On June 13, 2019, the Cyberspace Administration of China (“CAC”) issued the draft Measures on Security Assessment of the Cross-border Transfer of Personal Information (“Draft Measures”) for public comment. (The official Chinese version of the Draft Measures is available here, and an unofficial English translation is available here.) The comment period ends on July 13, 2019.
The issuance of the Draft Measures marks another major development in the implementation of China’s Cybersecurity Law (“CSL”) over the past month, aiming to create a cross-border data transfer mechanism that would govern all of the transfers of personal information conducted by network operators (defined as “owners and managers of networks, as well as network service providers”).
CAC released two earlier versions of its draft Measures on Security Assessment of Cross-border Transfer of Personal Information and Important Data in 2017, which imposed security assessment obligations on network operators when they transfer both personal information and important data outside of China (See Covington’s previous alert here). The latest and long-anticipated Draft Measures focus only on the cross-border transfer of personal information (the cross-border transfer of important data will be subject to a separate approval mechanism introduced by the draft Measures for Data Security Management released by CAC on May 28, 2019) and also set out new requirements that bear resemblance to the Standard Contractual Clauses under the EU’s General Data Protection Regulation (“GDPR”).
We discuss the key requirements of the Draft Measures in greater detail below.
Scope of Regulated Entities
These Draft Measures introduce a broad jurisdictional scope for regulating cross-border transfers of personal information. To provide context, under Article 37 of the CSL, only the cross-border data transfers of Critical Information Infrastructure operators are subject to the security assessment requirement. However, under the new Draft Measures, all network operators are obliged to undergo the security assessment process before they may transfer personal information collected in the course of their operations in China to recipients outside China. If the results of the security assessment indicate that the proposed cross-border transfer may “impact China’s national security, endanger public interest or ineffectively protect personal information,” then the cross-border transfer will be prohibited (Article 2).
In addition, the Draft Measures provide that if other laws or regulations have specified rules that regulate the cross-border transfer of certain personal information, these rules shall take precedence (Article 2). This could mean that data regulated by pre-existing sectorial data transfer rules and/or other localization rules may be carved out from the scope of the Draft Measures.
Security Assessment Process
When will the security assessment be required?
The Draft Measures require all network operators to apply for the security assessment at their respective CAC branch at the provincial level (“Provincial CAC”) before they transfer any personal information collected in the course of their operations in China to recipients outside of China.
Under the Draft Measures, the network operator only needs to undergo the security assessment one time for each data recipient, including when data is continuously transferred to the same recipient. However, separate applications for the security assessment will be required if personal information is transferred to multiple recipients.
Network operators are required to update their security assessment every two years, or on an ad-hoc basis whenever the transfer purpose(s), the type(s) of personal information transferred, or the retention period(s) for data stored outside of China have changed (Article 3).
What materials must be submitted for the security assessment?
To apply for the security assessment, network operators are required to submit the following materials, and they are responsible for ensuring the authenticity and accuracy of these materials:
- the application letter;
- the contract between the network operator and the recipient;
- the security assessment report on the security risks and the adopted security measures (of the proposed cross-border data transfers); and
- other materials required by the CAC.
Who will conduct the security assessment and how long will the assessment process take?
After the Provincial CAC has received all the required application materials, it will organize experts to carry out the security assessment (Article 5). The security assessment must be concluded within 15 business days after all the required application materials have been received, but this period can be extended for complex situations (Article 5).
What could be the result of the security assessment?
The Provincial CAC will notify network operators of the results of the security assessment and will also report such results to the central level CAC at the same time. The network operator may file an appeal with the CAC if it does not agree with the security assessment result (Article 7).
What to do after the security assessment?
The Draft Measures require network operators to retain the records of their cross-border data transfers for at least 5 years. The records shall include (Article 8):
- date of the cross-border data transfer and the retention period of data being transferred;
- identity of the data recipient, including without limitation, its name, address and contact details; and
- types, volume and the sensitivity of the personal information transferred.
Network operators are also required to submit annual reports to the Provincial CAC before the end of each year (December 31), which shall include information regarding their cross-border transfer practices and the status of their contracts with recipients. In addition, if a “relatively serious” security incident occurs, the network operator must report it to the Provincial CAC in a timely manner (Article 9).
What inspection authority does the Provincial CAC have?
Under the Draft Measures, the Provincial CAC may regularly inspect network operators’ cross-border transfer records, with a particular focus on:
- whether network operators have implemented the obligations in their contracts with data recipients;
- whether there are any violations of laws or regulations (during these transfers);
- whether the legal rights and interests of personal information subjects have been harmed (by these transfers).
If the Provincial CAC discovers that the interests of personal information subjects have been harmed, or that there have been data breaches or other security incidents, it can order the network operator to rectify these violations and/or urge the data recipient to do so (Article 10).
If any of the following circumstances occurs, the CAC and/or Provincial CAC may order the network operator to suspend or cease the cross-border data transfer (Article 11):
- the network operator or the data recipient suffers a “relatively serious” security incident;
- personal information subjects cannot or find it difficult to protect their legal rights and interests related to their personal information; or
- the network operator or the data recipient is unable to protect the personal information.
Substantive Criteria for the Security Assessment
The security assessment will focus on the following key factors (Article 6):
- whether the transfer complies with Chinese laws and regulations;
- whether the contractual terms with the data recipient can fully protect the legal rights and interests of the personal information subject;
- whether the terms of the contract can be effectively honored by the parties;
- whether the network operator or the data recipient has a history of harming the legal rights and interests of personal information subjects, and whether any significant security incident has previously occurred; and
- whether the network operator obtained the personal information in a lawful and legitimate way.
Specific Requirements for the Contracts Between the Network Operators and the Data Recipients and the Security Assessment Report
What specific provisions should be included in these contracts?
