China’s new Cybersecurity Law, effective from 1 June 2017, introduced a local data residency requirement that has raised questions and concerns among multinational companies operating in the country.
To implement the local data residency requirement, the Cyberspace Administration of China (CAC) released a draft Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data on 11 April 2017 to solicit public comments.
The Cybersecurity Law imposed an obligation on operators of “critical information infrastructure (CII)” to store “personal information and other important data collected and generated during operations within China” (local data) and requires that CII operators undertake security assessment before transferring such data abroad. The draft measures, however, seem to extend the applicability of the local data residency requirements from CII operators to all “network operators”.
The draft measures replicate the definition of “network operator” stipulated under the Cybersecurity Law. “Network operators” refers to owners and operators of networks, as well as network service providers. Based on this broad definition, arguably, any entity in China that uses computer systems connected to communication networks could be considered a network operator, and therefore would be subject to the local data residency requirement stipulated under the Cybersecurity Law. Should the draft measures be implemented as is, virtually all entities established in China that access and use the internet in the course of business operations could be required to keep a copy of local data in China.
Under the draft measures, if a network operator seeks to transfer local data overseas for business needs, it must undergo a security assessment in accordance with the general principles of “fairness, objectiveness and effectiveness”.
The draft measures provide two types of security assessments: self-assessment; and government-administered assessment. As a general principle, network operators must conduct a security self-assessment before transmitting local data overseas (unless a government-administered security assessment is triggered) and be responsible for the results of the assessment.
A government-administered security assessment is triggered if the intended outbound data transmission involves any of the following circumstances: (1) the data to be transmitted abroad involve personal information of 500,000 or more persons in each transmission or in aggregate; (2) the volume of data to be transmitted exceeds 1,000 GB; (3) the data concern areas such as nuclear facilities, chemical biology, national defence, population health, large-scale engineering activities, marine environment and sensitive geographic information; (4) network security data relate to CII, including system vulnerabilities, security protection and other cybersecurity data; (5) the export of personal information and important data by CII operators; or (6) other circumstances that may affect national security or public interests. The draft measures provide that a government-administered security assessment should be completed by the relevant industry regulator within 60 working days and be reported to the CAC upon completion.
While there are already industry-specific restrictions on cross-border transfers of certain categories of data (including population health information and sensitive geographic information data) under existing laws and regulations, the draft measures seem to significantly expand the applicability of the government-administered security assessment requirement. First, the draft measures introduce quantitative thresholds (i.e., 500,000 persons or 1,000 GB) as triggers for the government-administered security assessment, which appear to be relatively low. Second, no specific industries or business sectors are specified in respect of the proposed quantitative thresholds, which could potentially bring companies in a broad range of industries and sectors within scope. Third, the term CII, which is broadly defined under the Cybersecurity Law, is not further clarified under the draft measures. Finally, there is a catch-all category of data that may affect “national security and public interests”, which gives the CAC considerable additional discretion.
Under the draft measures, a security assessment, be it self-assessment or government-administered assessment, should focus on the following aspects: (1) the necessity of the outbound data transmission; (2) the volume, scope, type and sensitivity of local data to be transferred abroad; (3) the measures and ability of the recipient to ensure data security, as well as the cybersecurity environment of the country or region where the data recipient is located; (4) the risk of leakage, destruction or abuse of the data following the outbound transfer; and (5) possible risks that the outbound data transmission can pose to national security, public interests and lawful interests of individuals.
Furthermore, a network operator must, based on its business development and network operation status, conduct a security assessment on outbound data transmission at least once a year and report the assessment results to the relevant industry regulator. In addition to an annual security assessment, a network operator is required to conduct a new security assessment each time (a) there is a change in the data recipient, or significant change in the purpose, scope, volume or type of the outbound data transmission; or (b) there is a major security incident involving the data recipient or the data transmitted abroad.
The annual security assessment requirement is somewhat confusing, as it may be interpreted to mean that once a network operator has conducted a security self-assessment on the outbound transmission of personal information and important data, that self-assessment would be sufficient for its outbound data transmission unless and until a new security assessment is triggered as stipulated under the draft measures.
The draft measures provide that industry regulators must be responsible for organizing and administering government-administered security assessments. Where such an assessment is triggered but a competent industry regulator cannot be identified, the CAC must take charge of the assessment.
The term “important data” is not defined under the Cybersecurity Law, which has caused great concern given the local data residency requirement. The draft measures have clarified that “important data” refers to data that are closely related to national security, economic development and public interest. While it is useful to understand that coverage is not as broad as originally feared, the draft measures also refer to certain relevant national standards and identification guidelines for important data, suggesting that the specific scope of important data would be subject to further legislation.
The Cybersecurity Law generally requires that network operators shall inform data subjects of the purpose, method and scope of collection and use of personal data and obtain data subjects’ consent. In line with this general requirement, the draft measures require that in order to transmit personal information overseas, a network operator must inform the data subjects of the purpose and scope of the outbound data transmission, the content and the recipient(s) (including the country(ies) or region(s) where the recipient(s) are located) of the information transmitted, and obtain consent from the data subjects. Where the data subject is a minor, the consent of the data subject’s guardian is required for the outbound transmission of the data subject’s personal information.
This consent requirement raises practical challenges and impediments, given the wide adoption of cloud technology and the geographic spread of many businesses. For example, it is not entirely clear if a network operator must inform and obtain consent from data subjects each time it transmits personal information abroad. Further, age verification could be a challenge depending on how the requirement is actually enforced. Also, when dealing with corporate customers, it would be quite burdensome and impractical for network operators to request contact persons of corporate customers to give a separate consent on transmitting their personal information (name, phone number and/or email address) abroad for business purposes.
In light of this advance consent requirement, network operators with a need to transmit abroad personal information collected within China should review and amend their existing privacy policies or statements in order to ensure compliance.
PROHIBITIONS ON TRANSMISSION
Under the draft measures, transmission of local data is prohibited under the following circumstances: (a) a personal information data subject has not consented to transmission of his/her personal information out of China, or the transmission could infringe on the data subject’s interests; (b) the intended outbound data transmission would create a security risk in terms of national politics, the economy, science and technology, or national defence, etc., and could affect national security or harm the public interest; and (c) a relevant authority such as the CAC, public security authority or national security authority, etc., determines that the data may not be transmitted abroad.
Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by e-mailing Danian Zhang (Shanghai) at: email@example.com