All enterprises in China may soon be subject to a new rule governing how they export personal information and important data. Under the draft rules, companies that export data will have to undergo regular self-assessments of their security controls on data and in certain circumstances may have to be assessed by the authorities as well.
On April 11, 2017, a draft “Measures on Security Assessment with respect to the Export of Personal Information and Important Data” (the “Measures”) was issued by the State Internet Information Office for public consultation. Drafted in accordance with the newly issued Cyber Security Law[1], the Measures provide greater detail on how the Chinese government may regulate the outbound transmission of personal information and important data.
The Measures do the following:
1. Define and regulate the “Outbound Transmission of Data”
“Outbound Transmission of Data” is defined to occur when a network operator provides personal information and important data (collected and generated during its operation within China) to any entity, organization or person located overseas.
The definition is therefore focused on the result (i.e., the information and data are obtained by an overseas party), instead of the method of transmission (i.e., regardless of whether the information and data are sent by a domestic party to an overseas party, are made accessible for an overseas party to download, or are saved to any physical media that is then delivered overseas, etc.).
2. Self-assessment by Operator
A network operator is required to conduct a security assessment before any individual Outbound Transmission of Data, as well as regular overall assessments at least once a year.
The Measures do not provide any detailed requirements in terms of the assessment method and standards, but only list several topics that are supposed to be included in the assessment (e.g., the reason the Outbound Transmission of Data is necessary, the nature, quantity and scope of the information and data, the overseas recipient’s capacity to properly keep and manage the transmitted information and data, and any risks associated with the overseas transmission).
3. Special Assessment by Supervisory Authority
Under the following circumstances, operators are required to report to the relevant supervisory authorities for a special assessment:
(i) the data involves (one-off or cumulatively) personal information of 500,000 or more people;
(ii) the size of the data is more than 1,000GB[2];
(iii) the data concerns nuclear facilities, chemistry and biology, national defense, public health, large-scale project activities[3], the marine environment and sensitive geographic information data;
(iv) network security data relating to critical information infrastructures, including system vulnerabilities, security defense and other network security data;
(v) the providing operator is a critical information infrastructure operator; or
(vi) other circumstances that may affect national security and social public interests.
Our Observations and Recommendations
Effectively, the draft Measures clarify that multinationals operating in China must follow the rules governing data transmission as long as they need to transmit any “personal information and important data” overseas[4].
The term “important data” is not yet fully defined. The draft Measures define it as “data that is closely related to national security, economic development, and social and public interests, with specific reference to relevant national standards and important data identification guidelines.”
Currently the Measures are only a draft for the purpose of public consultation. Please let us know if you have any comments on the proposed Measures, as we have the opportunity to discuss such issues with the authorities.
[1] Article 2 of the Cyber Security Law (issued on November 7, 2016 and effective from June 1, 2017) provides that “the operator of a critical information infrastructure shall store within the territory of the PRC personal information and important data collected and generated during its operation within the territory of the PRC. Where such information and data have to be provided overseas for business purpose, security assessment shall be conducted pursuant to the measures developed by the Cyberspace Administration of China together with competent departments of the State Council...”
[2] The draft Measures do not clarify whether such a size threshold is one-off or will be measured cumulatively over a certain period of time.
[3] The specific standards defining “large-scale” projects are not provided in the draft Measures.
[4] When the Cyber Security Law was promulgated, it was unclear from its provisions whether multinationals are “operators of critical information infrastructure” regulated by the new law. The draft Measures, however, will definitely cover multinationals.