A quick look at the draft "Measures on Security Assessment relating to Export of Personal Information and Important Data".
The State Internet Information Office issued on 11 April 2017 a draft "Measures on Security Assessment relating to Export of Personal Information and Important Data". The consultation period will end on 11 May 2017. The draft measures are prepared pursuant to the China Cybersecurity Law and should provide further insight on how the Chinese government intend to enforce the main legislation.
We highlight below some of the key provisions and requirements in the draft measures:
The draft measures also include a definition which has caused much concern when the Cybersecurity Law was first promulgated, that is the definition of "important data". In the draft measures, this is proposed to mean "data which is closely related to national security, economic development, and social and public interests, with specific reference to relevant national standards and important data identification guidelines".
Observations
The scope of data localisation as proposed in the draft measures is much wider than it is contemplated under the Cybersecurity Law. Under the Cybersecurity Law, the data localisation requirement is only imposed on the operators of critical information infrastructure. The broadening of the data localisation obligation is unlikely to be well received by MNCs operating in China.
The draft measures now contain a definition of "important data", which appears to exclude business and commercial information. Whether this indeed will be the case, we will only be sure when the identification guidelines are eventually published.
It is also interesting to see the draft measures mentioning that the security assessment process set out in the measures should also be followed by other entities that collect personal information and important data in China and wish to export such information outside of China and are required to under security assessment of the export.