China’s Network Security Law (the “NSL”), adopted late last year, is set to take effect on June 1, 2017. One of the most important provisions of the NSL is Article 37, which requires operators of critical information infrastructure to store personal information and important data within China. Transferring such information overseas is only permitted after the information is assessed by the competent authority. Critical information infrastructure is broadly defined in the NSL as any information system important to national security, citizen welfare, and public interests, such as public communications and information services, energy, transportation, water conservancy, finance, public services, e-government and other important industries and fields.
On April 11, 2017, the Chinese Cyberspace Administration published a notice on its website (http://www.cac.gov.cn/2017-04/11/c_1120785691.htm), seeking public comments on its proposed rules for security assessment of transfer of personal information and important data abroad (the “Proposed Rules”), which are essentially administrative rules to implement Article 37 of the NSL.
However, there is one glaring difference between the Proposed Rules and Article 37 of the NSL. Although network operators are similarly defined in both the NSL and the Proposed Rules as owners or managers of network and network service providers, the Proposed Rules impose the data export restrictions not only on the operators of critical information infrastructure, as in the NSL, but also on all other network operators.
The EU’s data protection practice drew a lot of criticism by prohibiting companies from transferring personal data of EU citizens to countries which have not been deemed to provide an “adequate” level of data protection. In comparison, China’s restriction on data export under the Proposed Rules is much more extensive and stringent. As will be discussed in further detail below, China not only limits cross-border transfer of personal information, but also requires security assessment for transfer of “important data”, which is vaguely defined to be data that is closely related to national security, economic development, and societal public interests, with specific reference to some yet-to-be-published guideline. In addition, certain data cannot be transferred at all.
If the Proposed Rules are adopted as is, which is speculated to be the case, personal information and important data collected and generated in China are required to be stored in China. If such personal information or data needs to be transferred overseas, a security assessment should be conducted either by the network operators or by the relevant regulatory authorities, depending on the nature of the personal information or data.
I. Data that cannot be transferred abroad
The following data is not allowed to be transferred overseas:
II. Data that can be transferred but is subject to self-assessment by network operators:
Prior to transferring any personal information or important data, the network operator should carry out a security assessment of the data transfer, at least on an annual basis. The Proposed Rules suggest seven factors as the focus of the assessment:
III. Data that can be transferred with administrative approval
If the personal information or important data meets any of the following requirements, the network operators should report the prospective data transfer to relevant industry regulatory or supervisory authorities (or the national cyberspace administration if the regulatory or supervisory authorities cannot be ascertained), which will be responsible for the security assessment:
Even if certain information covered by the Proposed Rules luckily falls under the self-assessment category (category II above), the network operator still faces significant compliance risks, as it is required to report the self-assessment to the industry regulatory or supervisory authorities and will be held responsible for the assessment results. In addition, the network operator not only needs to assess the personal information and important data itself, but is also required to assess the capability and security protection levels of the data recipient and the risk of the data being stolen or otherwise compromised during re-transfer overseas, which is hardly something that the network operator can easily determine with certainty. Thus, many Chinese companies, especially the ones with risk-averse compliance policies, are likely to turn to domestic partners in transactions where data exchanges are necessary, including in much-anticipated growth areas such as big data, deep learning, cloud services and SaaS, to name a few. Companies that find it a business necessity to transfer data overseas, for example due to auditing or securities disclosure requirements, are encouraged to set up internal security assessment procedures based on the factors in the Proposed Rules or, if they do not have adequate internal compliance or legal resources, to engage outside experts to conduct the security assessment to minimize compliance risks.
MagStone Law, LLP is pleased to announce that Ms. Bing Zhang Ryan has recently joined the firm as a litigation partner. Ms. Ryan will work out of our Silicon Valley office. Having more than a decade of experience litigating individual and high-profile class actions in federal and state courts nationwide, Ms. Ryan has substantial experience in all stages of litigation, including initial case investigation, discovery, and trial. As an instrumental member of several securities and consumer class action litigation teams, she helped her clients obtain favorable settlement results. In an antitrust class action case involving one of the world’s leading manufacturers of Thin Film Transistor-Liquid Crystal Displays, Ms. Ryan successfully persuaded the court to admit key evidence during the trial and won a favorable jury verdict on behalf of her client.
Prior to joining MagStone Law, Ms. Ryan was a team lead of DLA Piper’s Litigation and Compliance team in China and advised multinational companies on cross-border commercial litigation and government enforcement matters. Her experience includes conducting internal investigations for corporations of different sizes to respond to formal or informal regulatory inquiries from US and Chinese government agencies and to identify employee misconduct.
Ms. Ryan’s extensive litigation and investigation experience helps her develop and implement case strategies during early stages of litigation. She is a frequent speaker on how to mitigate potential risks when running businesses in the US and in China. She has also helped multinational companies establish adequate internal procedures and policies to avoid potential lawsuits.
Ms. Ryan obtained her Juris Doctor degree from University of California, Berkeley School of Law. Born and educated in China, Bing fully understands the cultural sensitivities, reads and writes Chinese fluently, and speaks Chinese in multiple dialects.
“We are delighted to have Bing on board,” says Ruming Liu, a partner at MagStone’s Silicon Valley office. “Her expertise in US litigation and international dispute resolution will allow us to better serve our growing clients and help make MagStone a one-stop full-service law firm.”
With offices in California and New York, MagStone Law, LLP is a modern law firm dedicated to providing solution-focused and cost-effective high-quality legal services to our clients. MagStone's partners are all experienced lawyers with backgrounds from the most prominent international law firms. Our practice covers all aspects of corporate transactions and litigation. Known for our expertise on China cross-border transactions, we have become the go-to law firm for many Chinese companies exploring the U.S. market.