The Draft Measures require network operators to enter into legally binding contracts with data recipients which specify the following (Article 13):
- the purpose of the cross-border transfer, the types of personal information and the retention period of data being transferred;
- that the personal information subject is the “beneficiary of the contractual terms that involve the rights and interests of the personal information subject”;
- when the legal rights and interests of the personal information subject are harmed, the personal information subject may claim damages from the network operator or data recipient separately, or from both parties jointly, unless it is proved that the network operator or the data recipient is not liable;
- if it is difficult to perform the contract due to changes in the legal environment of the recipient’s country, the contract shall be terminated or the security assessment shall be conducted again;
- the termination of the contract cannot exonerate the network operator and the recipient from their obligations relating to the legal rights and interests of the personal information subject as specified in the contract, unless the recipient has destroyed or anonymized the personal information received.
What are the obligations of the network operator?
The Draft Measures require that the contract set out the following obligations of the network operator (Article 14):
- inform the personal information subject of the basic information of the network operator and the data recipient, as well as regarding the purpose for the transfer, the type of personal information transferred, and the retention period for the data (by means of e-mail, instant messaging, letters, faxes, etc.);
- provide a copy of the contract at the request of the personal information subject;
- convey any request of the personal information subject to the data recipient (including financial claims against the data recipient); and
- if the personal information subject cannot obtain compensation from the recipient directly, the network operator shall pay the compensation.
What are the obligations of the data recipient?
The contract shall specify the following obligations of the recipient (Article 15):
- provide channels for personal information subjects to access their data and, when requested, respond to, correct or delete the personal information of the data subject within a reasonable time and at a reasonable cost;
- use personal information in accordance with the purposes stated in the contract, and not retain personal information longer than the retention period provided in the contract;
- confirm that the execution and performance of the contract will not violate the legal requirements of the recipient’s country. If any changes to the local legal environment may impose difficulties on the performance of the contract, the recipient has the obligation to (i) notify the network operator in a timely manner; and (ii) with the assistance of the network operator, report to the Provincial CAC where the network operator is located.
Assessment report of security risks and security measures
As one of the materials required to be submitted for the security assessment application, the “assessment report of security risks and security measures” shall at least address the following issues (Article 17):
- the background information of the network operator and the recipient, including their scale, major business, financials, reputation, and security capabilities;
- the plan for cross-border transfers, specifying the duration, the number of personal information subjects involved, the scale of the transfer, and whether there will be any onward transfer; and
- risk assessment and the measures protecting the security of the personal information and the legal rights and interests of the personal information subject.
Other Key Requirements
What are the requirements for onward transfers to third parties?
The Draft Measures prohibit onward transfers of personal information unless the following requirements are fulfilled (Article 16):
- the network operator has notified the personal information subject – through e-mail, instant messaging, letter or fax – of the purpose of the onward transfer, the identity and nationality of the third party, and the type and retention period of the data transferred;
- the recipient provides an opt-out mechanism to the personal information subject and requests the third party to delete all the data received if so requested by the personal information subject;
- if sensitive personal information is included in an onward transfer, opt-in consent of the personal information subject is required; and
- the network operator commits to assume the liability for damages caused by the onward transfer (ostensibly with the possibility of seeking reimbursement from the recipient thereafter).
Requirements for companies having no operations in China
For entities that collect personal information in China but have no operations in China, the Draft Measures require them to fulfill the obligations imposed on the network operators through their legal representatives in China (individuals or entities) (Article 20).
Although the Draft Measures furnish some basic requirements for the cross-border transfer of personal information, the meaning and scope of some provisions in the Draft Measures are still unclear. Furthermore, some important questions are still unanswered, such as (i) whether data processors will be subject to different rules; (ii) whether the Draft Measures will treat intra-group transfers differently; and (iii) for group companies, whether the security assessment shall be done at the group level or at the individual entity level. More guidance is expected from CAC in the coming months.
Similarities to Standard Contractual Clauses and Binding Corporate Rules
The Draft Measures include provisions that are, in certain ways, similar to the European Union’s Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”), which have existed for some time and are widely implemented by businesses worldwide.
For example, the very concept of passing down certain data protection obligations by way of contract is the foundational principle of the SCCs, which aim to provide an effective method to safeguard personal data transfers on an international scale. These obligations may extend not only to transfers to the initial recipient (referred to as the “data importer” under the SCCs), but also serve to ensure accountability for onward transfers to other third parties.
Secondly, the requirement for the recipient to notify the network operator if a local law prevents it from complying with the terms of the contract is also contained in the SCCs. This provides a means to prevent parties from seeking exemption from their contractual obligations due to local law requirements, and ensures that the data exporter is informed of changes in local laws that might affect a recipient’s ability to fulfill its obligations.
Finally, the Draft Measures introduce a third-party beneficiary clause that is also found in the SCCs and gives individuals a legal means to enforce their rights and claim compensation for breaches of certain contractual provisions that result in harm to their personal data. This is reinforced by the fact that an individual must be provided a copy of the contract upon request, and a network operator may be required to pay compensation for the contractual violations of a recipient or for an improper onward transfer.
The provisions in the Draft Measures are also similar in certain respects to the EU’s BCRs. For example, the fact that parties must apply and undergo an assessment to receive approval for their cross-border transfers of personal data is somewhat analogous to BCRs, which involve an extensive and document-intensive review of a company’s data protection practices as part of the approval process.
We emphasize that any similarities between these regimes are observed at a high level and at an early stage of development of the Draft Measures. While it may be interesting to consider these resemblances from a comparative law perspective, in reality the legal traditions and enforcement regimes in Europe and China are vastly different, and will likely remain as such for well into the future.