(By Gao Tianyi and You Yunting) China’s legal system for dealing with data security and personal information protection standards has been established*, but more detailed rules and standards are in the process of being formulated. This article will mainly discuss the new requirements for, and new changes in, data localization and compliance management regarding cross-border data transfers.
The analysis shows that those who use data from China should keep abreast of changes in policy orientation within the country, in order to avoid potential regulatory risks.
*The article below refers to three established laws:
- The Data Security Law of the People’s Republic of China (“Data Security Law”),
- The Personal Information Protection Law of the People’s Republic of China (“Personal Information Protection Law”), and
- The Cybersecurity Law of the People’s Republic of China (“Cybersecurity Law”), which was enacted in 2016.
I. Chinese Regulations on Cross-border Data Transfers
The Cybersecurity Law first puts forward the requirement for data localization in China, but it mainly targets “personal information and important data collected and produced by critical information infrastructure operators during their operations within the territory of China”. It further provides for security assessments to be conducted where it is truly necessary for them to provide the personal information and important data outside the territory of China.
In China, the requirements on the cross-border transfer of important data and personal information were once set out together, without distinction. The Chinese government has since clarified the boundary between the two categories of data, and separate regulations have been enacted for each. This means only that the specific regulatory measures differ, not necessarily the regulatory bodies.
Currently, on the basis of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law have respectively enacted regulations on the cross-border transfer of important data and personal information.
The relevant clause of the former is more general, stipulating that critical information infrastructure operators shall be subject to the Cybersecurity Law, while the security management measures for cross-border transfers of important data by other data handlers are to be formulated by the national cyberspace authority.
The relevant clause of the latter, which is more specific and practical, sets forth (a) four conditions under which the personal information handler can provide personal information outside the territory of China, (b) the individual’s right to be informed, and (c) that some subjects — such as critical information infrastructure operators and personal information handlers who handle personal information up to a certain amount — must pass security assessments before they provide personal information outside the territory of China.
With respect to certain fields, China has also promulgated several specialized regulatory rules. For instance, the Several Provisions on the Management of Automobile Data Security (for Trial Implementation) governs the security management of cross-border transfers of important data in the field of transportation: in addition to the security assessment required by the Cybersecurity Law, automobile data handlers must also report to the competent authority the type, volume, purpose and necessity of the automobile data to be transferred, its storage location and duration, its scope and method of use, etc.
In addition, the financial industry standard Technical Specification for Personal Financial Information Protection requires the following conditions to be met where it is truly necessary to provide personal financial information outside the territory of China due to business needs: express consent shall be obtained from the individual; a security assessment shall be conducted; and the corresponding protection obligations of the overseas institution shall be set out in agreements, with their performance supervised through onsite inspection.
These specialized regulatory rules make it much more difficult to transfer automobile data and financial data to firms outside of China. Arguably, the rules increase the likelihood that existing vendors of such data will need to alter their data products or even cease distribution entirely in order to comply.
II. Definition and Form of “Cross-Border Data Transfer” in China
For compliance solutions regarding cross-border data transfer, one must determine which transfers qualify as “cross-border data transfers”. However, all of the three major data laws simply state “provision outside the territory of China” and do not specify any definitions or forms.
Generally speaking, providing data collected and produced domestically to institutions, organizations, and individuals located overseas is certainly a form of “cross-border data transfer”, but some ambiguous forms remain to be clarified. For instance, the Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comments) (“Assessment Guidelines”) specifically regards the following situations as “cross-border data transfer” as well:
- The data is provided to subjects located within the territory of China but not under the jurisdiction of China or not registered in China;
- The data has not been transferred to or stored outside the territory of China, but can be accessed by overseas institutions, organizations, and individuals (except for public information and webpage access) — this could mean that data on a network server located in China (but accessible to a firm in the US, even if it is not stored in the US) would still be subject to a security assessment, though aggregators of publicly visible data are exempt from this requirement;
- Personal information and important data collected and produced by network operators during their domestic operations are involved in the transfer of internal data among group companies from domestic to abroad.
For regulatory purposes, cross-border security management is necessary in the above three situations, since it is difficult to predict how existing Chinese laws and regulations would otherwise supervise them. Therefore, although the Assessment Guidelines has not been formally implemented yet, many data handlers have already taken it into consideration in their data compliance work. Under the Assessment Guidelines, the handling activities of an overseas data handler may escape classification as a “cross-border data transfer” only where that handler is registered in China and accesses the relevant data within the territory of China.
III. Strict Management Measures for Important Cross-Border Data Transfer
The legal concept of “important data” was first proposed by the Cybersecurity Law, and the Data Security Law further stipulates that a stricter management system shall be implemented to conduct key protection for important data. Especially where the important data collected and produced by critical information infrastructure operators is to be provided outside the territory of China, a security assessment organized by the national cyberspace authority is a must.
