Compliance requirements and regulatory trends in cross-border transfers of personal information in China - China Working Group
Charles (Xuchao) Feng
T&C Law Firm, Shanghai
fengxuchao@tclawfirm.com
The process of global economic integration has meant that an increasing number of companies are faced with the need to transmit data abroad. Examples include multinational companies’ management of customer information and business information on a global scale, as well as technical and/or commercial cooperation between domestic and overseas tech companies. In China, with the promulgation of the Cyber Security Law[1] and relevant supporting measures (including some drafts for comment), compliance requirements for the cross-border transfer of data, especially personal information (PI), have received a lot of attention.
Compliance requirements for personal information cross-border transfer
Currently, the compliance requirements for cross-border transfer of general PI are mainly provided in article 37 of the Cyber Security Law. It states that:
‘The Critical Information Infrastructure Operator (CIIO) shall store within the territory of the People’s Republic of China (PRC) personal information and important data collected and generated during its operation within the territory of PRC. Where such information and data have to be provided abroad for business purpose, security assessment shall be conducted pursuant to the measures developed by the Cyberspace Administration of China (CAC),[2] together with competent departments of the State Council, unless otherwise provided by laws and administrative regulations.’
That said, specific rules for the security assessment are still under study and have not yet been put in place. For non-CIIOs, it seems that they are subject neither to the compliance obligation of domestic storage of PI nor to the security assessment for PI cross-border transfer under the Cyber Security Law, although the subsequent draft regulations/measures provide the opposite rules, as discussed further below.
In terms of special types of PI, special compliance requirements for cross-border transfer are set out in the relevant provisions issued by various departments. These mainly include:
Type of data | Relevant regulations
Personal credit information | Article 24 of the Administrative Regulations on Credit Investigation Industry[3]
Personal financial information | Article 33 of the Implementing Measures of the People’s Bank of China for the Protection of Financial Consumers’ Rights and Interests[4]
Population health information | Article 10 of the Measures for the Management of Population Health Information (for Trial Implementation)[5]
Human genetic resources information | Article 7, article 27 and article 41 of the Administrative Regulations on Human Genetic Resources of PRC[6]
Trends in regulation
We would like to draw your attention to the Measures for Evaluating the Security of Transmitting Personal Information Overseas (Draft for Comment)[7] ('Measures 2019'), issued by CAC in June 2019. Drawing on the regulatory experience of other countries and regions in respect of PI cross-border transfer, in particular the European Union’s General Data Protection Regulation (GDPR), Measures 2019 provides relatively detailed rules for PI cross-border transfer, and further clarifies the relevant requirements for declaration and assessment, cross-border transfer records, reporting of cross-border transfer circumstances, the content of cross-border transfer contracts, the content of the security risk analysis report and the security safeguard measures for PI cross-border transfer.
The characteristics and trends of China’s regulation for PI cross-border transfer are as follows:
• PI and important data may be regulated separately
Pursuant to the Administrative Measures on Data Security (Draft for Comment),[8] issued by CAC in 2019, important data and PI will be handled separately. Article 38 provides that ‘important data generally excludes the information about the production, operation and internal management of companies, personal information, etc.’ Measures 2019, which was announced to replace the Measures for the Security Assessment of the Cross-border Transfer of Personal Information and Important Data (Draft for Comment),[9] issued in 2017 ('Measures 2017'), further indicates the trend towards separate supervision over the cross-border transfer of important data and PI.
• The scope of entities responsible for security assessment will be expanded
Although, according to the Cyber Security Law, only CIIOs are subject to security assessment in cases of PI export, both Measures 2017 and Measures 2019 provide that general network operators shall also bear such responsibility for security assessment. Given this, we are inclined to view that the government authority has a clear intention that the scope of entities responsible for security assessment of PI export may be expanded to cover all network operators, not just CIIOs.
• More stringent restrictions may be put in place
In terms of the regulatory measures, the Cyber Security Law only generally requires CIIOs to conduct a security assessment in cases of PI and important data export. Measures 2017 gives more details on the specific methods of assessment, ie ‘Self-assessment + Assessment by Competent Authorities + Annual Assessment and Filing for Record’, and Measures 2019 then changes the assessment measures into the system of ‘Assessment by Competent Authorities + Annual Filing for Record + Regular Inspection’. In light of this development, we can see that government authorities intend to place more stringent restrictions on PI export, leaving network operators less flexibility to assess and control such risks themselves.
• Other highlights of Measures 2019
(a) Standard contract terms
Drawing on the supervisory model of the Standard Contractual Clauses (SCC) implemented in the EU, Measures 2019 requires network operators and PI recipients to enter into contracts or other legally binding documents incorporating certain compulsory clauses, for the purpose of binding the rights and obligations of the relevant parties, thereby indirectly realising the management of PI cross-border transfer.
(b) Protection of PI subjects’ rights
Measures 2019 further guarantees:
- PI subjects’ rights to know, access, correct and delete their PI;
- that it is clear when PI subjects’ legitimate rights and interests have been damaged;
- that PI subjects are entitled to claim compensation against network operators, receivers or both (where PI subjects cannot receive compensation from receivers, network operators shall make the compensation in advance); and
- that rules on reversal of the burden of proof are set out, under which network operators or receivers shall bear the burden of proof.
Although Measures 2019 is still in the process of seeking comments and has not been put in force, it is advisable for companies involved in PI cross-border transfer to make backup plans or compliance policies for the domestic storage of PI, the security assessment of PI export and other activities, so as to mitigate the compliance risks.
Notes
[1] Cyber Security Law of the People’s Republic of China, issued on 7 November 2016, http://www.gov.cn/xinwen/2016-11/07/content_5129723.htm, last accessed on 9 January 2020.
[2] Official website of the Cyberspace Administration of China, http://www.cac.gov.cn/, last accessed on 9 January 2020.
[3] Administrative Regulations on Credit Investigation Industry, issued on 21 January 2013, http://www.gov.cn/flfg/2013-01/29/content_2323780.htm, last accessed on 9 January 2020.
[4] Implementing Measures of the People’s Bank of China for the Protection of Financial Consumers’ Rights and Interests, issued on 14 December 2016, http://www.pbc.gov.cn/tiaofasi/144941/3581332/3589398/index.html, last accessed on 9 January 2020.
[5] Measures for the Management of Population Health Information (for Trial Implementation), issued on 5 May 2014, http://www.cac.gov.cn/2014-08/20/c_1112064075.htm, last accessed on 9 January 2020.
[6] Administrative Regulations on Human Genetic Resources of the People’s Republic of China, issued on 10 June 2019, http://www.gov.cn/zhengce/content/2019-06/10/content_5398829.htm, last accessed on 9 January 2020.
[7] Measures for Evaluating the Security of Transmitting Personal Information Overseas (Draft for Comment), issued on 13 June 2019, http://www.cac.gov.cn/2019-06/13/c_1124613618.htm, last accessed on 9 January 2020.
[8] Administrative Measures on Data Security (Draft for Comment), issued on 28 May 2019, http://www.cac.gov.cn/2019-05/28/c_1124546022.htm, last accessed on 9 January 2020.
[9] Measures for the Security Assessment of the Cross-border Transfer of Personal Information and Important Data (Draft for Comment), issued on 11 April 2017, http://www.cac.gov.cn/2017-04/11/c_1120785691.htm, last accessed on 9 January 2020.