Recently, the Cyberspace Administration of China released new draft "Measures on Security Assessment on Cross-border Transfer of Personal Data" for public consultation. The June 13 release presents another approach to cross-border data transfer under the China Cyber Security Law. These CAC New Draft Measures superseded the previous efforts of CAC on cross-border data transfer, i.e., CAC’s draft "Measures on Security Assessment on Cross-border Transfer of Personal Data and Important Data" and the draft "Guidelines on Security Assessment for Cross-border Data Transfer," both of which were released for public consultation in 2017.

It's not unusual that certain ministry-level measures can be passed within a short period of time and leave a short grace period (as short as only a month) for companies to comply with. As such, it's worth considering planning certain actions to reduce unnecessary pressure to meet the compliance deadlines once the new rules are adopted

August 20, China started to implement its pilot policy on cross-border data transfer in Lin Gang Zone located in the Shanghai Pilot Free Trade Zone. The pilot policy briefly mentions the implementation of security assessments for cross-border data transfer, setting up information security maturity models and the filing of the cross-border data transfer for certain sectors such as integrated circuit, artificial intelligence and life sciences and pharmaceutical, and for multinational companies that register their headquarters in the new zone. It is not clear for now how Chinese authorities intend to implement rules for facilitating the cross-border data transfer in this particular free trade zone as a pilot program for the purpose of attracting foreign investors.   

New approach to cross-border transfer of personal data

The new CAC draft measures require all network operator’s cross-border transfer of personal data to go through a security assessment to be conducted by a provincial branch of CAC. The cross-border transfer of personal data is prohibited if the security assessment concludes that such cross-border data transfer is likely to impact national security or public interest or impact the effective protection of personal data. This is the significant change in approach because, in the 2017 CAC draft measures, CAC positioned themselves as coordinator for various sectoral regulators that were proposed to undertake the specific security assessment. Previously, the security assessment was in general proposed as self-assessment unless the involvement of sectoral regulators in such security assessment becomes necessary in certain prescribed circumstances. When cross-border transferring to different data receivers, each transfer warrants a security assessment, whereas transferring to the same data receiver in multiple batches or continuously does not require repeating the security assessment. The security assessment shall be revisited every two years or when the purposes or data categories in the cross-border data transfer or the period of data retention by the data receiver change.

Another notable change is that the CAC new draft measures do not address cross-border transfer of important data, which is separately addressed in draft "Measures on Administration of Data Security," released by CAC for public consultation May 28, 2019. In the draft data security measures, CAC proposed that the collection of important data shall be filed with the sectoral regulators (or the provincial branch of CAC in the event that there is no specific sectoral regulator) and cross-border transfer of important data is subject to the pre-approval of CAC. And yet, the key question remains: What is important data? CAC is drafting a guideline on how to identify important data, which is highly expected.  

Cross-border data transfer can be a one-off activity, such as copying personal data and/or important data in the thumb drive and courier to an overseas data receiver, or a continuing transfer, such as granting a user outside Mainland China remote access to an information system that is used and hosted in China. 

Areas of assessment

The focus of security assessment also changed in the CAC new draft measures. In them, a self-assessment of the potential risks and the security measures in relation to the cross-border transfer of personal data is required, as well as the cross-border data transfer agreement between the domestic network operator and the overseas data receiver.

CAC’s clear stance on extraterritorial application of the CSL?

CAC proposed to make its stance clear on the extra-territorial application of the CSL in the new draft measures. In them, it states foreign companies that collect personal data of data subjects in China via the internet are required to appoint representatives in China to perform the obligations and responsibility of a network operator. It is not clear yet whether such remote collection of personal data outside China needs to first meet the targeting criteria, such as Article 3(2) of the EU General Data Protection Regulation. A similar attempt was made in the 2017 draft measures and the 2017 draft guidelines, where the “domestic operation” was extended to include any remote provision of products and/or services to data subjects in China as long as such company targets the data subjects in China (the targeting criteria was proposed to include use of Chinese, use of RMB as payment, or arrangement of domestic logistic services, etc.).

Alternative proposal from industry 

Many representatives of various industries in China proposed an alternative proposal for cross-border data transfer, i.e., a filing system of cross-border data transfer coupled with random sampling and inspection from time to time. Some suggested adding a list of exemptions for cross-border data transfer, such as cross-border data transfer that is initiated by the data subject or that is for the purpose of performing the legal obligations under Chinese laws, the personal data that has been made public by the data subject voluntarily.

Plan for imminent changes

Many changes, such as change of system provider (e.g., customer relationship management, human relations system, or "know your customer" system for banks, cloud services) with backup hosted outside China need to be planned ahead, and these imminent local nuances in China must be embraced.

A cross-border data transfer agreement will be inevitable in China

The new draft measures seem to favor the approach of having a contractual arrangement to ensure the overseas data receiver must protect the personal data and facilitate the exercise of data subject rights. Some mandatory clauses have been proposed for such cross-border data transfer agreements, such as that the network operator in China shall first compensate the data subject in the event of infringement of the right to data protection by the overseas data receiver, unless the network operator can prove that it is not at fault. Companies shall avoid directly using standard contractual clauses under the GDPR without further tailoring for China.

Self-assessment can be prepared in advance either for submission as part of the security assessment or as documentation of compliance

While the rules may take time to finalize, the obligation to protect the personal data regardless of the data processing in China or outside China is provided in Article 42 of China's cybersecurity law. Given this, the network operators in China have to address the change of control and the difference in the level of protection of personal data when transferring personal data outside China.

Reconciliation with sectoral rules is important 

While the CAC proposed to take over the security assessment in its new draft measures, there are many sectoral rules that are currently in effect stipulating the pre-approval for collection, processing and cross-border transfer of certain data categories. There have been long-standing data localization requirements for personal financial information that is collected by banks in China, surveying data (i.e., ground data) and personal health data that is collected by medical institutions in China. For example, recently China also revised and passed the Regulation on Administration of Human Genetic Resources, which regulates the collection, processing and cross-border transfer of human genetic resources (including human samples and genetic data).

While it is not yet clear how the CAC will reconcile with the sectoral regulators’ security assessment or whether CAC will set up an interoperability mechanism to recognize the sectoral regulators’ security assessment, it is beneficial to check with sectoral regulators to pre-empt their questions in the process of conducting self-assessment. 

Photo by Hanson Lu on Unsplash