China Releases Draft Rules to Implement Local Data Residency Requirement and Security Assessment Requirement on Outbound Data Transmission
China's new Cybersecurity Law, to be effective on 1 June 2017 (the CSL), introduced a controversial local data residency requirement, which has raised questions and concerns among multinational companies operating in China.
To implement the local data residency requirement, the Cyberspace Administration of China (CAC) released a draft Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data (Draft Measures) on 11 April 2017 to solicit public comments. The deadline for submission of comments is 11 May 2017, which will be just 3 weeks before the CSL takes effect.
Scope of Applicability Extended to Network Operators
The CSL imposed an obligation on operators of "Critical Information Infrastructure (CII)" to store "personal information and other important data collected and generated during operations within China" (Local Data) domestically, and required CII operators to undertake a security assessment before transferring such data abroad. The Draft Measures, however, appear to extend the applicability of the local data residency requirement from CII operators to all "Network Operators."
The Draft Measures replicate the definition of "Network Operator" stipulated under the CSL: the term means owners and operators of networks as well as network service providers. On this broad definition, arguably any entity in China that uses computer systems connected to communications networks could be considered a Network Operator, and therefore would be subject to the local data residency requirement stipulated under the CSL. Should the Draft Measures be implemented as drafted, virtually all entities established in China that access and use the Internet in the course of their business operations could be required to keep a copy of Local Data in China.
Security Assessment: Self-Assessment and Government-Administered Assessment
Under the Draft Measures, if a Network Operator seeks to transfer Local Data overseas for business needs, it must undergo a security assessment in accordance with the general principles of "fairness, objectiveness and effectiveness."
The Draft Measures provide two types of security assessments: self-assessment and government-administered assessment. As a general principle, Network Operators must conduct a security self-assessment before transmitting Local Data overseas (unless a government-administered security assessment is triggered) and be responsible for the results of the assessment.
A government-administered security assessment is triggered if the intended outbound data transmission involves any of the following circumstances: (1) the data to be transmitted abroad involves personal information of 500,000 or more persons, whether in a single transmission or in aggregate; (2) the volume of data to be transmitted exceeds 1,000 GB; (3) the data concerns areas such as nuclear facilities, chemical biology, national defense, population health, large-scale engineering activities, the marine environment or sensitive geographic information; (4) the data is network security data relating to CII, including system vulnerabilities, security protection measures and other cybersecurity data; (5) the transmission is an export of personal information or important data by a CII operator; or (6) other circumstances that may affect national security or the public interest. The Draft Measures provide that a government-administered security assessment should be completed by the relevant industry regulator within 60 working days and be reported to CAC upon completion.
While there are already industry-specific restrictions on cross-border transfer of certain categories of data (including population health information and sensitive geographic information) under existing laws and regulations, the Draft Measures appear to significantly expand the applicability of the government-administered security assessment requirement. First, the Draft Measures introduce quantitative thresholds (i.e., 500,000 persons or 1,000 GB) as triggers for the government-administered security assessment, and these thresholds are relatively low. Second, the quantitative thresholds are not tied to any specific industry or business sector, so they would potentially cover companies across a broad range of industries and sectors. Third, the term CII, already broadly defined under the CSL, is not further clarified under the Draft Measures. Finally, there is a catch-all category of data that may affect "national security and public interests," which gives CAC considerable additional discretion.
How is a Security Assessment to be Conducted
Under the Draft Measures, a security assessment, be it self-assessment or government-administered assessment, should focus on the following aspects: (1) the necessity of the outbound data transmission; (2) the volume, scope, type and sensitivity of Local Data to be transferred abroad; (3) the security measures and ability of the data recipient, as well as the cybersecurity environment of the country or region where the data recipient is located; (4) the risk of leakage, destruction or abuse of the data following the outbound transfer; and (5) possible risks that the outbound data transmission can pose to national security, public interests and lawful interests of individuals.
