The controversial Cybersecurity Law of China is scheduled to take effect on June 1, 2017, despite reports that China may delay the full implementation of the law, giving companies more time to prepare. The government has not yet confirmed a change. Since the law will ultimately take effect either way, the Chinese government has issued multiple regulations related to the implementation of this law, including the rules on cross-border data transactions, and security review on products and services.
Draft Rule on Cross-Border Data Transmissions Released for Comment
Cybersecurity Administration of China (CAC) released “Security Assessment Methods for Outbound Personal Information and Important Data (Draft for Comment)” for public comment until May 11, 2017. (A revised Draft has been circulated in the last few days, but the source seems not to be the Chinese government’s normal channel.) The draft specifies that cross-border transferring of data collected in China is only permitted when such a transfer is the necessity of conducting business, and certain transfers are required to go through the security assessment. It also outlines the governmental agencies responsible for supervision of the security assessment, the security assessment criteria and the types of transfers required for the security assessment.
Many had expected the Draft to fill in the blanks left in the Cybersecurity Law, such as the definitions of “critical information infrastructure” and “business necessity.” Surprisingly, the Draft expands the scope of “critical information infrastructure operators,” while leaving “business necessity” undefined.
In the Cybersecurity Law, only critical information infrastructure operators are subject to the data localization requirement. The Draft, however, has deleted the word “critical” and expanded the requirement to almost all “network operators.” The definition of “network operators” is broad enough to potentially cover all entities that own or manage networks, or that use networks to provide services, in accordance with Article 17 of the Draft. If the Draft Measures are passed in the current language, almost all entities and individuals will be subject to the data localization requirement, as long as the involved data is collected or generated in China and constitutes “personal information” or “critical data.” Such a requirement has been viewed by the domestic and international business communities as overbroad and overreaching, and will be difficult to enforce.
Another important development: the Draft outlines two types of security assessment: the self-assessment by a network operator itself, and the official assessment by the appropriate government agencies. Article 8 of the Draft lists the topics to be covered by self-assessment, including the scope and nature of the personal information and critical data implicated in the proposed transmission, the review of necessity of the transmission, the security level of the proposed transmission destination, and the assessment of risks of post-transmission data breach, leakage or abuse, etc. However, the Draft has not specified how such a self-assessment should be conducted.
Article 9 sets forth the scenarios for the official assessment. It states that an official assessment is required when the data transferred meets one of these conditions:
- Data containing or aggregating personal information from more than 500,000 individual data subjects.
- Data of a volume more than 1,000 GB.
- Data containing information concerning nuclear facilities, chemistry biology, national defense and the military, demographic health, large-scale engineering projects, the marine environment or sensitive geographic information, etc.
- Data relating to cybersecurity information such as system vulnerabilities or security measures for a critical information infrastructure.
- Situations where national security or public interest may be otherwise affected and the relevant government agencies believe an assessment is necessary.
Such official assessment is expected to be conducted by the applicable “industry regulator” (the ministry in charge of the relevant industry sector, such as SFDA for the health care industry, CBRC for commercial banks, and CIRC for insurers), to be completed within 60 days and then filed with the CAC.
The Draft also touched on privacy issues, like the Cybersecurity Law. For example, it has imposed a requirement that the transmission of any personal information out of China would need to obtain prior informed consent of the data subject. With such requirements, we expect business operators would need to update their China privacy notices to include the languages of informing the consent process.
With the soon-to-be effective Cybersecurity Law, China is in urgent need of a set of reasonable and enforceable rules to implement the data localization requirement. This Draft is an important step toward this goal. However, with various provisions of the Draft subject to criticism, there is still much uncertainty in what the final rules will look like. Companies with operations in China that need to transmit data offshore should closely watch the legislative progress of the Draft Measures and position themselves for designing an appropriate compliance program to face the challenge.
New Measures Clarify Security Review of Information Infrastructure Purchases
The Measures on Security Review for Network Products and Services (for Trial Implementation) (Measures) were issued on May 3, 2017, and will become effective on June 1, 2017. The Cybersecurity Law requires that the purchase of products or services for “critical information infrastructure,” shall undergo a “security review” by relevant government agencies. To a certain extent, the Measures fill in more gaps on the operating rules for such a “security review,” by clarifying the following:
- CAC will lead the review committee, except that certain industry sectors like finance, telecommunications, energy and transport are carved out and the review authority for such sectors is reserved for the relevant industry regulators
- The review committee will base its review on the independent review by qualified third parties
- The industry regulators will further identify which products and services of the critical information infrastructure operators will fall within the review scope.
In addition, the Measures appear to leave the interpretation of the scope of the security reviews to be further identified by the special committee working under the CAC. The Measures appear to be a preliminary guideline and a more detailed implementation rule or policy may be expected in the near future.