China’s Network Security Law (the “NSL”), adopted late last year, is set to take effect on June 1, 2017. One of the most important provisions of the NSL is Article 37, which requires operators of critical information infrastructure to store personal information and important data within China. Transferring such information overseas is only permitted after the information is assessed by the competent authority. Critical information infrastructure is broadly defined in the NSL as any information system important to national security, citizen welfare, and public interests, such as public communications and information services, energy, transportation, water conservancy, finance, public services, e-government and other important industries and fields.
On April 11, 2017, the Chinese Cyberspace Administration published a notice on its website (http://www.cac.gov.cn/2017-04/11/c_1120785691.htm), seeking public comments on its proposed rules for security assessment of transfer of personal information and important data abroad (the “Proposed Rules”), which are essentially administrative rules to implement Article 37 of the NSL.
However, there is one glaring difference between the Proposed Rules and Article 37 of the NSL. Although network operators are similarly defined in both the NSL and the Proposed Rules as owners or managers of network and network service providers, the Proposed Rules impose the data export restrictions not only on the operators of critical information infrastructure, as in the NSL, but also on all other network operators.
EU’s data protection practice drew a lot of criticism by prohibiting companies from transferring personal data of EU citizens to countries which have not been deemed to provide an “adequate” level of data protection. In comparison, China's restriction on data export under the Proposed Rules is much more extensive and stringent. As will be discussed in further detail below, China not only limits cross-border transfer of personal information, but also requires security assessment for transfer of "important data", which is vaguely defined to be data that is closely related to national security, economic development, and societal public interests, with specific reference to some yet-to-be-published guideline. In addition, certain data cannot be transferred whatsoever.
If the Proposed Rules are adopted as is, which is speculated to be the case, personal information and important data collected and generated in China are required to be stored in China. If such personal information or data needs to be transferred overseas, a security assessment should be conducted either by the network operators or by the relevant regulatory authorities, depending on the nature of the personal information or data.
I. Data that cannot be transferred abroad
The following data is not allowed to be transferred overseas:
II. Data that can be transferred but is subject to self-assessment by network operators
Prior to transferring any personal information or important data, the network operator should carry out a security assessment for the data transfer, at least on an annual basis. The Proposed Rules suggest seven factors as the focus of the assessment:
III. Data that can be transferred with administrative approval
If the personal information or important data meets any of the following requirements, the network operators should report the prospective data transfer to relevant industry regulatory or supervisory authorities (or the national cyberspace administration if the regulatory or supervisory authorities cannot be ascertained), which will be responsible for the security assessment:
Even if certain information covered by the Proposed Rules luckily falls under the self-assessment category (category II above), the network operator still faces significant compliance risks, as it is required to report the self-assessment to the industry regulatory or supervisory authorities and will be held responsible for the assessment results. In addition, the network operator not only needs to assess the personal information and important data itself, but is also required to assess the capability and security protection levels of the data recipient and the risk of the data being stolen or otherwise compromised during re-transfer overseas, which is hardly something that the network operator can easily determine with certainty. Thus, many Chinese companies, especially the ones with risk-averse compliance policies, are likely to turn to domestic partners in transactions where data exchanges are necessary, including the much anticipated rise of big data, deep learning, cloud services, and SaaS, to name a few. Companies that find it a business necessity to transfer data overseas, for example due to auditing or securities disclosure requirements, are encouraged to set up internal security assessment procedures based on the factors in the Proposed Rules or, if they do not have adequate internal compliance or legal resources, to engage outside experts to conduct the security assessment in order to minimize compliance risks.