The Cyberspace Administration of China (CAC) has published its Measures for the Security Assessment for Personal Information and Important Data Exported Abroad (Draft for Comments) (Draft Measures) on 11 April 2017. The Draft Measures, if enacted, will become the first regulation to impose general data localisation obligations in China.
China's new Cyber Security Law (CSL) will take effect on 1 June 2017. Before the CSL was published, the scope of data localisation requirements was relatively narrow, applying only to areas such as personal financial information in the banking industry. However, the CSL introduces the concept of critical information infrastructure (CII) and requires that (i) personal information and important data collected and generated by CII within the territory of the People's Republic of China (PRC) must be stored within the territory; and (ii) providing such data abroad for business or operational needs must be subject to a security assessment (for further details refer to our previous e-bulletins on the CSL). The Draft Measures are expected to implement the data localisation and security assessment requirements under the CSL.
In this e-bulletin we highlight the key provisions of the Draft Measures and set out our observations on the draft regime.
What data is covered by the Draft Measures?
The data covered includes:
a. Personal information, which is defined as information recorded by electronic or other means that is able to verify personal identity separately or in combination with other information (Art. 17). The definition is identical to that under the CSL.
b. Important data, which refers to data closely related to national security, economic development and social or public interests (Art.17). The detailed scope will be determined by reference to the "relevant national standards and important data identification guide" which is yet to be published.
Who are covered by the Draft Measures? The Draft Measures apply to:
a. Network operators, which refers to owners and administrators of networks and network service suppliers. The definition is consistent with the CSL (Art. 17). As noted in our previous e-bulletins, the scope is sufficiently wide to encompass any entity or individual that operates, owns or provides services relating to a network system. The network system does not need to be connected to the wide area network or accessible by the public.
b. "Other individuals or organisations" that collect or generate personal information and important data within the territory of the PRC (Art. 16). This is an unexpected extension of the scope from that under the CSL. It could be interpreted to include any individual or organisation that provides personal information and important data abroad, whether such individual or organisation is a network operator or not.
What is “exporting data abroad"?
“Exporting data abroad” is defined as network operators providing personal information and important data collected and generated within the territory of the PRC to institutions, organisations and individuals located outside the territory.
"Providing" is not defined and, in our view, can include any act that makes data accessible outside the PRC, whether electronically or in physical medium.
The Draft Measures reflect the principle in the CSL that data must be stored within the territory of the PRC and can only be provided abroad subject to a security assessment. Geographical exit from the PRC appears to be a key factor in determining whether data has been provided abroad. Data "leaving" the territory of the PRC and being stored overseas or being accessible by individuals or organisations located outside China will be caught. On the other hand, providing data to personnel or a branch of a foreign institution located within the territory of the PRC should be permitted.
Who are the regulators?
The industry regulators will be responsible for overseeing and organising security assessments in their relevant industries. The CAC will coordinate security assessments and provide guidance to the industry regulators (Art. 5 and Art. 6).
What assessment is to be conducted?
a. Self-assessment must be conducted by network operators as follows:
(i) Pre-export self-assessment: to be conducted each time data is to exit the territory of the PRC (Art. 7).
(ii) Periodic assessment: to be conducted at least once a year with the assessment result filed with the industry regulator (Art. 12).
(iii) Updated assessment: to be conducted if there are substantial changes to the data recipient or the purpose, scope, volume or type of the data or if there is a significant security incident. (Art. 12)
b. Mandatory assessment: to be conducted by the industry regulator if the data to be exported abroad involves any of the following (Art. 8):
(i) personal information that involves or accumulates more than 500,000 individuals;
(ii) data volume that exceeds 1,000GB;
(iii) data in fields such as nuclear facilities, chemical biology, the defence and military industry and population health, and data involving large-scale engineering projects, the marine environment or sensitive geographic information;
(iv) network security information including system bug and safety protection of CII;
(v) provision by CII operators of personal information and important data abroad; or
(vi) other data that, in the opinion of the industry regulator, may affect national security and social public interests and should be subject to security assessment.
Data prohibited from being exported
Data should not be exported abroad in any of the following circumstances (Art. 11):
a. where personal information is exported abroad without the subject of the information's consent or where it may harm that person's personal interests;
b. where exporting the data abroad will bring security risks to politics, the economy, technology and national defence or may jeopardise national security or social public interests; or
c. other information or data which the CAC, public security authority or national security authority prohibits from being provided abroad.
What will be assessed under the security assessment?
The security assessment must cover:
a. the necessity of the data export?;
b. the size, scope, type and sensitivity of the information and the relevant individual's consent if it involves personal information;
c. the size, scope, type and sensitivity of the information if it involves important data;
d. measures, capability and levels of security and protection of the data recipient, and the network security environment in the receiving country;
e. the risk of data being leaked, damaged, tampered with or abused after being exported;
f. the risks concerning national security, social and public interests, and the lawful interests of an individual arising from the data export and the convergence of concentration the exported data; and
g. other important factors.
- Unduly broad scope of data
The Draft Measures retain the scope of data restricted for export under the CSL, i.e. personal information and important data. The definition of personal data remains broad. Further, defining important data by reference to "national security, economic development and social public interests" is vague and subjective. In light of this, the "national standards and important data identification guide" will be critical in delineating the scope of important data.
- Unexpected extension of scope of subjects
While the CLS only requires data exported by CII to be subject to security assessment, the Draft Measures extend the scope of subjects to all network operators and "any individuals or organisations". The legal basis for such an extension remains unclear, as neither the National Security Law nor the CSL provides for this. With the scope of network operators already wide, a further extension will undoubtedly create an onerous compliance burden for any person or entity exporting data abroad and also generate an enormous administrative workload for industry regulators.
- Lack of practical guidance on security assessments
Mandatory security assessment: For companies with a regular or continuous need to export data, criteria (i) and (ii) above need to be clarified as to whether the data quantity or volume is qualified by a time period. The description of the types of data in (iii) is vague and should be specified in detail, perhaps in the "national standards and important data identification guide". The discretionary power given to the industry regulators under (vi) to select data export for security assessment based on its impact on "national security and social public interests" creates uncertainty as to how the power may be used in enforcing the security assessment.
Self-assessment: despite the list of factors to be considered in a security assessment, it remains challenging for entities and individuals to assess these without a detailed practical guide. Given the extensive scope of individuals and organisations subject to the security assessment requirement, many may lack the ability to assess factors such as the impact on "national security, social and public interests, and the lawful interests of an individual" and the data protection level of the data recipient. Without practical guidance customised for particular industries, implementation will likely prove problematic.
It is also difficult to assess what data will fall within the scope of data prohibited for export. Data that may "harm personal interest" or "jeopardise national security or social public interests" creates a subjective test that is subject to interpretation. The discretionary power of the CAC and the public and national security authorities to ban data from being exported also creates uncertainty in enforcing the rules.
- Unclear legal penalties
The Draft Measures do not provide specific penalties for breach. The CSL (Art. 66) imposes penalties for exporting data abroad by CIIs in violation of the CSL. However, as the Draft Measures extend the subjects beyond CIIs to network operators and other individuals and organisations, it is unclear whether the penalties applicable to CIIs will be extended to breaches of the Draft Measures.
With more and more data being transferred across the Chinese border and the prevalent deployment of cross-border cloud services, the data localisation measures in China will have widespread repercussions on any organisation or individual that transfers "personal information and important data" outside China. As the CSL is coming into force in June 2017, we expect the data localisation measures to be enacted soon. Companies should start reviewing their current data export policies and prepare for security assessments that are set to be implemented in the coming months.