New Challenges Ahead: How to Comply with Cross-border Data Transfer Regulation
Although the Cybersecurity Law of thePeople's Republic of China is still in grace period, Chinese authorities have already taken enforcement actions against companies for non-compliance with it...1. IntroductionFollowing EU's release of General Data Protection Regulation ("GDPR") and numerous nations' or regions' issuance of data protection laws, including Russia, Singapore, Australia,...
Although the Cybersecurity Law of the
People's Republic of China is still in grace period, Chinese authorities have already taken enforcement actions against companies for non-compliance with it...
1. Introduction
Following EU's release of General Data Protection Regulation ("GDPR") and numerous nations' or regions' issuance of data protection laws, including Russia, Singapore, Australia, Canada, India, and South Korea, China's first comprehensive law of data protection, i.e., the Cybersecurity Law of the People's Republic of China ("CSL"), took effect on June 1, 2017. Compared with EU's so-called the strictest privacy law GDPR, the CSL appears to be even more strict than that in terms of cross-border data transfer for the purposes of which include safeguarding cyberspace sovereignty, national security, and public interests far beyond the ordinary legislative purpose of protecting citizen's personal information.
This article's objective is to shed light on the latest progress of cross-border data transfer requirements in China and to provide compliance recommendations for multinational companies operating business in China.
2017, poses new challenges for companies operating in China to comply with cross-border data transfer requirements. Different from data protection laws in other jurisdictions, to safeguard national security and public interest, the CSL not only limits cross-border transfer of personal information but also that of important data, and it distinguishes operators of critical information infrastructure from other network operators to set stricter compliance requirements. Since the CSL is still in grace period, companies operating in China are advised to catch up closely with the progress of the enactment of relevant laws and policies, prepare to initiate security assessments, and establish internal compliance systems.
2. CSL Is Still In Grace Period
Before talking about specific requirements of cross-border data transfer in China, it shall be noted that the CSL is still in grace period. As shown in the table below, the CSL's implementation requires regulations, rules, and guidelines and most of which are still in the pipeline with their drafts being released in order to solicit public opinions.
| Category | Title | Legal Status |
| Laws | CSL | Effective |
| Regulations and Rules | Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data ("Draft Security Assessment Measures")1 | In the pipeline |
| Regulation on Security Protection of Critical Information Infrastructure ("Draft CII Regulation")2 | In the pipeline | |
| Guidelines (National Standards) | Information Security Techniques – Personal Information Security Specification ("Personal Information Security Specification")3 | Effective |
| Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment ("Draft Security Assessment Guidelines")4 | In the pipeline |
3. Basics Of Cross-Border Data Transfer
Regulation
Similar to most data protection laws in the world including the GDPR, the CSL only regulates outbound data flow from China, which is defined as network operators' provision of personal or important data collected and generated during its operation within China to entities, organizations, or individuals located outside China. This chapter introduces basic terms and concepts under the CSL, including "personal information", "important data", "CII operators", and "network operators", which helps to understand the subjects and obligors of cross-border data transfer requirements.
3.1 The CSL Targets Both Personal Information
And Important Data
Most data protection laws like the GDPR only concern personal information, while the CSL also captures nonpersonal information, namely important data, as the subject of cross-border data transfer.
(1) Personal Information
Personal information refers to information which can be used alone or in combination with other information to recognize the identity of a natural person. For instance, online search records in combination with IP addresses directing to a specific natural person constitute personal information. However, once personal information is made anonymous, which prevents a specific natural person from being identified and being restored, it can no longer be defined as personal information.
(2) Important Data
To safeguard national security and public interest, the CSL also limits the cross-border transfer of "important data", which is defined as data closely related to national security, economic development, and societal and public interests. The scope of important data shall be determined in specific sectors, and reference can be made to the non-exhaustive list of exemplar information in 27 sectors provided by Appendix A of the Draft Security Assessment Guidelines, such as telecommunication, electronic information, finance, e-commerce, credit investigation, food and drug, population health, and post express. For example, where testing results of Chinese citizens' genes have been made anonymous for cross-border transfer, even if the results will not be regarded as personal information, it may constitute important data and shall be localized within China.
3.2 CII Operators Face Stricter Obligations
Compared With Network Operators
Both network operators and CII operators need to fulfill cross-border data transfer obligations under the CSL and its supporting rules, while CII operators face stricter restrictions concerning data localization and security assessment, which will be deliberated in chapter four.
