The Cybersecurity Law came into force on 1 June 2017. As reported previously, one area under the law that concerns many businesses operating in China is the requirement to store data in China, and the restrictions on the export or transfer of such data outside of China. In this update, we explore some recent guidance on this very important aspect of the new law.
Do the data localisation requirements only apply to CII?
Under the Cybersecurity Law, the "data localisation" requirement under Article 37 applies to operators of critical information infrastructure (CII). However, as noted in Update (3), the Draft Measures on Security Assessment relating to Export of Personal Information and Important Data appear to extend the data localisation requirement to "network operators", not just operator of CII. Further, a set of new Draft Guidelines on Security Assessment for Data Export published by the National Information Security Standardisation Technical Committee on 27 May 2017 similarly suggests that "network operators" are subject to the data localisation requirement. Given the perceived expansion of the scope of application of the data localisation requirement, there is plenty of unease amongst businesses in China.
In a set of Q&As issued by the Cybersecurity Coordination Bureau of the Cyberspace Administration of China (CAC) on the eve of the coming into force of the new law, the official emphasised and confirmed that the data localisation requirement is only applicable to operators of CII. This provides some comfort to those who are unlikely to be regarded as operators of CII, but the inconsistency with the Draft Measures and the Draft Guidelines continues to worry many businesses.
What is "important data"?
Under Article 37, operators of CII are required to store personal information and "important data" in China. As there is no definition in the law, businesses are concerned that this would include important business or commercial data.
The Q&As clarify that "important data" is data concerning the State, and not data concerning businesses or individuals. Further, the Draft Guidelines also defines "important data" as data which is closely related to national security, economic development and social and public interests. On this basis, it appears that "important data" is unlikely to involve business or commercial information.
However, at the back of the Draft Guidelines is a comprehensive guide on what is "important data" in relation to certain key industries and sectors. Some of the detailed items of data that are listed appear to relate to business and commercial information (e.g. industry operation data, business strategy, investment and development data), as well as personal information (e.g. private individuals' e-commerce account information, financial data, account information, credit information). The industry supervisory authorities are expected to further determine the detailed scope of "important data" relevant to their industries.
What does the security assessment involve?
If the data localisation requirement applies, the next challenge faced by businesses is whether the relevant data can be transferred outside of China. Article 37 provides that if transfer of the relevant data is "necessary for business needs", a security assessment should be conducted in accordance with measures formulated by the CAC and other relevant supervisory authorities. With no further clarification under the law on what the security assessment would involve, what does this mean in practice?
Through the Q&As, the CAC official clarified that the purpose of the security assessment is to determine that the export or transfer of relevant data does not endanger national security or social and public interests. A first glimpse of what is intended to be the exact scope of the security assessment is set out in the Draft Guidelines. In essence, the security assessment would require network operators to set out data export plans and assess (i) the lawfulness and appropriateness of the data export, as well as (ii) the level of risk involved in the transfer, taking into account factors such as:
- the type, sensitivity and volume of the data;
- the technical measures undertaken by the data exporter;
- the technical measures and management abilities of the data recipient; and
- the political and legal environment of the recipient country.
The Draft Measures provide that, subject to certain exceptions, businesses themselves may conduct a self-assessment. In this regard, the Draft Guidelines give some useful guidance. However, businesses are now concerned if they will have the technical ability and resources to conduct the security assessment in the manner described when the Draft Guidelines are finalised.
Notwithstanding the clarifications given under the Q&As, some of the answers appear to be inconsistent with the Draft Measures and the Draft Guidelines, in particular, the application of the data localisation requirement to network operators rather than operators of CII, and the scope of "important data" that would be required to be stored in China.
As mentioned in a previous update, relevant authorities and ministries are expected to promulgate regulations and implementation measures within 12 months from the date the law came into effect to provide proper guidance to businesses. It is expected that the Draft Measures and the Draft Guidelines will become finalised soon and these, together with further implementation measures, will hopefully provide clearer guidance for businesses to follow, and perhaps the perceived inconsistencies will be cleared away.