June 28, 2017

Draft Guidelines Released for Securing Cross-Border Data Transfers Out of China

With the Cybersecurity Law of China effective on June 1, 2017, and the draft data transmission measures pending finalization, Chinese regulators on May 27, 2017, published another draft rule as a piece of the newly formed China cross-border data transmission regulatory puzzle.

The “Information Security Technology-Guidelines for Data Cross-Border Transfer Security Assessment” (Draft Guidelines) were drafted by the National Information Security Standardization Technical Committee of China (TC260). As a technical committee led by the Cyberspace Administration of China (CAC) and the Standardization Administration of China (SAC), TC260 has authority to draft technical standards for encryption, big data and other cybersecurity-related subjects. The Draft Guidelines, though voluntary by nature, are helpful for industry players to understand the “security assessment” required under the Cybersecurity Law, and what future data transmission measures will possibly look like.

The Draft Guidelines define “data cross-border transfer” as “network operators” providing “personal information” or “critical data” collected in China to non-Chinese entities or individuals outside of China “in electronic form,” and further define the action of such data “provision” as including delivering, releasing or otherwise making the data accessible. They even seem to suggest that the network operators enabling users to transmit data shall be responsible for data transfers made by their users.

These “data cross-border transfers” are allowed only if the network operator has completed a “security assessment” to prove the proposed transfer is (i) lawful and appropriate, and (ii) with controllable risks. An assessment report is required to be kept for at least five years. Most importantly, the Draft Guidelines for the first time map out standards and protocols for assessment of the two essential criteria, namely, “lawful and appropriate,” and “risk controllability.”

1. “Lawful and Appropriate”

The “lawful” standard will be met if the proposed transfer is not explicitly prohibited by Chinese law or challenged by the government agencies, and in the case of “personal information,” such transfer has been consented to by the individual data subjects (it also seems to indicate that, in certain emergencies, serious harm to individuals’ personal or property safety may negate such consent).

The “appropriate” standard will be met if the proposed transfer is necessary for conducting a legitimate business, satisfying a contractual or legal obligation, complying with Chinese legal requirements or fulfilling international judicial assistance.

2. “Risk Controllability”

The risk level of the proposed transfer will be evaluated along two dimensions: (i) the impact of the data (with five numerical grades); and (ii) the possibility of a security breach incident (with three numerical grades). This matrix shows how to determine risk levels (graded as low, medium, high, or extremely high) based on the grades of these two dimensions:

| Impact of the Data \ Possibility of Security Breach Incidents | 1 | 2 | 3 |
|---|---|---|---|
| ≥5 | High | Extremely High | Extremely High |
| 4 | Medium | High | High |
| 3 | Low | Medium | High |
| 2 | Low | Medium | Medium |
| 1 | Low | Low | Medium |

Proposed transfers with “high” or “extremely high” risk levels (the shadowed boxes in the table above) will be prohibited.

When evaluating the “impact of the data,” if the data is “personal information,” the following matrix will be used:

| Sensitive nature of the data | Impact Class of the Data |
|---|---|
| Majority Sensitive Personal Information | 3 |
| Limited amount of Sensitive Personal Information | 2 |
| No Sensitive Personal Information | 1 |

Adjustment

| Volume | Scope | Processing |
|---|---|---|
| If the data involves more than 500,000 individual data subjects within one year, the impact class should be lifted to a higher level. | If the scope of the data exceeds the minimum necessary for the purported purpose, the impact class should be upgraded to a higher level. | If measures are taken to effectively de-identify the data, the impact class should be downgraded to a lower level. |

The Draft Guidelines define “Sensitive Personal Information” as information whose disclosure or illegal use may cause harm to the subject’s personal or property safety, may cause damage to the subject’s personal reputation or physical and mental health, or may result in discriminatory treatment against the involved person. The Draft Guidelines define “Personal Information” as “All kinds of information in electronic or other recording forms that can be used on its own or with other information to identify a natural individual’s identity, or to reflect a specific natural individual’s activities, including but not limited to a natural individual’s name, date of birth, ID number, contact, personal biometric information, address, financial account password, assets status, location, behavior information,” etc.

When evaluating the “impact of data” for “critical data,” the following matrix will be used:

| Nature of the data | Impact Class of the Data |
|---|---|
| Critical Data | 4 |

Adjustment

| Volume | Scope | Processing |
|---|---|---|
| If the critical data exceeds 1000 GB, the impact class should be lifted to a higher level. | If the scope of the data exceeds the minimum necessary for the purported purpose, the impact class should be lifted to a higher level. | If measures are taken to effectively de-sensitize the data, the impact class should be downgraded to a lower level. |

As “Critical Data” is not defined in the Cybersecurity Law and the definition proposed in the draft data transmission measures was very broad, the Draft Guidelines were intended to help make this term ready for practical use. Exhibit A of the Draft Guidelines contains a non-exhaustive list of identified Critical Data on a sector-by-sector basis for 28 sectors including certain manufacturing industries, public utility services, oil and natural gas, telecommunications, financial services, food and health care industries, and e-commerce. Notably, the clinical trial data for Class II or Class III medical devices and food safety traceability data are identified as Critical Data.

Finally, the evaluation of “possibility of security breach incidents” would encompass review of a whole set of factors in relation to (i) the robustness of the data management programs and technical safeguard capabilities of both the data transferor and data recipient, (ii) a due diligence on the data recipient to verify qualification to conduct business, track record in relation to cybersecurity and general compliance, and its “background” if the transfer involves Critical Data, and (iii) the legal and political environment of the jurisdiction where the recipient is located. More detailed criteria are set forth for each of the above components.

Taking the transferor’s data management programs as an example, a “robust” program would entail at least the following:

  • A comprehensive protocol and process for cross-border data transmission
  • Dedicated personnel and adequate training for data transmission related positions
  • Proper contractual clauses with the data recipient requiring the recipient to cooperate with security audits, assist the data subjects or the transferor to conduct reasonable investigations relating to the data transfer, refrain from further distribution, disclosure or transfer of data without authorization of the data subjects and the transferor, and take necessary security measures to ensure confidentiality and completeness of the data (this to a certain extent resembles the model clause mandated under the data transfer regulatory regime in the EU)
  • Capabilities to audit the efficacy of protocol and process
  • A proper plan to respond to emergencies
  • Capabilities to respond to individual claims of data subjects
  • Detailed process for reporting security breach incidents

The Draft Guidelines were subject to public comments until June 27.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.