Furthermore, a Network Operator must, based on its business development and network operation status, conduct a security assessment of its outbound data transmissions at least once a year and report the assessment results to the relevant industry regulator. In addition to the annual security assessment, a Network Operator is required to conduct a new security assessment each time (a) there is a change in the data recipient or a significant change in the purpose, scope, volume or type of the outbound data transmission, or (b) there is a major security incident involving the data recipient or the data transmitted abroad. The relationship between these requirements is unclear: the annual assessment provision may be read to mean that once a Network Operator has conducted a security self-assessment of its outbound transmission of personal information and important data, that self-assessment suffices for subsequent transmissions of the same kind unless and until a new assessment is triggered under the Draft Measures, rather than a fresh assessment being needed for each transmission.
The Draft Measures provide that industry regulators shall be responsible for organizing and administering government-administered security assessments. Where a government-administered security assessment is triggered but the competent industry regulator cannot be identified, CAC shall take charge of the government-administered security assessment.
The term "important data" is not defined under the CSL, which has caused great concern given the local data residency requirement. The Draft Measures clarify that "important data" refers to data closely related to national security, economic development and the public interest. While it is useful to know that the coverage is not as broad as originally feared, the Draft Measures also refer to relevant national standards and identification guidelines for important data, suggesting that the specific scope of important data will be subject to further rulemaking.
Advance Consent for Outbound Transmission of Personal Information
The CSL generally requires that Network Operators shall inform data subjects of the purpose, method and scope of collection and use of personal data and obtain data subjects’ consent. In line with this general requirement, the Draft Measures require that in order to transmit personal information overseas, a Network Operator must inform the data subjects of the purpose and scope of the outbound data transmission, the content and the recipient(s) (including the country(ies) or region(s) where the recipient(s) are located) of the information transmitted, and obtain consent from the data subjects. Where the data subject is a minor, the consent of the data subject's guardian is required for the outbound transmission of the data subject's personal information.
This consent requirement raises practical challenges and impediments, given the wide adoption of cloud technology and the geographic spread of many businesses. For example, it is not entirely clear whether a Network Operator must inform and obtain consent from data subjects each time it transmits personal information abroad, or whether a single informed consent covering the stated purpose, scope and recipients suffices. Further, age verification could be a challenge depending on how the guardian-consent requirement is actually enforced. Also, when dealing with corporate customers, it would be burdensome and impractical for Network Operators to ask the contact persons of corporate customers to give a separate consent to the transmission of their personal information (name, phone number and/or email address) abroad for business purposes.
More broadly, in light of this advance consent requirement, Network Operators with a need to transmit personal information collected within China abroad should review and amend their existing privacy policies or statements in order to ensure compliance.
Circumstances Where Outbound Data Transmission is Prohibited
Under the Draft Measures, transmission of Local Data is prohibited under the following circumstances: (a) a personal information data subject has not consented to transmission of his/her personal information out of China, or the transmission could infringe on the data subject's interests; (b) the intended outbound data transmission would create a security risk in terms of national politics, the economy, science and technology, or national defense, etc. and could affect national security or harm the public interest; and (c) a relevant authority such as CAC, public security authority or national security authority, etc. determines that the data may not be transmitted abroad.
Although the Draft Measures offer some guidance on the local data residency requirement stipulated under the CSL, with their broader scope of applicability and less than clear rules on security assessment for outbound transmissions, they have perhaps raised more questions than they answer.
For instance, the Draft Measures use the term "outbound data transmission" (数据出境), which seems to suggest that the local data residency requirement applies only to transfers of Local Data to locations outside China. However, the term "outbound data transmission" is further defined under the Draft Measures to mean the "provision" (提供) of personal information and important data by a Network Operator to entities and individuals outside China. Because "provision" does not require that the data physically leave China, the requirement could potentially extend to remote access to Local Data from abroad (for example, by overseas affiliates or service providers accessing systems hosted in China).
Further, the Draft Measures also provide that security assessments of outbound data transmissions by "other entities and individuals" that collect Local Data in China should be handled with reference to the Draft Measures. Since the term "Network Operator" is already very broad, this raises the question of which other entities and individuals remain to be covered by this provision.
It remains to be seen whether the Draft Measures will be fine-tuned to provide more clarity. However, given that the CSL will come into effect on 1 June and the deadline for public comments on the Draft Measures falls only 3 weeks before that date, practically speaking there probably will not be significant changes to the Draft Measures before the CSL takes effect.