However, up to now, no laws, regulations or guidelines in effect have defined “important data”, and no relevant systems or rules have been formally promulgated. Certainly, the scope of “important data” is inherently vague, and since most other countries do not use the term “important data” either, there is little guidance to rely on. The absence of any shared concept or a clear definition under Chinese laws and regulations has led to a dilemma as to whether certain types of data can be provided outside the territory of China directly without any restriction, and the applicable regulatory rules, if any, may also be in vain.
To resolve this uncertainty, the competent Chinese authorities are now actively promoting the implementation of relevant systems and rules. For example, the Information Security Technology – Guidelines for Important Data Identification (“Identification Guidelines”), a national standard, has recently been upgraded from Appendix A of the Assessment Guidelines to a draft for comments in its own right, clarifying at a high level the principles, characteristics, procedures and methods by which each region, department and industry is to identify its own specific categories and contents of “important data.”
The Identification Guidelines defines “important data” as “data in electronic forms, which may endanger national security and public interest once it is tampered with, destroyed, leaked, or illegally obtained or used”, and also states that this shall not include state secrets or personal information, but may include statistical data and derivative data formed on the basis of massive amounts of personal information. The bulk of the Identification Guidelines is devoted to elaborating the seven specific characteristics of important data, i.e., related to economic operation, population and health, natural resources and environment, science and technology, security protection, application services, and governmental affairs.
The identification method specified in the Identification Guidelines differs substantially in wording and perspective from the one in Appendix A of the Assessment Guidelines. The former requires each industry to identify the important data in its own field based on the above characteristics, while the latter enumerates more than 20 specific industries and gives a non-exhaustive list of the important data involved in each. This change indicates that the scope of supervision over important data will be more extensive and no longer limited to certain traditionally special industries.
Furthermore, after the implementation of the Data Security Law and the Personal Information Protection Law, the enactment of the systems and rules stipulated therein will undoubtedly be accelerated, including categorical and hierarchical systems for data protection, security management measures for cross-border transfers of important data, and relevant data security standards.
IV. Tendency to Relax Restrictions for Personal Information Cross-Border Transfer
Owing to the promulgation of the Personal Information Protection Law, the regulatory rules on cross-border transfers of personal information are relatively clearer than those on important data.
In accordance with Article 38, Paragraph 1 of the Personal Information Protection Law, where personal information is to be provided outside the territory of China, only critical information infrastructure operators and personal information handlers that handle personal information up to the amount stipulated by the national cyberspace authority must pass a security assessment organized by the national cyberspace authority. Other personal information handlers with business needs need only conduct their own assessment of the impact on personal information protection in advance, record the handling activities, and meet one of the following three conditions:
- obtaining personal information protection certification from a specialized organization in accordance with the regulations of the national cyberspace authority;
- concluding a contract with the overseas recipient in accordance with the standard contract formulated by the national cyberspace authority, stipulating the rights and obligations of both parties; or
- other conditions provided in laws or administrative regulations or by the national cyberspace authority.
Previously, the Measures on Security Assessment of the Cross-Border Transfer of Personal Information (Draft for Comments) required all network operators to pass security assessments of cross-border data transfer conducted by experts or technical professionals organized by the provincial cyberspace authority. This simplified, one-size-fits-all requirement caused concerns in the industry, and the current categorical and hierarchical method in the Personal Information Protection Law is obviously more reasonable: in terms of efficiency alone, the time required for a security assessment of cross-border data transfers will be much greater than the time required for certification from a specialized organization or conclusion of a standard contract.
Moreover, regarding the second condition above, the further requirement that “(personal information handlers) shall supervise their (overseas recipients’) personal information handling activities to meet the personal information protection standard stipulated in this Law”, which appeared in the second deliberation draft of the Personal Information Protection Law, has been removed. Although Article 38, Paragraph 3 still prescribes that “personal information handlers shall take necessary measures to ensure that the personal information handling activities of overseas recipients meet the personal information protection standard stipulated in this Law”, the term “ensure” in the enacted text imposes fewer obligations on personal information handlers than the term “supervise” in the draft.
In conclusion, reviewing the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law as a whole, China’s supervision system regarding personal information and data security – more similar to the General Data Protection Regulation of the EU – is relatively stringent and therefore imposes higher requirements on overseas data recipients.
For example, the Personal Information Protection Law stipulates that the handling activities of overseas recipients shall meet the protection standard required by Chinese laws, and the Assessment Guidelines also includes the security protection capability of data recipients and the political and legal environment of their countries or regions in security assessments of cross-border data transfer, urging overseas data recipients to abide by Chinese laws and forcing other countries and regions to respect China’s national sovereignty more.
Therefore, although specialized systems and specific rules remain to be formulated by relevant departments in order to clarify and then implement the provisions in the three laws, data handlers should actively respond to the policy orientation and establish corresponding mechanisms in advance to avoid potential regulatory risks.