China’s Network Security Law (the “NSL”), adopted late last year, is set to take effect on June 1, 2017. One of the most important provisions of the NSL is Article 37, which requires operators of critical information infrastructure to store personal information and important data within China. Transferring such information overseas is only permitted after the information is assessed by the competent authority. Critical information infrastructure is broadly defined in the NSL as any information system important to national security, citizen welfare, and public interests, such as public communications and information services, energy, transportation, water conservancy, finance, public services, e-government and other important industries and fields.
On April 11, 2017, the Chinese Cyberspace Administration published a notice on its website (http://www.cac.gov.cn/2017-04/11/c_1120785691.htm), seeking public comments on its proposed rules for security assessment of transfer of personal information and important data abroad (the “Proposed Rules”), which are essentially administrative rules to implement Article 37 of the NSL.
However, there is one glaring difference between the Proposed Rules and Article 37 of the NSL. Although network operators are defined in the same way in both the NSL and the Proposed Rules, namely as owners or managers of networks and as network service providers, the Proposed Rules impose the data export restrictions not only on operators of critical information infrastructure, as the NSL does, but on all other network operators as well.
The EU’s data protection practice drew a lot of criticism by prohibiting companies from transferring personal data of EU citizens to countries which have not been deemed to provide an “adequate” level of data protection. In comparison, China's restriction on data export under the Proposed Rules is much more extensive and stringent. As will be discussed in further detail below, China not only limits cross-border transfer of personal information, but also requires a security assessment for the transfer of "important data", which is vaguely defined as data closely related to national security, economic development, and societal public interests, with specific reference to a yet-to-be-published guideline. In addition, certain data cannot be transferred at all.
If the Proposed Rules are adopted as is, which is speculated to be the case, personal information and important data collected and generated in China must be stored in China. If such personal information or data needs to be transferred overseas, a security assessment must be conducted either by the network operator or by the relevant regulatory authorities, depending on the nature of the personal information or data.
I. Data that cannot be transferred abroad
The following data is not allowed to be transferred overseas:
personal information, if the subject of the personal information does not consent to the transfer, or the transfer may harm the interests of the individual;
data whose transfer poses risks to national politics, the economy, science or technology, or may affect national security or harm societal public interests;
other data that cannot be transferred, as determined by relevant departments such as the national network information department, the public security department and other security departments.
II. Data that can be transferred but is subject to self-assessment by network operators
Prior to transferring any personal information or important data, the network operator should carry out a security assessment of the data transfer, at least on an annual basis. The Proposed Rules suggest seven factors as the focus of the assessment:
need for the transfer;
with respect to personal information, the amount, scope, type, and sensitivity of the personal information, and whether the subject of the personal information consents to the transfer. The network operator must (i) explain to the subject the purpose, scope, content of the transfer, as well as the recipient of the transfer and the country or region where the recipient is located, and (ii) obtain the subject's consent. For minors' personal information, the consent of their guardian is required;
with respect to important data, the amount, scope, type and sensitivity of the data;
the security protection measures, capabilities and levels of the recipient of the transferred data, and the network security environment of the country or region where the recipient is located;
risks of the transferred data being disclosed, damaged, compromised or misused in connection with the transfer or re-transfer;
risks to national security, social public interests and legitimate personal interests that may be caused by the data transfer and aggregation of the transferred data;
other important matters that need to be assessed.
III. Data that can be transferred with administrative approval
If the personal information or important data meets any of the following requirements, the network operators should report the prospective data transfer to relevant industry regulatory or supervisory authorities (or the national cyberspace administration if the regulatory or supervisory authorities cannot be ascertained), which will be responsible for the security assessment:
the data contains, individually or in aggregate, personal information of more than 500,000 people;
the amount of data is over 1000 GB;
the data contains data in fields such as nuclear facilities, chemistry, biology, national defense, military affairs and public health, or information relating to large-scale engineering projects, the marine environment, or sensitive geographic information;
the data contains information relating to the network security or system vulnerabilities of critical information infrastructure and its security protection;
the transfer of personal information and important data by an operator of critical information infrastructure;
other data transfers that may affect national security or societal public interests, where the industry regulatory or supervisory authorities deem a security assessment necessary.
Even if certain information covered by the Proposed Rules luckily falls under the self-assessment category (category II above), the network operator still faces significant compliance risks, as it is required to report the self-assessment to the industry regulatory or supervisory authorities and will be held responsible for the assessment results. In addition, the network operator not only needs to assess the personal information and important data itself, but is also required to assess the capability and security protection level of the data recipient and the risk of the data being stolen or otherwise compromised during re-transfer overseas, which is hardly something the network operator can determine with certainty. Thus, many Chinese companies, especially those with risk-averse compliance policies, are likely to turn to domestic partners in transactions where data exchanges are necessary, including the much anticipated rise of big data, deep learning, cloud services and SaaS, to name a few. Companies that find it a business necessity to transfer data overseas, for example due to auditing or securities disclosure requirements, are encouraged to set up internal security assessment procedures based on the factors in the Proposed Rules or, if they lack adequate internal compliance or legal resources, to engage outside experts to conduct the security assessment in order to minimize compliance risks.