Further Developments in Draft Rules on Security Assessment of Outbound Data Transmission
On 19 May 2017, the Cybersecurity Administration of China (CAC) released an amended draft (Amended Draft) of the Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data (Draft Measures) at a seminar attended by the representatives from the international business community in Beijing.
About a week later, the National Information Security Standardization Technical Committee announced a draft of the Guidelines for Security Assessment of Outbound Data Transmission (Draft Guidelines), which contain the relevant standards and guidelines referenced in the Draft Measures.
This alert discusses these developments as an update to our previous alert on the original version of the Draft Measures issued in April 2017.
Key Revisions in the Amended Draft
Key revisions contained in the Amended Draft are:
- Local data residency requirement. China's Cybersecurity Law (CSL) requires operators of "Critical Information Infrastructure (CII)" to store "personal information and other important data collected and generated during operations in China" (Local Data) within China. The original Draft Measures extended the local data residency requirement from CII operators to all "Network Operators" (broadly defined in the CSL to include owners and administrators of computer networks as well as network service providers). However, the Amended Draft removes reference to the local data residency requirement, focusing entirely on security assessment of outbound data transmission. This amendment suggests that not all Network Operators (but only CII operators) will be required to store Local Data in China, which is in line with the CSL itself.
- Consent requirement. The Amended Draft removes some of the more onerous requirements for obtaining consent regarding the outbound data transmission. For example, the Amended Draft no longer requires obtaining guardian consent for the outbound transmission of a minor's personal information. Also, while Network Operators are still required to inform data subjects of the purpose and scope of the outbound data transmission as well as the location of the data recipient(s), the Amended Draft does not require disclosure of the identity of the data recipients to data subjects. In addition, the Amended Draft provides an exemption from the consent requirement (i.e., where the outbound data transmission is necessitated by an emergency that endangers the life or property of citizens) and identifies circumstances where consent may be inferred from the conduct of data subjects (e.g., making international phone calls, sending international emails or instant messages, conducting cross-border online transactions).
- Security self-assessment. The original Draft Measures require all Network Operators to conduct a security self-assessment of outbound transmission of Local Data on an ongoing basis and also at least once a year. Under the Amended Draft, however, while there is still a general requirement for security self-assessment, Network Operators are no longer required to conduct an annual security assessment or to report the self-assessment results to the relevant industry regulator.
- Government-administered security assessment. Under the Amended Draft, any of the following situations from the original Draft Measures would still trigger a government-administered assessment for outbound transmission of Local Data: (1) the data to be transmitted abroad involves personal information of 500,000 individuals; (2) the data concerns areas such as nuclear facilities, chemical biology, national defense, population health, large-scale engineering activities, marine environment and sensitive geographic information data; (3) network security data relating to CII, including system vulnerabilities and security protection measures; or (4) other circumstances that may affect national security or public interests. Other triggering situations where the Local Data to be transmitted overseas (a) contains more than 1,000 GB by volume or (b) relates to the Local Data of CII operators as stipulated under the original Draft Measures have been dropped from the Amended Draft. These revisions have narrowed the scope of outbound transmission of the Local Data to be regulated under the original Draft Measures, and also suggest that CII operators would no longer be automatically subject to a government-administered security assessment (unless one of the triggering situations occurs).
- Security assessment procedures. The Amended Draft still does not provide much detail on how a government-administered security assessment would be conducted procedurally. In addition, the Amended Draft removes the 60-day timeframe for completing a government-administered security review, adding uncertainty as to timing.
- Definition of personal information. The definition of personal information has been expanded under the Amended Draft, specifically bringing location and behavioural information within the scope of personal information subject to the security assessment regime. This definition is more in line with the definition of personal information contained in the Interpretations on Several Issues Concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens' Personal Information issued by the Supreme People's Court and the Supreme People's Procuratorate of China on 9 May 2017.
The Draft Guidelines contain detailed criteria and standards for conducting security assessments of outbound data transmission, including the identification guidelines for "important data" specifically referenced in the Draft Measures and in the CSL itself.
The identification guidelines for important data define the scope of important data for a wide range of industries. Although the scope of coverage is still quite broad, at least initially it seems that important data would not include internal corporate data generated from day-to-day operations. The detailed listing of key industries (oil/gas, coal, petrochemicals, power, telecommunications, steel, defence, geolocation data, etc.) also perhaps sheds some light on what types of industries may be initially classified as CII.
Also, it may be worth noting that the Draft Guidelines have clarified that data generated outside China and transferred through China does not fall within the scope of Local Data and would not be subject to the outbound transmission requirements, provided such data has not been modified or processed in China. Further, the Draft Guidelines define the term "provision" to mean active provision of data by Network Operators to overseas entities or individuals, which raises the question of whether outbound data transmission within the meaning of the Draft Measures would include remote access from abroad.
The CAC has scaled back the Draft Measures significantly and issued an implementation regulation that is consistent with the CSL itself, after significant noise and resistance from industry players (both foreign and domestic) with respect to the original version of the Draft Measures.
Furthermore, perhaps to provide more breathing space, the Amended Draft provides an effective date of 1 June 2017 but an implementation date of 31 December 2018. As such, Network Operators will have a grace period of up to 18 months to comply with the requirements under the Draft Measures.
According to the press release issued by CAC on 31 May 2017 right ahead of the CSL taking effect, within the 12-month period following 1 June 2017, the Draft Measures will be further amended, and implementation measures concerning CII operators will also be issued. Businesses operating in China are advised to continue to closely monitor developments in this area and start adopting corresponding measures as soon as further implementation measures of the CSL, including the Draft Measures and the Draft Guidelines, are finalized and announced.