China - Rules on cross-border transfer of data finalised

The Cyberspace Administration of China (“CAC”) has issued near-final rules on the cross-border transfer of personal information and important data. Those final rules contain important clarifications to the earlier draft rules but the basic structure of these rules is unaffected.

Restriction on cross-border transfer

Article 37 of the Cyber Security Law, which will come into effect this June, contains a data onshoring principle which requires operators of critical information infrastructure (“CII”) to store in mainland China all personal information and important data collected or generated in the course of their operational activities.

In April, the CAC released draft rules (“Draft”) on situations in which the transfer of personal information and important data out of China will be permitted for business purposes provided that a security review is conducted in accordance with the relevant provisions of the Draft. Whilst Article 37 applies only to operators of CII, the Draft proposes that it should apply to all network operators (which includes network owners, network administrators and online service providers in China). More details on the original proposals are here.

Revised text released

In May, the CAC released to industry players and market participants a revised text (“Revised Rules”) of the Measures on the Security Assessment of Cross-border Transfer of Personal Information and Important Data (“Measures”), which incorporates comments received from market participants on the consultation draft of the Measures and is expected to be published shortly in substantially similar form.

An unofficial English translation of the Revised Rules received from the CAC is available here, and we summarise the key changes made to the Draft below, followed by some key principles which market participants should bear in mind from the Revised Rules. We also relay certain informal comments made by the CAC officials in explaining the thinking behind the Revised Rules.

Key changes

Consent to transfer of personal information - Compared to the Draft, additional operational flexibility in implementing cross-border transfers of personal information is provided by Article 4 of the Revised Rules. This clarifies that in the absence of express written consent, the personal information subject’s consent to the transfer (a mandatory requirement of the Revised Rules) may be deemed or implied from “acts initiated by personal information subjects” such as international telephone calls, sending e-mails or instant messages overseas and cross-border online transactions. In obtaining the consent, an account of the type of information transferred (rather than its specific content), together with other criteria, is sufficient to satisfy the requirement of disclosure to the personal information subject, and the provision of the Draft for the recipient’s identity to be disclosed has been removed.

Prior assessment - In Article 6 of the Revised Rules, the Draft’s requirement that the transferor’s assessment take place “prior to the transfer” is replaced by a requirement to base the assessment on “type, volume and sensitivity”. This is a welcome clarification that an assessment can be made on a one-off basis for a given type and volume of data, as opposed to an assessment made each time a transfer takes place (which could potentially be unworkable). Another useful clarification is the removal of the Draft’s requirement to consider the implications of an agglomeration of data overseas in making the assessment.

Assessment by regulators - The Revised Rules have significantly reduced the list of circumstances in which an assessment must be carried out by the regulators (as used in this alert and as explained by CAC, “regulators” means the industry regulators at central government level coordinated by CAC as appropriate). First, the blanket principle in the Draft requiring regulators to assess all transfers by CII operators has been removed; such assessments are still required, however, if the information relates to CII security (Article 7(2)). Second, the requirement for all transfers of over 1000GB to be reviewed by the regulators has been removed from the Revised Rules.

Annual assessment not required - The requirement of the Draft for data transfers to be assessed on an annual basis has been removed, reducing the compliance burden.

Not applicable to physical transfers - It is clarified in the definition of “cross-border data transfer” in Article 15 that only transfers of personal information and important data in electronic form will require assessment.

Transitional period - To enable network operators to adequately prepare for the new regime, the Revised Rules will take effect on 1 June 2017 at the same time as the Cyber Security Law, but network operators will have until 31 December 2018 to comply with the new rules. In the meantime, the National Information Security Standardisation Technical Committee is expected to issue a draft of the standards for the conduct of cross-border data transfer security assessments for public consultation. The CAC also stated that it may consider issuing industry-specific guidance on how to conduct such security assessments.

Key principles

Application of the Revised Rules - The Revised Rules apply to all network operators, not just CII operators (as is the position in the Draft). The CAC clarified that the rules defining CII, expected to be released shortly, are intended to limit CII to infrastructure and networks of national strategic importance (for example, the mere fact that a network is operated by a bank does not necessarily make it CII). Accordingly, it would not be appropriate to limit the scope of the Revised Rules to CII.

The Revised Rules are intentionally widely drafted to catch all electronic transmissions of personal information and important data out of the PRC, with no specific exceptions for purpose (e.g. internal transfers between affiliates) or type of information (e.g. employee information, customer information, and information relating to PRC nationals as well as foreign nationals would be caught by the Revised Rules), and regardless of whether the information and data is transferred from a server in the PRC to a location outside the PRC, or is accessible to a remote operator located outside the PRC.

Not an approval process - A transfer cannot proceed if a prohibited element is discovered in the course of an assessment (Article 9). For this purpose, the assessment could be carried out by the transferor or by the regulators. If the regulators discover an element of a prohibited transfer, a prompt demand is to be made for the transfer to be stopped (Article 10). The Revised Rules thus reflect the view (also consistent with, but not as explicit in, the Draft) that the intention is not to disrupt a data transfer pending completion of an assessment.

Key assessment considerations - The redefined criteria for regulatory assessments and prohibited transfers (Articles 7 and 9) show that the concern of the regulators in assessing and preventing data transfers is national security (broadly defined to include political, economic, cultural, social, technological, informational, ecological, resource and nuclear factors as well as defence). This also means that when conducting an assessment, it should be possible to define the “legitimacy, propriety and necessity” of a transfer in accordance with Article 8(1) by reference to commercial factors affecting the transferor (such as transfers of data to a low-cost processing jurisdiction); such commercial factors should, however, be reasonably necessary to justify the type and volume of data transferred.

Mechanism for obtaining consent - The Revised Rules continue to require the network operator that seeks to transfer or provide personal information out of the PRC to obtain the information subject’s consent (Article 4). This structure fails to take into account the information flows of a modern business operation, where the entity transferring the information (such as a third-party processor, or a reinsurance company obtaining information from its insurance company clients) may be different from the entity which obtained the information and has direct contact with the information subject. We understand the CAC is still thinking through the possibilities, and hope that further clarification will be forthcoming.

Important data - This remains undefined, and is to be the subject of subsequent rules. The CAC clarified that “importance” is likely to be measured with reference to the state and the general public, not from the standpoint of particular interest groups.

By Jian Fang, Richard Gu, Annabella Fu van Bijnen, Bryan Chan and Alex Roberts, Shanghai