China Expands Data Transfer Requirements for its Cybersecurity Law

As I explained earlier in my blog about understanding China’s Cybersecurity Law, China is unveiling its Cyber sovereignty strategy by releasing regulations, policy statements and guidelines over time. The latest release was on April 11, 2017, when the Cybersecurity Administration of China (CAC) released their draft of “Security Assessment Measures for Cross-Border Transfer of Personal Information and Important Data.”

Cross-Border Transfer Draft Overview

The Transfer Draft, as it is being referred to, provides guidelines for conducting assessments on data originally created, or stored, in China before the data can be transferred to a jurisdiction outside of mainland China. The Transfer Draft also extends this requirement to all Network Operators (not just organizations who are considered CII or Critical Information Infrastructure).  This controversial draft is under consideration until May 11 and is bound to the Cybersecurity Law that will go into effect June 1, 2017.

We knew the Transfer Draft was forthcoming and anticipated it would provide clarity on data management for CII’s. While the Transfer Draft does provide detailed requirements for the data localization, it goes a step further by expanding data localization scope, which creates some uncertainty as to how data localization should be implemented. Furthermore, up until the Transfer Draft, only organizations considered as CII needed to worry about data localization. The Transfer Draft expands the scope to cover both CIIs as well as network operators.

Therefore, be warned, if adopted, the April 11 Transfer Draft could potentially impose data localization requirements on multinational companies (MNCs) who previously believed they were not subject to these rules as non-CIIs. If adopted, MNCs will need to re-evaluate their data localization plans in order to mitigate cybersecurity compliance risk.

Transfer Draft extends requirement to Network Operators

The Cybersecurity Law Article 37 already requires CIIs and network operators to store personal information and important data gathered and produced during their operations in China on servers within mainland China.  It also specifies only CIIs will need to obtain a security assessment from the authorities if such data is to be provided abroad. Article 2 of the new Transfer Draft expands Article 37 to include network operators to comply with the rule:

Network operators shall store personal information and important data gathered and produced during operations within the territory of China. Where it is  necessary to provide such information and data to overseas parties due to business requirements, a security assessment shall be conducted in accordance with these measures.

The definition of “network operator” under the Transfer Draft remains consistent with CSL definition, which states: the owner or an administrator of a computerized information network system, or a network service provider.

This means that all network operators will be required to store, within the territory of China, personal information and critical data that they collect or generate in the course of operating their business in China. And if they have a business need to transmit data outside of China, they must undergo a security assessment.

Data Transfer Security Assessments

The Transfer Draft proposes two different possibilities for security assessments:

1. Proactive self-assessment conducted by the operator’s organization.
2. Reactionary official assessment undertaken by the appropriate government authorities.

Organizations doing business in China are encouraged by the draft to choose option 1—annually conduct Data Transfer self-assessments for Cyber compliance. Consistent with the CSL, the Transfer Draft suggests the following items be considered within the self-assessment:

• What is the likelihood of the data being transferred to cause harm to national security, public interest, and an individual’s legitimate interest once the data is abroad?
• What are the risks of the transferred data being disclosed without authorization, destroyed, modified, misused, or otherwise compromised?
• What is the network security environment of the recipient country/region?  Can it be trusted?
• What is the adequacy of the data protection measures the data recipient is capable of adopting?
• What is the quantity, scope, type, and sensitivity of the personal information and “important data” to be transferred? The Transfer Draft defines “important data” to mean “data closely related to national security, economic development, and public interest.”
• Does the data really need to be transferred or can the issues being considered be solved with the data staying in China?

The Transfer Draft recommends an organization conduct self-assessments if there is a significant change in business operations. It also recommends a self-assessment should there be (heaven forbid) a serious security breach incurred by the recipient or anything pertaining to the data being transferred.

In addition to the self-assessment performed by the organization, network operators shall also obtain an official security assessment from the relevant government authorities if any one of the following circumstances applies:

• The data to be transferred is from sectors such as nuclear, biochemical, national defense, military, healthcare, marine engineering, or contains sensitive geographic data
• The data concerns security vulnerabilities and protection of CIIs
• The personal information to be transferred concerns more than 500,000 individuals
• The data to be transferred exceeds 1 Terabyte (1,000 Gigabytes)
• CIIs provide personal information and important data abroad
• Any cross-border transfer that shows potential to affect national security and public interest

An official data transfer assessment is required to be completed within 60 working days by the relevant government authorities. The results of the official assessment need to be reported to the CAC. Organizations do not want to fail one of these reviews.

See the full translation here from Wolters Kluwer.

“Off Limits” for Data Transfer

The article also explains how the Transfer Draft prohibits the cross-border transfer of personal information and important data in any of the following three scenarios:

1. Missing consent. A business entity will be required to provide the transfer purpose, scope, content, the data recipient, and the recipient’s country/region of the transfer, and obtain the sender’s consent prior to transfer. Missing consent means data can’t be transferred.  Cross-border transfer of personal information pertaining to minors will need to obtain the consent of the minor’s legal guardian.
2. Potential national security risk. Proposed cross-border data transfer cannot be transferred if it could possibly jeopardize national security, public interest, and/or cause harm to the government, economy, science, and/or national defense.
3. The Catch All.  When government authorities simply deem the transfer inappropriate (yep, they can do that).

Recommendations for Organizations doing Business in China

As stated in understanding China’s Cybersecurity Law, organizations need to “Be Prepared.” MNCs (Multinational Corporation) should plan on taking steps to comply with the security assessment requirements if any cross-border data transfer is being considered. In addition, it is suggested organizations consider adopting these steps in preparation for a self-assessment:

1. Prepare an assessment check list by gathering information regarding past and planned data transfers.  Start with details such as the data type, quantity, sensitivity of the data, and the adequacy of data protection measures of the recipient vendor and of the country/region where the recipient resides;
2. Evaluate your policies and procedures for your China operations and ensure adequate notice has been given to your users and proper consent has been obtained with regards to all cross-border data transfers;
3. Conduct a global vendor assessment and eliminate high-risk vendors.

We will know more soon–very soon

We will be watching this unfold over the next few weeks. Currently, the Transfer Draft has only been published for comment and is not a final regulation; however, it does provide a glimpse of what the final regulation may require. The public comments period for the Transfer Draft is scheduled to end on May 11.

According to my sources at the American Chamber of Commerce (AmCham) and the United States Information Technology Office (USITO), a number of US MNCs are currently expressing their concern over the Transfer Draft Measures.  We suspect we will see some changes between May 11 and June 1 but don’t hold your breath. As stated before, China is very serious about protecting its data and establishing its Cyber Sovereignty.