China releases the new draft of security assessment measures for the cross-border transfer of personal information

Jihong Chen
Zhong Lun, Beijing

Yun Luo
Zhong Lun, Beijing



Cross-border data transfer regulations have always been among the factors that network operators, and multinational corporations in particular, weigh in their business decision making. The Measures on Security Assessment for Cross-border Transfer of Personal Information and Important Data (Exposure Draft) released in April 2017 (the former measures) drew questions and even criticism from interest groups. Unlike guidelines and national standards that merely recommend best practice, these measures, officially issued by the Cyberspace Administration of China, will be legally binding. Changes to the measures, and shifts in the regulator’s approach in this field, are therefore highly likely to cause ripple effects.

The new measures and our highlights

The new measures comprise 22 articles. The notable changes compared with the former measures, and the highlights of China’s emerging version of the Standard Contractual Clauses (SCC), are discussed below.

Material substantive changes

The drastic changes in the new measures reflect China’s recent international relations as well as tentative adjustments to domestic supervision.

Removal of articles regarding ‘important data’

The new measures centre on personal information and drop the rules on transferring ‘important data’ overseas that the former measures set out. In practice, cross-border transfers of personal information and of important data are regulated in different ways because they protect the legal interests of different groups: the former concerns the legal rights and interests of personal information subjects (ie, individuals), whereas the latter focuses on national security and the public interest.

Abandoning the double-layer security assessment mechanism

The former measures proposed a double-layer security assessment mechanism consisting of self-assessment and regulatory assessment: a network operator was required to carry out a self-assessment of the security of the cross-border transfer,[1] and only had to report to the relevant authority or industry regulator for a regulatory assessment if the data to be transferred fell into certain categories.[2]

The new measures, however, require all network operators to file and report the security assessment of each cross-border transfer of personal information to the relevant authority.[3]

Personal information subject’s consent no longer required

Under the former measures, personal information subjects had to be notified of the purpose, scope, content, receiver and receiving country of the transfer, and their consent had to be obtained.[4] The new measures appear to be more lax here, merely requiring that personal information subjects be notified of the basic information of the network operator and the receiver, and of the purpose, type and storage period of the personal information to be transferred abroad.[5]

Parallel to the Standard Contractual Clauses (SCC) of the GDPR

Apart from the substantive changes above, certain articles of the new measures, outlined below, resemble the Standard Contractual Clauses (SCC) of the European Union’s General Data Protection Regulation (GDPR), indicating China’s emerging version of the SCC.

1. Network operators shall enter into a contract with the overseas receiver of the personal information and file and report that contract to the relevant authority.[6]

2. The contract between the network operator and the overseas receiver shall specify, inter alia, the purpose, type and storage period of the personal information.[7]

3. The contract between the network operator and the overseas receiver shall set out the obligations and responsibilities of the parties.[8]

4. The contract between the network operator and the overseas receiver shall designate the personal information subjects as the beneficiaries of the provisions on the rights retained by those subjects, including their right to assert claims.[9]

5. Personal information subjects have the right to be informed. On the request of a personal information subject, the network operator shall provide a copy of its contract with the overseas receiver.[10]

6. The regulatory agencies are authorised to audit performance of the contract between the network operator and the overseas receiver, focusing on activities that violate the measures or impair the legitimate rights and interests of personal information subjects.[11]


Unlike under the GDPR, the role of the regulatory authority is palpable in China’s emerging version of the SCC, as the authority is involved in almost the entire process of the cross-border transfer of personal information.

As summarised below, the Cyberspace Administration Agencies would be the chief supervisory authority in this field, responsible for:

1. checking that the materials submitted for the security assessment of a cross-border transfer of personal information are complete, and organising experts to conduct the security assessment;[12]

2. carrying out regular audits of network operators’ records of cross-border transfers of personal information;[13]

3. requiring a network operator to stop providing personal information overseas on discovery of a violation;[14] and

4. hearing complaints of activities against the new measures.[15]

At the same time, the new measures impose corresponding requirements on network operators. For example, before 31 December of each year, network operators shall file that year’s information on cross-border transfers of personal information and contract performance with the Cyberspace Administration Agency of their province.[16] Network operators are also required to report relatively significant data security incidents to the Cyberspace Administration Agency of their province.[17]


