Two years into the implementation of the Cyber Security Law (CSL), one of the key areas of uncertainty for businesses operating in China are to the restrictions on cross border data transfer.
The key supporting implementation guidance and measures, including the draft Measures on Security Assessment relating to Export of Personal Information and Important Data and the draft Guidelines on Security Assessment for Data Export, have been in draft form for over 18 months. For previous Update on the previous draft Guidelines and draft Measures, please see here.
On 13 June 2019, the Cyberspace Administration of China (CAC) issued a long-awaited second draft Measures on Security Assessment for Export of Personal Information (Second Draft Measures). The Second Draft Measures are open for public consultation until 13 July 2019.
We set out below a number of key takeaways in relation to Second Draft Measures:
The Second Draft Measures do not cover the requirements for export of important data, which was covered in the previous draft and also under the CSL. It is expected that separate implementation measures and guidance will be issued shortly by the CAC on export of important data.
As with the previous draft, the data export requirements apply to all "network operators". One can argue that this is inconsistent with the data export requirements under the CSL where the data localisation and data export restrictions only apply to "operators of critical information infrastructure" (Article 37 of the CSL).
To the extent that there was any doubt as to whether it was simply an oversight that the data export requirements were inadvertently imposed on all network operators, it is now fairly clear that the legislative intention is to widen the application of certain aspect of Article 37 of the CSL to network operators. The Second Draft Measures however do not appear to expressly impose any data localisation requirement on network operators.
It is important to note that businesses operating outside of China (thus not just a "network operator" in China) will also be caught by the Second Draft Measures. Article 20 of the Second Draft Measures provides that entities operating outside of China but collecting personal information of individuals in China through the Internet (or other means) are required to though their legal representatives in China to comply with the obligations applicable to network operators in China.
Network operators are required under the Second Draft Measures to conduct a filing (effectively an application) with the local CAC on conducting a security assessment in respect of any export of personal information before any personal information is exported from China.
A separate filing should be made if the data recipient changes but no separate or additional filing needs to be made for multiple transfers to the same data recipient.
In addition, network operators are required to renew a filing once every 2 years, or if there is any change in the purpose of transfer, categories of data transferred and retention period of the transferred data.
Network operators are required to submit:
The CAC will, based on the information filed by the network operators, review security assessment within 15 working days (except in complicated cases). The security assessment will include reviewing:
It is unclear whether export of personal information by network operators is conditional on receiving a certain result based on the security assessment (e.g. the results indicate that the risk is "low"). However, Article 11 of the Second Draft Measures provides that CAC has the right to require a network operator to suspend or stop any export of personal information in cases where:
Network operators have a duty to keep a record of personal information exported for a period of 5 years. They are also required to submit before 31 December of each year a record on the circumstances under which personal information is exported and the status of compliance of any contracts with the relevant data recipients. The content as stipulated is very broad and the exact information to be included is unclear.
Quite separate from other statutory requirements, the Second Draft Measures also requires any data breach relating to such exported data to be notified to the local CAC.
The Second Draft Measures also mandate certain content to be included in any contracts or documents having legal effect between a network operator and the data recipient. The network operators and data recipients are also required to assume certain obligations in the contracts.
Some of the key requirements are summarise below: