The Cyberspace Administration of China (CAC) released the draft Measures on Security Assessment of the Cross-border Transfer of Personal Information on June 13, 2019. The Measures, which refer to the GDPR, apply to all network operators, i.e., “owners and managers of networks as well as network service providers.” The comment period ended on July 13, 2019.
Under the draft measures, network operators should undergo security assessment with the CAC prior to the transfer of personal information collected in China to an overseas recipient. They should also file their security assessment report with the CAC for evaluation. If results show that the crossborder transfer may “impact China’s national security, endanger public interest or ineffectively protect personal information,” the transfer will not be allowed.
Network operators should also have data transfer agreements containing specific clauses with all overseas recipients. Among these clauses are that the data subjects are the beneficiaries of the contract and they can bring infringement claims against either the network operator or the recipient or both and claim damages.
Additionally, the measures specify that network operators should develop an incident response plan, report serious data security incidents immediately and keep a record of all cross-border data transfers for at least five years, among others.
In the case of a foreign entity, appointing a local representative who will help the organization to comply with Chinese data protection and security policies may be beneficial.
According to James Gong, senior associate at Herbert Smith Freehills in Beijing, there will be challenges once the measures are enacted.
“The measures do not provide any exemption for random or limited transfers of personal information. This will further increase the number of applications and also the compliance burden for companies that only export personal information on an occasional basis. Measures seem to apply to all overseas entities that collect personal information from China, irrespective of the amount of personal information collected or whether Chinese data subjects are targeted. In addition to a rocketing administrative workload, the proposed regulations would also give rise to a disproportionate compliance burden for overseas entities that collect only a small amount of personal information on an irregular or random basis,” says Gong.
He also mentions that some of the provisions to be included in the export contract seem to be inconsistent with the general contract law or tort law. Thus, problems in enforcement may arise.
He cites other gaps in the draft measures: “The draft regulations do not expressly specify whether the overseas entities must also apply to the CAC for assessment and pre-approval for the collection of personal information.”
Dora Luo, counsel at Hunton Andrews Kurth in Beijing, agrees with Gong. “The measures have been under heated debate during the period of public comment, for instance, as to whether it is reasonable to require network operators to go through the mandatory security assessments conducted by the competent authority regardless of the volume of personal data that would be transferred outside of China,” she says.
Gong continues: “In addition, the 2019 Draft Measures do not expressly provide a grace period within which network operators can complete the evaluation and approval process. If implemented strictly, network operators may have to cease current transfers and wait for the export applications to be evaluated and approved. This would give rise to serious operational difficulties for a number of companies.”
Luo sees additional challenges considering the complexity of cross-border data transfers.
“For instance, the measures only address cross-border transfer of personal data rather than the much larger amount of non-personal data,” says Luo. “Before the measures were issued, back in April 2017, the China Administration of Cybersecurity also released the Draft Measures on Assessment of Cross-Border Transfer of Personal Information and Important Data. Even though the relationship between these two drafts still remains unknown, it seems that cross-border transfers of personal data and cross-border transfers of important data would be subject to different regulations.”
She also believes that some organizations which need to transfer large amounts of personal data outside of China will have to review their IT structures. In case data cannot be delivered out of China, the organization may even be forced to build a data center on Chinese soil.
Despite these however, Luo believes the draft measures serve a purpose.
Singling out the security assessment process as a smart move, Luo says, “the security assessment is a reasonable option in the initial stage of the establishment of a crossborder data transfer mechanism in China. It is hard to reach a unanimous agreement as to the global standard of national security which might vary by the change of volume, type, scope of data, network security environment of the receiving nation, data security laws, foreign relations, international political and economic situation and development of new technology. The specific standard of assessment of national security is difficult to confirm in the preliminary stage of drafting the cross-border data flow, so the security assessment is a smart way for exploration.”
In totality, Luo says that the issuance of the draft measures shows China’s commitment to continuously improve its data protection laws. Her firm also believes that the orderly data flow will promote data privacy and data compliance in Asia Pacific.
Citing the Snowden incident of 2013, Luo says, “conditions such as geopolitics, national security, privacy protection, industry capabilities and market access inevitably influence and drive such policies. The issuance of the measures reflects the burgeoning demand of data protection as well as cybersecurity compliance in China. On one hand, China wants to promote the free flow of data. On the other hand, China also needs to ensure security. China is trying to seek orderly data flows in the complex political environment and with the rapid development of technology.”
Espie Angelica A. de Leon