(1) Network Operators
Similar to the concepts of "controller or processors of personal data" under the GDPR, network operators shall be interpreted broadly to encompass owners, managers, and service providers of a network.
(2) CII Operators
CII operators are a subset of network operators, operating critical information infrastructure in important industries and sectors that, once damaged, disabled, or data disclosed, may severely threaten the national security, national economy, people's livelihood, and public interests, which includes industries of government administration, energy, finance, transportation, water conservation, healthcare, education, and information networks. As to the scope and identification of CII, a guideline will be formulated by the Cyberspace Administration of China ("CAC"), China's chief Internet watchdog, in conjunction with other relevant authorities in the future.
4. Main Obligation: Conducting Security
Assessments
Article 37 of the CSL initially requires CII operators to store within China personal information and important data generated during its operation in China ("data localization") or to conduct security assessments where cross-border data transfer is needed for business purposes. At present, only CII operators are subjected to the data localization requirement; however, the security assessment requirement is expanded from CII operators to all network operators by the Draft Security Assessment Measures.
operators are subjected to the
data localization requirement,
however, the security
assessment requirement is
expanded from CII operators
to all network operators by
the Draft Security Assessment
Measures
4.1 Two Sets Of Security Assessments
Security assessment under the CSL is a two-tiered framework, consisting of self-assessment and official assessment. In principle, network operators shall conduct a security self-assessment where cross-border data transfer occurs. In special circumstances, an official security assessment is conducted by industry-supervising authorities or CAC, where involving personal information of more than 500,000 individuals, containing information in critical industries, or other circumstances that possibly affect national security and societal and public interests.
In addition, before transferring personal information overseas, network operators shall notify data subjects the purpose, scope, type, and the country or region in which the recipient is located and obtain his/her consent, except for the occurrence of urgent circumstances under which the security of persons' lives and properties is endangered. The notification is advised to be stated in explicit statements in privacy policies, pop-ups and non-ticked boxes in Internet websites, and phone voices, etc.
4.2 Legal Liabilities
The fines imposed by the CSL for breaching cross-border data transfer requirements are relatively small, ranging from 50,000 yuan to 500,000 yuan. But the enforcement of the CSL focuses on severe penalties such as suspension of related business or shutdown of the website and revocation of business licenses. Besides, violators may also face penalties in forms of warning, rectification, and confiscation of illegal gains.
5. Recommendations For Compliance
Although the CSL is still in grace period, Chinese authorities have already taken enforcement actions against companies for non-compliance with the CSL. In July 2017, the CAC and three other departments have jointly initiated a special action to review privacy policies of 10 notable domestic network companies, including WeChat, Taobao, JD, AutoNavi, Baidu Maps, Didi Chuxing, Alipay, Sina Weibo, Umetrip, and Ctrip, and have ordered them to make rectifications.
Against this backdrop, though the CSL still left a fair number of issues unresolved with respect to cross-border data transfer, companies doing business in China, whether or not they have physical presence in China, are advised to make preparations for compliance as follows:
(1) update or establish privacy policies on cross-border data transfer, in which, the scope, purpose, and type of personal information and the country or region of a recipient shall be articulated in an explicit way;
(2) adopt a check box which is not checked by default to obtain data subjects' consent;
(3) reduce the amount of personal information and important data to a minimum necessary for business purposes or take measures to make anonymous where data export is needed;
(4) add positions for data protection where necessary or at least provide training on cross-border data transfer requirements for employees on a regular basis;
(5) keep up with the implementation rules of the CSL and seek professional advice for interpretation and compliance in a timely manner.
2. CAC published a draft of CII Regulation on 10 July 2017, see http://www.cac.gov.cn/2017-07/11/c_1121294220.htm.
3. Chinese version of the Personal Information Security Specification,http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno= 4FFAA51D63BA21 B9EE40C51DD3CC40BE.
4. The National Information Security Standardization Technical Committee ("TC260", in which some officials of CAC serve as its members) published a draft of Security Assessment Guidelines on 30 August 2017, see http://www.tc260.org.cn/front/bzzqyjDetail.html?id=20170830211755&norm_id=20170221113131&recode_id=23883.
Disclaimer - The views expressed in this article are the personal views of the author and are purely informative in nature.