On May 27, 2017, China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), released Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft Version) (the “draft Standard”) for public comments. The official Chinese version of the draft Standard is available here, and the comment period is open until June 27, 2017.
Once adopted, the new standard will be part of the comprehensive regime governing China’s cross-border data transfers, supplementing the draft implementing regulation issued recently by the CAC, Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (“the Measures”). (See Covington’s alert on the Measures here.) Although the “Information Security Technology” family of standards consists of voluntary national standards that are not legally binding, we expect this draft Standard to provide important guidance to companies with respect to the security assessment of their cross-border data flows.
As we have previously discussed (see our alert here), China’s Cybersecurity Law requires operators of “Critical Information Infrastructure” (“CII”) to store within China the personal information of Chinese citizens and the “important data” collected or generated in the course of operations within China. To transfer that data outside of China, a security assessment must be performed.
CII operators, however, are not the only entities required to conduct a security assessment of cross-border data transfers. The Measures, which are expected to be finalized in the coming days, require “network operators” (a broad term encompassing entities that “own or manage networks in China”) to perform a security assessment before transferring personal information and “important data” outside of China. The Measures provide, among other things, the substantive criteria of the security assessment.
The draft Standard, elaborating on the substantive criteria mentioned in the Measures, details the risk factors regulators are likely to analyze when reviewing or conducting security assessments of companies’ cross-border data transfers flowing out of China. If these security assessments reveal major risks, Chinese regulators may require a company to step up its data protection efforts, or such transfers may be blocked entirely.
As a threshold matter, the draft Standard requires that the transfers should be “lawful and legitimate.” This is not a high threshold. Generally, transfers for a genuine business purpose are legitimate. For example, the draft Standard provides that transfers for the purpose of “fulfilling business contracts” would qualify as legitimate.
If this bar is met, regulators are instructed to evaluate the risks associated with the transfers. This analysis includes considering the features of the data to be transferred and the likelihood of a security incident during and after the transfer. The draft Standard further lists over fifteen risk factors, including those related to a data controller’s data protection program, the data recipient’s level of protection, and the country to which the data will be sent. For example, the draft Standard contemplates that the transfer of fewer than 1 million records of personal data would have a lower risk level than the transfer of a greater number. Transfers of over 50 million records are presumed to be high risk. Regulators will also assess a company’s data protection program from two perspectives: data protection governance and the technical measures used to protect the data. Factors such as whether companies have a security policy governing the transfers, or whether the companies are using encryption to protect data in transit, will be taken into account. The absence of any data protection practices may be deemed to increase the overall risk of the transfers. Finally, regulators consider a review of the data recipient’s security practices and the “political and legal environment” of the country or region in which the data recipient is located to be necessary in order to assess the overall risk of the transfer.
Risk factors identified in the draft Standard will be used to assess a company’s data transfer practices. For each risk factor, the regulator will assign a risk level. Once all risk factors are assessed, a regulator can decide the overall risk level of the transfers. If the overall risk level is low, such transfers should be allowed to continue. Once a company conducts a security self-assessment, the record of such an assessment must be retained for at least five years.
In addition to describing the risk factors for security assessment, for the first time, the draft Standard sheds light on what data Chinese regulators consider to be “important.” At a high level, “important data” is defined to include data that could have “severe consequences” for national security or societal and public interests in the event of a leak or misuse after transfer outside of China. To inform companies of what kind of data may fall into the scope of “important data,” Annex A of the draft Standard explicitly lists, on a sector-by-sector basis, examples of data that Chinese regulators believe to be “important.” This includes specific examples (e.g., personal health records, e-commerce transaction records, payment/financial information) as well as potentially expansive categories (e.g., “information relating to natural persons, legal persons, and organizations acquired and kept in the process of establishing business relationships with natural persons, legal persons, and other organizations”). Despite releasing these examples of “important data,” the draft Standard confirms that the precise determination of whether certain data will be classified as “important data” will ultimately be made on a case-by-case basis by sectoral regulators.