20 April 2017
The Cyberspace Administration of China (‘CAC’) launched, on 11 April 2017, a public consultation on draft Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data (‘the Draft Measures’). The Draft Measures anticipate the entry into force of the Cybersecurity Law (‘the CS Law’), which is to be effective from 1 June 2017. In particular, the Draft Measures extend data localisation requirements under the CS Law from operators of critical information infrastructure to network operators, and require all network operators to obtain the informed consent of data subjects for the cross-border transfer of their personal information.
Dr. Michael Tan, Partner at Taylor Wessing, told DataGuidance, “The Draft Measures answer some pending questions under the CS Law, but also seem to create more questions than expected […] A particular concern is the extended interpretation of the CS Law, making the local storage of data a general principle for all network operators (instead of just critical infrastructure providers). This could potentially mean that, in the future, all data exports shall require clearance from the Chinese government in order to stay on the safe side. It may jeopardise business operations and contradict the goal of ‘promoting the free and orderly flow of data’ mentioned by the Draft Measures.”
In addition, the Draft Measures require network operators to conduct security assessments, which are divided into two classes: self-assessments and those conducted by a competent authority. Security assessments must be conducted by a competent authority when, for instance, the transfer involves the personal information of over 500,000 individuals; the size of the transfer exceeds one terabyte; the transfer involves data relating to large-scale infrastructure; or the transfer may affect national security or the public interest.
Xun Yang, Of Counsel at Simmons & Simmons, added, “The Draft Measures, if adopted in their current form, will significantly impact multinational companies where personal data and important business data are stored and processed on a global or regional basis. Healthcare, pharmaceutical, and medical device businesses; business consultation services, including those collecting and analysing large amounts of information about consumer spending; and research/survey business, including [those engaged in the] collection, processing, and analysis of big data such as information about natural resources, traffic, social behaviors, and industrial behaviors [will all likely fall under the draft requirements].”
Further, the Draft Measures would apply to classes of data beyond personal data, such as ‘critical data.’ While the definition of personal data adopted by the Draft Measures is in line with that under the CS Law, the Draft Measures also elaborate a definition of the term ‘critical data,’ which is referred to, but not enumerated, by the CS Law.
Gregory Louvel, Partner at Leaf Legal, noted, “Critical data refers to data which is very closely related to national security, economic development and the public interest. [Its] scope will follow the relevant national standards and guidance documents for the identification of critical data. [Relevant authorities will include] agencies specialising in specific industry sectors and shall perform their assessment within 60 days, under the supervision of the National Network Information Department.”
Data transfers which are not subject to assessment by a competent authority, i.e. transfers which do not involve critical data and/or a large volume of data and are not prohibited altogether, are instead subject to a requirement for yearly self-assessment on the part of the transferor. Such assessments must consider, inter alia, the business need for the transfer, the recipient’s levels of security and the type of data involved.
Tan concluded, “Although the Draft [Measures are] not yet officially launched, companies operating in China are advised to closely follow the development of this topic and get prepared to tackle the new challenges that might soon arrive.”
The CAC invites interested parties to submit comments on the Draft Measures by 11 May 2017.
Hernán Romero-Dutschmann | Privacy Analyst