Since China’s three main laws for cybersecurity and data privacy all came into effect two months ago, China has issued supplementary implementing regulations and consultation papers that flesh out the new Chinese cybersecurity and data privacy regulatory order, particularly in the area of cross-border transfer of data.  This article examines the new requirements, because non-compliance is serious: penalties can reach 5% of the previous year’s turnover, and individuals face personal liabilities such as disqualification from important positions in addition to penalties imposed on them directly.

Consultation Paper for the Measures for Security Assessment of Cross-border Data Transfer

The Cyberspace Administration of China (“CAC”) released the Consultation Paper for the Measures for Security Assessment of Cross-border Data Transfer on October 29, 2021.  

The Consultation Paper reiterates the data localization requirement for critical information infrastructure operators (“CIIOs”).  The Consultation Paper also provides that:

  • cross-border transfer of personal information by a company which handles 1 million (or more) individuals’ personal information requires prior government approval
  • cumulative cross-border transfer of personal information of more than 100,000 individuals or cumulative cross-border transfer of sensitive personal information of more than 10,000 individuals requires prior government approval

To obtain government approval (termed “security assessment” in the law) for cross-border transfer of personal data, the transferring company must first conduct a self-assessment covering areas such as the data involved and the overseas recipient, and then submit that self-assessment as part of its application for approval.  The application is submitted to the provincial cyberspace administration of the locality where the transferring company is located.  The approval process is expected to take at least two months, and each approval is valid for two years.  If circumstances change, approval must be obtained again.

Consultation Paper on Internet Data Security

CAC issued the Consultation Paper on Internet Data Security (“Draft Data Management Regulation”) on November 14, 2021.

Besides reiterating the requirements set out in the China Personal Information Protection Law and the Consultation Paper discussed above, this Consultation Paper additionally prescribes that prior Chinese government approval is needed for cross-border transfer of important data by non-CIIOs.  “Important data” is not yet officially defined, although the term is defined in another consultation paper (viz. the Consultation Paper for the “Information Security Technology – Identification Guide of Important Data”) which has not yet been adopted.

The Consultation Paper prescribes requirements for internet platforms, including obtaining government approval in the following situations:

  • it is an internet platform which holds a substantial amount of data relating to national security, economic development, or the public interest, and which intends to conduct a merger or other transaction that affects or may affect national security
  • it holds more than 1 million individuals’ personal information and intends to list overseas
  • it intends to list in Hong Kong in a manner that affects or may affect national security (this item may be omitted when the draft regulation is officially adopted)

Cybersecurity Review Measures

The new Cybersecurity Review Measures (“CRM”), which were issued by 13 Chinese government authorities including CAC and will become effective on 15 February 2022, will be applicable to data processing activities carried out by CIIOs and internet platform operators.

(The Security Protection Regulations for Critical Information Infrastructure (effective as of 1 September 2021) define CII as important network facilities and information systems in the industries of public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, national defence, and science and technology, as well as those whose damage, loss of function or data leakage may seriously endanger national security, the national economy and the people’s livelihood, or public interests.  Industry regulators are responsible for giving guidance and issuing detailed catalogues of CIIs within their own industries.  The Draft Data Management Regulation defines internet platform operators as data processors that provide users with internet platform services such as information release, social interaction, transactions, payments, audio-visual services, etc.)

Chinese government approval is required for the following data processing activities:

1. where CIIOs procure network products or services which affect or may affect China's national security; and

2. where internet platform operators carry out data processing activities which affect or may affect China’s national security.

If an internet platform operator processing more than 1 million users’ personal information seeks to list overseas, it must obtain government approval.

The approval focuses on the assessment of the possible national security risks brought by the purchase of network products and services, data processing activities and overseas listing, including:

  • The risk of CII being illegally controlled, interfered with or destroyed and the risk of important data being stolen, leaked or damaged;
  • The risk that supply disruptions involving these products and services may pose to the continuity of CII;
  • The security, openness, transparency, diversity and reliability of supply channels and the risk of supply disruptions due to political, diplomatic, trade and other causes;
  • The suppliers' compliance with the law;
  • The risk of core data, important data or substantial personal information being stolen, leaked, damaged, illegally used or exported;
  • The risk of CII, core data, important data or substantial personal information being affected, controlled and maliciously used by foreign governments after overseas listing as well as the network information security risk; and
  • Other factors that could endanger the security of CII, the cybersecurity and national data security.

The CRM also outlines the government approval process, which can take 5 months or longer.

Penalties for non-compliance include confiscation of income, a fine of up to RMB 10 million, business suspension, revocation of business license or permits, and criminal prosecution.

Take-aways

The China Personal Information Protection Law provides that companies which are not CIIOs but which process a volume of personal information reaching a threshold stipulated by CAC must store the personal information collected and generated in China within China.  If it is necessary to provide the information overseas, they must obtain Chinese government approval.  Recent developments have since set out the following requirements, which in practice require companies to switch to data localization for the most part:

  • prior Chinese government approval is needed for cross-border transfer of important data (not yet defined) by even non-CIIOs
  • cross-border transfer of personal information by a company which handles 1 million (or more) individuals’ personal information requires prior government approval
  • cumulative cross-border transfer of personal information of more than 100,000 individuals or cumulative cross-border transfer of sensitive personal information of more than 10,000 individuals requires prior government approval

Companies need to consider personal data localization as far as possible under the new order of China’s cybersecurity and data privacy landscape.  Companies which must share or transfer data outside of China need to prepare early for seeking Chinese government approval for the cross-border transfer.