On 11 April 2017, the Cyberspace Administration of China (“CAC”) released a set of draft Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (“Draft Measures”) for public comment.
The Draft Measures are the first of possibly many regulations clarifying the implementation of the Cyber Security Law of the People’s Republic of China (“PRC”) (“Cyber Security Law”), which will come into effect on 1 June 2017. In particular, the Draft Measures sheds more light on how personal information and important data may be transferred overseas.
The concept of security assessments on cross-border transfer of personal information and important data was first introduced under Article 37 of the Cyber Security Law, which imposes a data localization obligation on network operators of critical information infrastructures (“CII”) with respect to personal information and important data collected and generated within the PRC. However, Article 2 of the Draft Measures expands this obligation so that it now applies to all network operators.
The term “network operators” is defined as “owners and managers of networks, as well as network service providers” under Article 17 of the Draft Measures, which is consistent with the definition under Article 76 (3) of the Cyber Security Law.
Under Article 75(3) of the Cyber Security Law's first draft, “network operators” was defined as “owners and managers of the network and the network service providers that provide related services by using the networks owned or managed by others, including basic telecommunication operators, network information service providers, and important information system operators.” The latter underlined portion has since been deleted, suggesting that legislature intended for a broad and vague meaning to capture a wider range of corporate entities. Accordingly, it may be argued that any enterprise that uses a network to collects, stores, transfers, exchanges, or processes information through networks to provide products and services to end users may constitute a “network service provider.”
What Data Must be Localized
Articles 2 and 17 of the Draft Measures specifically states that personal information and important data collected and generated by network operators within the PRC must be stored in the PRC.
Consistent with the Cyber Security Law, “personal information” is defined in Article 17 of the Draft Measures to include “information recorded by electronic or other means that can, independently or in combination with other information, identify a natural person, including but not limited to a natural person’s name, date of birth, identity certificates numbers, personal biological identification information, address and telephone numbers.”
“Important data,” on the other hand, was left undefined in the Cyber Security Law. Article 17 of the Draft Measures sheds little light on its definition and vaguely describes that important data includes “data closely related to national security, economic development, and public interest,” and the detailed scope can be found in identification guidelines (without mentioning which guidelines or whether they have been published).
It is interesting to note that Article 2 of the Draft Measures significantly expands the data localization requirement to apply to all network operators, while Article 37 of the Cyber Security Law states that it only applies to network operators of CII. We understand the legislative intent behind this is to offer greater protection of personal information and important data and guaranteeing the free transfer of e-information. However, it has yet to be seen how imposing more onerous requirements on all network operators will assist in encouraging the free flow of data.
Cross-border Data Transfer
“Data transfer” is defined in article 17 of the Draft Measures to mean “providing personal information and important data collected and generated in the operation of network operators within the People’s Republic of China to institutions, organizations, and individuals outside of the territory of the People’s Republic of China.” This definition, in our view, essentially creates a sweeping boundary of any transfer (including through the Internet or physical transfer) and provision (including providing remote access to data stored in the PRC) of any personal information or important data overseas, regardless of the purpose and recipient.
The Draft Measures create for two forms of security assessments – self-assessment and government assessment – depending on the nature of the data.
For general data, Article 12 of the Draft Measures states that all network operators must conduct an annual self-assessment and report its findings to the relevant industry supervision authority. In the event there is a change to the recipient of the transmitted data or material change to the security measures or purpose, scope, volume or type of data, the network operator must promptly conduct a new self-assessment.
We understand that the CAC will formulate Guidelines on Security Assessment of Cross-border Data Transfer（《数据出境安全评估指南》）, Guidelines on Important Data Identification（《重要数据识别指南》）, and Standards for Personal Information Security（《个人信息安全规范》）to standardize the self-assessment and help network operators identify important data and personal information.
