13 Jun 2019
On 13 June 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures for the Security Assessment of Cross-Border Transfer of Personal Information (“Draft Measures”) for public comment. As the draft Measures on Cybersecurity Review, released on 21 May 2019, did for the purchase of network products and services, the Draft Measures specify obligations and procedures for network operators transferring personal information out of China as well as for the recipients of that information. This regulatory regime differs considerably from that of the draft Measures for Evaluating the Security of Transmitting Personal Information and Important Data Overseas, which were released by the CAC on 11 April 2017 but have never come into effect.
As per the Cybersecurity Law of the PRC, “network operators” are “network owners and administrators, and network service providers”. This broad definition may apply to almost any company that engages in business through the Internet. The definitions of “personal information” and “sensitive personal information” are also not new (and the former at least resembles definitions in other jurisdictions): respectively, “information recorded by electronic or other means that can identify a natural person's identity alone or in combination with other information” and such information that may be harmful to the person’s physical or mental health, property or reputation (if not handled properly).
According to the Draft Measures, before a network operator may transfer personal information out of China, it must conduct a “Security Assessment” and report it for review by the provincial CAC branch. (A separate Security Assessment is required for each recipient, but multiple or continuous transfers to the same recipient require reassessment only every two years.) Among other focuses of the Security Assessment, the CAC will examine the credibility and track record not only of the network operator but also of the foreign recipient.
Within 15 days (extendable for complex situations), the provincial branch of CAC will report its conclusions to the network operator and the central CAC: if the transfer of personal information may affect national security or damage public interest, or it is difficult to effectively protect personal information, the transfer will be prohibited.
Approved transfers entail several additional obligations. For example, the network operator must retain records of all transfers for at least five years and provide an annual report, to the provincial CAC branch, on the status of the transferred personal information and performance of the contract involving the transfer. In fact, a major new requirement is that a contract or equivalent legal document regarding the data transfer must be signed between the network operator and the foreign recipient. Moreover, it must include numerous protective provisions, e.g., on the rights of the subject of the personal information to obtain information about—and potentially compensation for—certain circumstances in relation to the transfer of his/her personal information.
The Draft Measures also directly specify obligations on the foreign recipient of transferred information. For example, aside from strictly following the contract’s stipulations on the use and length of storage of personal information and restrictions on transfers to third parties, if changes in the legal environment of the recipient’s jurisdiction would jeopardize the security of the personal information, the recipient must notify the network operator (and, by virtue of another article in the Draft Measures, the contract may be terminated and/or the Security Assessment must be redone).
The 22 articles of the Draft Measures introduce numerous obligations on network operators involved in cross-border transfers of personal information, and on the recipients of that information, but many of them resemble concepts and practices in other jurisdictions, particularly the European Union. Some obligations also remain unclear, such as an apparent requirement that foreign entities perform security assessments. In sum, companies involved in cross-border transfers of personal information out of China, particularly MNCs, should prepare to establish or adjust internal mechanisms to comply with China’s growing regulations in this and related areas.