On May 27, 2017, the National Information Security Standardization Technical Committee of China published draft guidelines on cross-border transfers pursuant to the new Cybersecurity Law, entitled Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (the “Draft Guidelines”). The earlier draft, Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data (the “Draft Measures”), requires network operators to conduct “security assessments” when they propose to transfer personal information and “important information” to places outside of China. These “security assessments” are essentially audits of the cybersecurity circumstances surrounding the proposed transfer that are intended to produce an assessment of the risk involved. If the assessment indicates that the risk is too high, the transfer must be terminated.
The Draft Guidelines, once finalized, are intended to establish norms for working requirements, methodology, content and the determination of conclusions for these “security assessments.” They recommend particular content for consideration during “security assessments,” such as the volume of information to be transferred, the political and legal environment in the place where the data recipient is located, and the security safeguard capabilities of both the transferor and the data recipient. At this time, the following observations can be made:
- Very generally speaking, the Draft Measures appear to take a risk-based approach, meaning that an assessment of the overall risks associated with a cross-border transfer, and the likely outcomes thereof, rather than a formalistic “check the box” compliance approach, should be used to determine whether the transfer should proceed.
- The Draft Guidelines appear intended, once finalized, to be a voluntary rather than compulsory document.
- The “security assessments” would focus on two overall inquiries: (1) the legality and appropriateness of the proposed cross-border transfer, and (2) the controllability of the risks involved.
- In addition to personal information, the Draft Measures would also impose restrictions on the cross-border transfer of “important information.” The Draft Measures define this term broadly as “information which is very closely related to national security, economic development and the societal and public interests.” The Draft Guidelines provide some specific possible examples of what might constitute “important information.”
- The Draft Guidelines would introduce into the Cybersecurity Law’s implementation framework the concept of “sensitive personal information,” as well as the possibility of desensitizing this information using processing that removes or reduces the sensitive elements in the data.
The Draft Guidelines’ content and approach may change by the time they are finalized. The Draft Guidelines are open to comment from the general public until June 26, 2017.
The Cyberspace Administration of China (“CAC”) released a draft of the Measures for Security Assessment of the Cross-Border Transfer of Personal Information and Important Data (the “Assessment Measures”) on April 11. As an important ancillary implementation regulation of the Cybersecurity Law (“CSL”), the Assessment Measures establish the basic framework for security assessment of data exports. According to the Assessment Measures, where network operators provide personal information and important data collected and generated in the course of operations within the territory of China to overseas parties, security assessments shall be carried out. Security assessments for data exports include both self-assessments and assessments by authorities. On the basis of the Assessment Measures, the Guidelines specify the requirements for the assessment process, the focus of assessment, the assessment methods and the scope and types of “important data” in different sectors and industries.
The Guidelines apply to security assessments carried out by network operators. They also apply to the competent industry regulators or regulatory authorities in their guidance and supervision of the security assessments carried out by network operators. The CAC and the competent industry regulators or regulatory authorities may make reference to the Guidelines in the security assessments of data exports carried out within their respective authorities.
III. Security Assessment Process
In accordance with the Guidelines, the security assessment process includes the following steps: initiating self-assessments, formulating data export plans, assessments of the lawfulness, appropriateness and controllability of the data export plans, generating assessment reports, and checks and revisions, etc.
Network operators shall formulate data export plans if their products and services involve the export of data. The data export plans shall include without limitation (1) the destination, scope, type and scale of the data export; (2) the information systems involved; (3) the transit country or region (if any); (4) the basic situation of the receiving party and the country or region where it is located; and (5) security control measures. Network operators shall assess whether the data export plan is lawful, appropriate and controllable by referring to the assessment methods set out in Appendix B of the Guidelines, and shall formulate assessment reports. Personal information and important data shall not be provided overseas if the result of the security assessment is high or extremely high. The assessment report shall be kept for at least five years. If the data export plan does not satisfy the requirements of lawfulness, appropriateness or controllability, network operators may revise the data export plan or take relevant measures to reduce the risk of the data export (such as desensitization of the data), and initiate another self-assessment.
IV. Focus of Assessment
The self-assessment for data export mainly focuses on two issues: the lawfulness and appropriateness of the export, and the controllability of the export.
When assessing the lawfulness and appropriateness of the data export, the factors to be taken into account include whether consent has been obtained from the people whose personal information is to be exported, whether the data export complies with provisions of relevant treaties executed between the Chinese government and other countries or regions, whether the data export is necessary for performing the ordinary business activities or the contractual obligations of the network operators, and whether the data export is required for judicial assistance.
When assessing the risk controllability of data export plans, the features of the exported data and the possibility of security incidents during the data export shall be taken into account comprehensively. Features of the exported data include the volume, scope, type, sensitivity and technical processing of the personal information or important data. Factors such as (1) the technical and management abilities of the exporter in relation to the data export; (2) the security protection abilities and measures of the recipient; and (3) the political and legal environment of the jurisdiction of the recipient shall be taken into account when assessing the possibility of security incidents during the data export.
V. Assessment Methods
The Guidelines provide methods and standards for assessments, which are based on the level of impact on personal rights and interests caused by the export of personal information, the impact on national security and social public interests caused by the export of important data, and the degree of possibility of security incidents. On the basis of a comprehensive judgement of the abovementioned factors, the overall security risk of data export activities is classified into four levels, namely extremely high, high, middle and low. After the assessment, if the security risk of the data export is extremely high or high, the relevant personal information or important data shall not be exported.
VI. Identification of Important Data
The Guidelines define important data in 28 industries and sectors, such as resources and energy, telecommunications and the electronic manufacturing industry, and the definition, scope or identifying criteria for important data in these key industries may be further specified by the competent industry regulators or regulatory authorities. The provisions regarding important data under the Guidelines reflect restrictions on data exports in existing laws and regulations (such as demographic health information, personal financial information, credit information and map information), and add new types of data restricted from being exported, such as registration information of e-commerce platforms and e-commerce transaction records.
As an important ancillary document to the CSL, the Guidelines put forward detailed recommendations on the assessment process, assessment methods and focus points of the data export security assessment. Although the Guidelines do not have mandatory legal force, they may be adopted and referred to in data export activities by network operators in various industries, since existing laws and regulations fail to provide detailed guidance. In data export assessments, enterprises need to comprehensively take into account factors such as the consent of the individuals whose personal data is being exported, the necessity of the data export, the security protection measures of the data exporter and of the data recipient, and the political and legal environment of the receiving country or region. These comprehensive and detailed assessment requirements bring new challenges for enterprises’ data export activities. Once an assessment determines that a data export is not allowed, the company may need to consider adjusting its data export practices, improving the security protection measures of the data exporter and the data recipient, and taking technical measures such as desensitization to meet compliance requirements. As the Guidelines are still open for public comment, we will continue to monitor their subsequent development and implementation.