Two years into the implementation of the Cyber Security Law (CSL), one of the key areas of uncertainty for businesses operating in China is the restrictions on cross-border data transfer.
The key supporting implementation guidance and measures, including the draft Measures on Security Assessment relating to Export of Personal Information and Important Data and the draft Guidelines on Security Assessment for Data Export, have been in draft form for over 18 months. For our previous update on the earlier draft Guidelines and draft Measures, please see here.
On 13 June 2019, the Cyberspace Administration of China (CAC) issued a long-awaited second draft Measures on Security Assessment for Export of Personal Information (Second Draft Measures). The Second Draft Measures are open for public consultation until 13 July 2019.
We set out below a number of key takeaways in relation to the Second Draft Measures:
- The Second Draft Measures only cover export of "personal information"
The Second Draft Measures do not cover the requirements for export of important data, which was covered in the previous draft and also under the CSL. It is expected that separate implementation measures and guidance will be issued shortly by the CAC on export of important data.
- The requirements apply to (i) network operators in China and (ii) offshore entities collecting personal information in China
As with the previous draft, the data export requirements apply to all "network operators". One can argue that this is inconsistent with the data export requirements under the CSL where the data localisation and data export restrictions only apply to "operators of critical information infrastructure" (Article 37 of the CSL).
To the extent that there was any doubt as to whether it was simply an oversight that the data export requirements were inadvertently imposed on all network operators, it is now fairly clear that the legislative intention is to widen the application of certain aspects of Article 37 of the CSL to network operators. The Second Draft Measures, however, do not appear to expressly impose any data localisation requirement on network operators.
It is important to note that businesses operating outside of China (and thus not just "network operators" in China) will also be caught by the Second Draft Measures. Article 20 of the Second Draft Measures provides that entities operating outside of China but collecting personal information of individuals in China through the Internet (or other means) are required, through their legal representatives in China, to comply with the obligations applicable to network operators in China.
- Filing requirement for export of personal information
Network operators are required under the Second Draft Measures to make a filing (effectively an application) with the local CAC for a security assessment of any export of personal information, before any personal information is exported from China.
A separate filing should be made if the data recipient changes but no separate or additional filing needs to be made for multiple transfers to the same data recipient.
In addition, network operators are required to renew a filing once every 2 years, or if there is any change in the purpose of transfer, categories of data transferred and retention period of the transferred data.
Network operators are required to submit:
- a filing report,
- the relevant data export contract (entered with the data recipient),
- an assessment report on the security risks and protection measures in respect of the data export; and
- any other information as may be requested by the CAC.
- Security assessment to be conducted by the CAC
The CAC will, based on the information filed by the network operator, conduct the security assessment within 15 working days (except in complicated cases). The security assessment will include reviewing:
- Whether the transfer is in compliance with legal and policy requirements;
- Whether the contract with the data recipient sufficiently protects the legal rights of the data subjects;
- Whether the contract with the data recipient may be effectively implemented;
- Whether there has been any prior significant data breach or infringement of data subject rights by the network operator or the data recipient;
- Whether the network operator obtained the personal information by legal and proper means; and
- Other relevant considerations.
It is unclear whether export of personal information by network operators is conditional on receiving a certain result from the security assessment (e.g. results indicating that the risk is "low"). However, Article 11 of the Second Draft Measures provides that the CAC has the right to require a network operator to suspend or stop any export of personal information in cases where:
- there is a relatively significant data breach or abuse of data by the network operator or the data recipient;
- the legal rights of data subjects cannot be protected; or
- the network operator or data recipient is unable to protect the security of personal information.
- Obligations to keep and file records of personal information export and data breach notification requirement
Network operators have a duty to keep a record of personal information exported for a period of 5 years. They are also required to submit before 31 December of each year a record on the circumstances under which personal information is exported and the status of compliance of any contracts with the relevant data recipients. The content as stipulated is very broad and the exact information to be included is unclear.
Quite separate from other statutory requirements, the Second Draft Measures also require any data breach relating to such exported data to be notified to the local CAC.
- Specific contractual requirements to be imposed on data recipients and network operators
The Second Draft Measures also mandate certain content to be included in any contracts or documents having legal effect between a network operator and the data recipient. The network operators and data recipients are also required to assume certain obligations in the contracts.
Some of the key requirements are summarised below:
- the contracts must set out the purposes of the export, the types of personal information involved and the period for which the data will be retained abroad, and an obligation on the network operator to notify the data subjects of the export;
- the data subjects will be named as a third party beneficiary in the relevant contracts and be given the right of recourse against the data recipients and the network operators;
- termination of the relevant contracts will not automatically extinguish the duties and obligations of the network operators and the data recipients;
- if a data subject is unable to obtain compensation from the data recipient, the network operator is obliged to make the compensation to the data subject first;
- the data recipient is not permitted to further transfer the personal information to a third party unless certain conditions are satisfied, including that a consent has been obtained from the data subjects concerned.
- The legal requirements set out in the Second Draft Measures are significantly more onerous than those in the previous draft. These requirements are likely to pose an additional administrative burden when conducting business in China.
- It is expected that revised draft national standards complementing the implementation of the Second Draft Measures will also be released shortly.