Further Evolution On Data Transfer And Security Assessment

2017. 8. 4


Basic background

The Cyber Security Law of the People's Republic of China came into effect on June 1, 2017, and its most highlighted rule is the "data localisation" requirement. Article 37 requires Critical Information Infrastructures ("CIIs") to store any personal information and important business data collected in China within the territory of the country. The scope of this data is defined in Article 31 in the form of "list + result", but it remains vague in practice. Even so, "data localisation" is noteworthy for transnational enterprises that want to invest in China, since cross-border data flows are inevitable in business transactions and management.

As one of the important supporting documents of the Cybersecurity Law, the Measures on Security Assessments for Personal Information and Important Data to be Transmitted Abroad (for Public Comment) ("Measures") provides more specific and detailed rules. The Measures are intended to specifically implement the personal information and important data export security assessment requirements found in Article 37. Anyone wanting to transfer data outside the country must jump through the extra hoop of a security assessment.

Two features of the Measures:

1. The data localisation requirement is extended to Network Operators, not only limited to CIIs as described in China's Cybersecurity Law.

2. Data can be transferred out of China if there is a legitimate business need and a security assessment is undertaken prior to the transfer. There are two types of security assessment – self-assessment and assessment carried out by the competent authority.

The assessments are stipulated in Articles 8 and 9 of the Measures.


Article 8 provides that data export security assessments shall focus on the following elements:

1) The necessity of transferring data abroad;

2) Whether personal information is involved, including the quantity, scope, type, and sensitivity of the personal information, as well as whether the subject of the information consents to transferring the information abroad;

3) Whether important data is involved, including the quantity, scope, type and sensitivity of the important data;

4) The security protection measures and capabilities of the recipient of the personal information, and the cybersecurity environment of the country where the recipient is located;

5) The risk of leakage, damage, alteration or misuse of the data transferred abroad and further transferred;

6) The possible risks to national security, the public interest and the individual's rights arising from transmitting the data abroad and gathering the data to be transmitted abroad;

7) Other important matters requiring assessment.


Article 9 indicates that network operators shall report to the industry administrative or supervisory department to organise a security assessment where the data to be exported falls under one of the following circumstances:

1) The outbound transfer involves the personal information of over 500,000 individuals;

2) The data is over 1,000 GB;

3) The data transferred pertains to nuclear facilities, chemistry and biology, national defence and the military, population health, the marine environment or sensitive geographic information;

4) The transfer involves data related to the cybersecurity of key information infrastructures, such as system vulnerabilities and security protection;

5) CIIs transfer personal information and important data abroad;

6) Other circumstances in which the cross-border transfer may affect national security or the public interest that the industry administrative or supervisory department determines should be assessed.

Commentary

Considering the rules of China's Cybersecurity Law and the trend reflected in the Measures, we recommend that transnational enterprises first classify the information they hold and develop an effective internal assessment process.

Before transferring data abroad, it is necessary to seek advice from the industry administrative or supervisory department to make sure that the data transfer meets the requirements of the law.

Last and most importantly, transnational enterprises should pay close attention to the evolution of the relevant laws and make corresponding adjustments.
