China issues draft rules on cross-border data flows
China’s cybersecurity regulator, the Cyberspace Administration of China (‘CAC’), has published draft measures on cross-border data transfers for public consultation. Comments on the Draft Measures on Security Assessment of Cross-Border Transfer of Personal Information (the ‘new Draft’) are due by July 13th 2019.
The new Draft Measures replace the earlier Draft Measures on Security Assessment of Cross-Border Transfer of Personal Information and Important Data, which were published in April 2017 (the ‘2017 Draft’).
Security assessment process
Under the new Draft Measures all network operators are required to undergo a security assessment process before transferring personal information to recipients outside China. Personal information includes ID, addresses and phone numbers collected in China.
The security assessment requirements are more onerous under the new Draft Measures. Under the 2017 Draft Measures, security assessments were only required of critical information infrastructure operators. However, under the new Draft Measures there are no threshold requirements and all network operators must apply for security assessment at the provincial level branch of the CAC. A network operator is a provider of services through a ‘Network’ that includes personal data.
Network operators must undergo security assessment once for each recipient, and separate applications for security assessment are required when personal information is transferred to multiple recipients. However, operators that repeatedly or continuously undertake cross-border transfers to the same recipient will not be required to undertake separate security assessments.
To apply for security assessment, network operators need to provide the contract between the operator and the intended recipient, an assessment report on the security risks, and details of the adopted security measures of the proposed cross-border data transfers.
Upon submission by the applicant, the new Draft Measures require the CAC to complete the security assessment within 15 working days unless this period is to be extended ‘under complicated circumstances’.
The new Draft Measures also require network operators to undertake a new assessment every two years, or when the type of cross-border transfer changes or the retention period outside of China changes.
The new Draft Measures require network operators to submit annual reports before December 31st to their local CAC, and to report any major security incidents. The CAC may require network operators to suspend or terminate cross-border transfers in the event of a major breach, or if it is not possible for data subjects to protect their legitimate interests, or if the network operator is incapable of properly safeguarding the personal information.
Network operators are also required to keep records of all applicable cross-border transfers for at least five years. The records must include the date of the cross-border transfer, the identity of the data recipient, and the type, volume and sensitivity of the personal information transferred.
Transfers to third parties
The Draft Measures limit onward transfers of personal information to third parties once it has been transferred abroad. In accordance with Article 16, the contract between the network operator and recipient must state that onward transfer can only occur if special conditions are met. Article 16 distinguishes personal information from sensitive personal information. Sensitive personal information is defined as data that once disclosed, stolen, falsified or illegally used, may endanger the personal safety or property interests of the data subject, or lead to damage to the reputation, or physical or mental health of the data subject.
In order to transfer personal information to a third party, the data subject must be able to request that the transfer is stopped and the third party shall be required to delete the data. In contrast, the consent of the data subject is required for transfers of sensitive personal information.
Overseas companies with no operations in China
If a foreign entity is a network owner, administrator or service provider that gathers personal information during its operation in China, it will be considered a ‘network operator’ and will have to apply for security assessment, as detailed above. For example, this will include operators of cross-border e-commerce platforms or foreign group companies collecting the personal information of domestic customers through their official websites for registration, online shopping and delivery.
The Draft Measures do not state whether foreign companies without Chinese subsidiaries must establish a Chinese presence responsible for performing security assessments in relation to any applicable cross-border transfers. However, Article 20 of the Draft Measures requires entities that collect personal information in China but have no operations in China to fulfil the obligations imposed on the network operators through their legal representatives in China. The requirement for security assessments will put pressure on foreign companies to locate data processing operations in China.
Further clarifications required
Although the proposed Measures may change following public consultation, the proposed Draft demonstrates that China is taking cybersecurity governance seriously. Overall, it appears that compliance with cross-border privacy obligations will not be more onerous than under the equivalent provisions of the GDPR. Furthermore, although the new Draft Measures provide much detail on how cross-border transfers are to be handled, unanswered questions remain. For example, the new Draft refers to network operators as “network owners and administrators and network service providers”. As such, if the new Draft Measures are eventually implemented, they could be far-reaching and apply to many companies and organisations.
It is also not clear if intra-group data transfers will be treated any differently and whether the security assessment will be undertaken at the parent or subsidiary company level.
We will continue to provide updates on the status and implementation of the new Draft Measures.