It is interesting to note that Article 12 of the Draft Measures states that the self-assessment shall be based on the “business development and operations” of the network operator; implying that the self-assessment is a periodic review of the network operator’s business, and is not aimed to be conducted for every transfer of data.
Lastly, it is important to note that this obligation applies to all network operators. Therefore, companies insufficiently equipped to conduct these assessments are strongly advised to hire external professionals to assess data transfer, reducing any risk of non-compliance.
Where the personal information or important data to be transferred:
a. contains or cumulatively contains more than 500,000 people’s personal information;
b. exceeds 1,000 GB in volume;
c. contains information in industries including nuclear energy, chemical biology, military, the PRC’s population’s health, and sensitive geographic information;
d. contains system bugs and network safety information of CII;
e. belong to network operators of CII; or
f. in the view of the relevant the industry supervision authority, may otherwise affect national security and public interests,
the network operator shall report and request the relevant governmental the industry supervision authority (the CAC when it is not clear which the industry supervision authority applies) to conduct a security assessment of the data transfer, which shall be completed within 60 working days.
It is very likely that industry supervision authorities such as the China Banking Regulatory Commission, the China Securities Regulatory Commission, and the China Insurance Regulatory Commission will formulate their own implementation rules on security assessment of data transfer in the near future.
Security Assessment Criteria
The security assessment includes:
a. Ensuring that persons who have furnished personal information are informed of the purpose, scope, content, recipient, and country their personal information will be transferred to and that their consent to do so has been obtained; and
b. Assessing, amongst others, the necessity of the data transfer, whether adequate safety measures have been put in place for the transfer, the potential risks of the transferred data being divulged, damaged or tempered with, and the potential negative impacts the transfer of data may have on national security, public interests and legitimate interests of individuals.
From the above, it can be seen that a network operator and the industry regulators must first be satisfied of the necessity of the data transfer, and we are of the view that legitimate management requirements or disclosure and reporting requirements of listed companies will suffice.
Data Prohibited from being Transmitted
Data cannot be transferred overseas if:
a. the persons to whom the personal information being transferred have not consented to the transfer or the transfer will infringe personal rights and interests;
b. the transfer poses a risk to the security of Chinese politics, economy, technology, or national defence, and thereby, having a negative impact on national security or is not in the public interest; or
c. the data, in the CAC’s view, should not be transmitted.
Given the first limb, network operators are strongly advised to obtain the written consent of personal information providers for data transfer. Additionally, the broad and vague drafting of the second limb suggests that the subsequent national standards or industry guidelines will be issued to further clarify the assessment standard.
Article 14 of the Draft Measures defers to the Cyber Security Law on penalties. However, it is interesting to note as the data localization requirement only applies to network operators of CII, the Cyber Security Law is silent on the penalties on network operators who violate cross-border data transfer requirements.
If the PRC signs agreements on cross-border data transfer with other countries, such agreements shall prevail (save for when state secrets are involved), thus, leaving open the possibility of different rules and regulations on transfer of data to different countries.
The Draft Measures provide basic parameters of the security assessment of cross-border data transfer, but fail to clarify many of the Cyber Security Law’s ambiguities and creates some of its own. In particular, the Draft Measures, if enacted in its current form, would mandate that all network operators, not just operators of CII, assess the security of their cross-border data transfers; creating uncertainty for companies considered as “unregulated” under the Cyber Security Law.
To manage these uncertainties, companies seeking to transfer personal information and important data outside of the PRC should consider clarifying their status with industry regulators and taking pro-active steps self-assess their cross-border data flow and be prepared for the PRC government’s security assessment.
 《中华人民共和国网络安全法》, promulgated by the Standing Committee of the PRC National People's Congress on 7 November 2016
 Penalties for non-compliance are heavy and include the network operator being ordered to suspend its business operations, shut down its website, or have its licenses revoked
 Article 9, Draft Measures
 Article 10, Id.
 Article 4, Id.
 Article 8, Id.
 Article 11, Id.