On 11 April 2017, the Cyberspace Administration of China (CAC) issued the draft Measures for the Security Assessment of Export of Personal Information and Critical Data (Draft) for consultation. This move by the CAC is intended to pave the way for easier implementation of the new PRC Cyber Security Law (CS Law), which came into effect on June 1, 2017.
Article 37 of the CS Law stipulates that critical information infrastructure operators (CIIOs) must store personal data and other important data collected and generated in the course of their operations in China onshore. If transmission of such data outside China is necessary for business reasons, clearance procedures must be followed under separate rules to be formulated by the CAC (which are the subject of the Draft). While clarifying some of the implementation details around the CS Law, the Draft also creates complexities and concerns.
Who does Article 37 apply to?
A literal reading of the CS Law gives the impression that a CIIO would include, for example, telecoms infrastructure service operators. However, there is no clear definition of this term. The CS Law gives examples of businesses which will qualify as a CIIO, including public communications networks and information services, energy, transport, water conservation, finance, public services, and e-government affairs. In addition, the category includes any other areas where a data breach or security compromise could result in serious harm to national security, the national economy, people’s livelihoods and the public interest. As the term “information service” is broad and vague, it could potentially be interpreted widely as covering all businesses with an online feature, so further clarity is needed.
Surprisingly, the Draft does not address the question of what constitutes a CIIO. Instead, it rephrases Article 37 of the CS Law by imposing local data storage requirements upon “network operators”. This term is further defined to cover those who own networks, manage networks and provide network services. Although the Draft is purportedly regulating data export clearance procedures, use of a different term for the scope of application creates the impression that local storage of data becomes a general principle (instead of only applying to CIIOs). This is all the more true given that the Draft further states that other individuals or organisations should also refer to the data export clearance procedures under this Draft.
What data is covered?
Article 37 of the CS Law refers to two types of data, namely personal data and critical data collected and generated within the territory of China. The definition of the former is repeated in the Draft, i.e. information recorded by electronic or other means that, alone or jointly with other information, can serve to identify a natural person, including but not limited to a natural person’s name, date of birth, identification number, personal biometric data, address, or phone number. The CS Law does not define critical data. The Draft clarifies that critical data is data closely related to national security, economic development and the public interest, the exact scope of which will be set out in relevant national standards and classification guidance.
According to the Draft, the following types of data must not be exported:
- personal data for which no prior consent to export was sought or where export might jeopardise the personal interests of the data subject;
- any data which poses a risk to national security (e.g. political, economic, technological, national defence) or may possibly affect national security and damage the public interest; and
- data which is barred from export by administrative authorities like the CAC, police authority and national security authority.
Security self-assessment procedures
Network operators are required to conduct a self-assessment before exporting personal and critical data. This should focus on aspects including: the business need for the export; the quantity, scope, category and sensitivity of the data; whether consent for export has been obtained, where applicable; the security measures and competence of the data importer, including the level of cybersecurity regulation in the data importer's jurisdiction; and the risk and impact of a data breach after export, including the potential for onward export to further jurisdictions.
Network operators need to get clearance from the relevant administrative regulators to export any of the following:
- personal information involving over 500,000 individuals (including on an accrued basis);
- data quantity exceeding 1,000 GB;
- data concerning nuclear facilities, biochemistry, national defence and military matters, demographics and health, large-scale project activities, marine environment or sensitive geographic information;
- cybersecurity information about system vulnerabilities and security protection of critical information infrastructures;
- data exports by a CIIO; and/or
- data potentially impacting national security and the public interest, in relation to which an assessment is deemed necessary by the regulators.
The Draft answers some questions under the CS Law, but also generates questions of its own. This reflects the fact that the CAC - a rising power among the Chinese ministries - plays an increasingly critical role as the Chinese government prioritises cybersecurity.
Of particular concern is the Draft's seemingly extended interpretation of the CS Law, which appears to apply data export limitations to all network operators and could be interpreted as extending them to all online activities. This could mean that, in future, companies seek clearance from the Chinese government for all data exports in order to stay on the safe side.
Although this might sound similar to the situation in Europe, where all data exports are regulated, the clearance mechanism under the Draft is extremely cumbersome compared with the approach adopted by the EU. It may jeopardise business operations and contradict the goal of “promoting orderly and freely the flow of data” set out in the Draft.
Although the Draft has not been finalised, companies operating in China are advised to follow developments closely and be prepared to tackle new challenges.