At the end of August, a number of draft Guidelines and draft National Standards were published by the National Information Security Standardisation Technical Committee, one of which is a revision of the draft Guidelines on Security Assessment for Data Export which was first published in May 2017 (see Update (6)). The revised draft is important to those who are concerned about the application and scope of the data localisation and data export requirement under the China Cyber Security Law, and there are a number of significant provisions and issues raised in the Guidelines which we will highlight in this update.
Do the data localisation requirements only apply to CII?
The "data localisation" requirement under the Cyber Security Law provides that operators of critical information infrastructure (CII) are required to store personal information and "important data" in China, and if such data is to be exported outside of China for business needs, a security assessment must be conducted. As raised in Update (3) and Update (6), although the Cyber Security Law provides that the "data localisation" requirement only applies to CII operators, subsequent draft implementation rules and guidance provide that "network operators" are also subject to the requirement.
The revised draft Guidelines continues to provide that the data localisation requirement applies to "network operators" in general, with some provisions that are specifically relevant to CII operators (e.g. CII operators must submit their self-conducted security assessments to the relevant supervisory authorities). The wider application under the revised draft Guidelines suggests that, once finalised as a national standard, compliance with the data localisation requirement will be regarded as good practice for "network operators" in general, even where the Cyber Security Law itself does not require it.
What is "data export"?
Under the Cyber Security Law, operators of CII are required to undergo a security assessment if personal information or "important data" is to be exported outside of China for business needs. The revised draft Guidelines contains an expanded definition of "data export". In particular, it clarifies that the following situations would be regarded as "data export":
- Any transfer of personal information or "important data" to entities located within China that are not subject to China's legal jurisdiction or are not registered in China;
- Any personal information or "important data" that stays in China but which is accessed by organisations, entities or individuals outside of China; and
- Any personal information or "important data" generated by the domestic operations of a group organisation and transferred to members of the group organisation outside of China.
Based on the above clarifications, "data export" could potentially include access to personal information or "important data" in China by foreign nationals who enter China, and also covers remote access to such data from places outside of China.
Importantly, the revised draft Guidelines clarifies that only the cross-border transfer of "data generated by domestic operations" would be regarded as data export. "Data generated by domestic operations" includes data generated by network operators that are not registered in China but conduct business operations in China or provide goods and services within China. Factors that would suggest that goods and services are provided "within China" include the use of Chinese currency for payment, the use of the Chinese language and the delivery of goods to locations in China. Conversely, personal information or "important data" generated by network operators whose business provides goods and services only to entities outside of China would not be regarded as "data generated by domestic operations".
What is "personal information" and "important data"?
The definitions of "personal information" and "important data" under the Cyber Security Law are crucial in determining what data needs to be localised in China. Under the revised draft Guidelines:
- The definition of "personal information" is revised and made consistent with the definition under the Cyber Security Law. In particular, specific references to information that reflects a natural person's activities such as location and behavioural data have been removed from the definition.
- Further, specific reference is made to an appendix in a separate National Standard, the "Guideline on Personal Information Security", which will set out the scope and categories of information that would be classified as "personal information". This new Guideline has not yet been published; the reference to it suggests that the old Guideline on Information Security Protection (a standard issued prior to the Cyber Security Law) will be replaced.
- The revised draft Guidelines defines "important data" as data (whether raw data or secondary data) which is closely related to national security, economic development and public interests, and specifically excludes State secrets. It is further clarified that information that has been publicised via Government information publication channels will not be regarded as "important data". It is however unclear what forms of disclosure would qualify as "Government information publication channels".
- Similar to the draft Guidelines issued in May 2017, the revised draft Guidelines sets out, in an Appendix, a comprehensive guide to what constitutes "important data" in specific key industries and sectors; this Appendix remains largely unchanged from the first draft. Industry supervisory authorities are expected to further determine, and regularly update and revise, the detailed scope of "important data" relevant to their industries.
What does the security assessment involve?
The revised draft Guidelines sets out two separate procedures in relation to the security assessment for data export: (1) self-assessment and (2) security assessment to be conducted by the relevant supervisory authorities. This approach reflects the provisions under the draft Measures on Security Assessment relating to Export of Personal Information and Important Data issued in April 2017 (see Update (3)).
The steps that need to be taken for self-assessment are similar to those set out in the first draft of the Guidelines, i.e. network operators must set out data export plans and assess (i) the lawfulness and appropriateness of the data export, as well as (ii) the level of risk involved in the transfer (see Update (6)).
In addition, further clarification on certain specific requirements relating to the security assessment is set out in the revised draft Guidelines, including how often and when the security assessment should be conducted and the circumstances in which the self-assessment report should be submitted to the relevant supervisory authorities.
Security assessment by supervisory authorities
In relation to security assessment to be conducted by the relevant supervisory authorities, the revised draft Guidelines sets out the procedure involved in the assessment, including (i) the setting up of a working group within the relevant supervisory authority that would assess documentation submitted by the relevant network operators and conduct site investigations; (ii) a third party specialist committee that will review the draft assessment report and provide recommendations; and (iii) the relevant supervisory authority working group that will make a final determination under the security assessment report taking into consideration recommendations of the third party specialist committee.
The revised draft Guidelines further sets out the circumstances in which a security assessment by the relevant supervisory authorities will be triggered. Once triggered, it is expected that the National Cyberspace Authority and the industry supervisory authority will set out a specific "security assessment plan" for each supervisory authority and each security assessment. The factors considered in such a security assessment will be similar to those considered under a self-assessment.
The level of detail and revisions made to the revised draft Guidelines suggest that a lot of thought has been given to the processes and considerations that are relevant to the "data export" restrictions relevant to the "data localisation" requirements under the Cyber Security Law. It is expected that the draft Guidelines will be finalised soon.
Given the further guidance provided in the revised draft Guidelines, businesses that generate personal information and "important data" in China and seek to "export" such data are recommended to start reviewing their current operations and data flows and to put in place the applicable security assessment procedures and processes.