Following the publication of the Measures for Data Security Management (draft for public comments)[1] on 28 May 2019, the Cyberspace Administration of China further released the Measures for Security Assessment of Cross-border Transfer of Personal Information (draft for public comments) (Cross-border Transfer of PI Draft or Draft) on 13 June 2019, which targets an important element of data management – that is, “cross-border transfer of personal information (PI)”[2]. In comparison with the previously published Measures for the Security Assessment of Cross-border Transfer of Personal Information and Important Data (draft for public comments)[3] and the Information Security Technology – Guidelines for Data Cross-border Transfer Security Assessment (draft for public comments)[4], the Draft has put forward a different regulatory framework for cross-border transfer of PI.
Highlights of the Cross-border Transfer of PI Draft include:
I. Adjusting security assessment system
The Draft no longer distinguishes PI by its degree of sensitivity, quantity and so forth[5]. Rather, it provides that prior to cross-border transfer of PI, network operators must apply to the relevant local branch of the Cyberspace Administration of China (Cyberspace Authorities) for security assessment. To avoid placing excessive burdens on network operators, the Draft also stipulates that it is not necessary to apply for multiple assessments if PI is frequently or continuously provided to the same recipient. However, as a qualifying condition, the Draft also stipulates that every two years, or when there are changes to the purpose, type or retention period of the PI, such cross-border transfer of PI must be reassessed.
II. Establishing mandatory contract terms system
According to the Draft, one of the documents that must be submitted for security assessment is the cross-border transfer of PI contract between the network operator and the overseas recipient. The Draft also provides that such contract must include mandatory terms and conditions such as the purposes and types of transfer, the network operator’s necessary obligations, the recipient’s necessary obligations, etc. After careful perusal, we suggest paying particular attention to the following essential terms[6]:
(1) When the lawful rights and interests of a PI subject (Individual) are violated, the Individual can claim damages against the network operator and/or the recipient (unless the network operator and/or recipient can prove that they are not liable). Moreover, if the Individual cannot obtain damages from the recipient, the network operator shall pay damages first;
(2) The network operator shall, at the request of the Individual, provide the Individual with a copy of the cross-border transfer of PI contract;
(3) The recipient shall provide the relevant Individual with access to his/her PI. The recipient shall also respond to, correct or delete the relevant information pursuant to the Individual’s request at a reasonable cost and within a reasonable time; and
(4) The recipient must not transfer the PI received to any third parties, unless the conditions prescribed under the Draft are satisfied (including the four conditions, such as the relevant consent from the Individual having been obtained when sensitive PI is involved, etc.).
We understand that an important purpose of setting up the contract terms system is to monitor overseas recipients indirectly by means of contract management.
III. Establishment of record retention and annual reporting systems
The Draft prescribes that a network operator shall establish a record of cross-border transfer of PI (the contents of which shall meet the requirements under the Draft) and keep the record for at least 5 years. At the same time, a network operator must report to the Cyberspace Authorities on the status of overseas transfer of PI, contract performance, and so forth by 31 December every year. In addition, in case of a relatively large-scale data security event, the network operator shall make a timely report to the Cyberspace Authorities.
IV. Establishment of other regulatory systems
The Draft has introduced several other regulatory systems, including: (1) in some specific circumstances (e.g., network operators’ or recipients’ large-scale data leakage or abuse), the Cyberspace Authorities have the power to require network operators to suspend or terminate the overseas transfer of PI; (2) if overseas organisations collect PI in the course of their business operations from users who are in China through the Internet, they shall fulfil the obligations of network operators through their legal representatives or organisations in China; and so on.
From a practical point of view, some of the issues provided under the Draft may still require further clarification[7]. That being said, in comparison with previous drafts[8], the regulatory framework reflected in the Cross-border Transfer of PI Draft seems more reasonable, and could be more conducive to facilitating the safer circulation of PI.
[1] For a preliminary interpretation of the Measures for Data Security Management (draft for public comments), please refer to Deacons’ article – Deeper data compliance and protection requirements – China releases Data Security Management Measures (draft for public comments) (see https://www.deacons.com/news-and-insights/publications/deeper-data-compliance-and-protection-requirements-china-releases-data-security-management-measures.html).
[2] The second paragraph of Article 28 of the Data Security Management Measures (draft for public comments) provides that “the provision of personal information to abroad shall follow relevant regulations”. Here the Measures for Security Assessment of Cross-border Transfer of Personal Information (draft for public comments) can indeed be part of the aforesaid “relevant regulations”.
[3] On 11 April 2017, the Cyberspace Administration of China released the Measures for the Security Assessment of Cross-border Transfer of Personal Information and Important Data (draft for public comments). Looking at the assessment procedures, the foregoing draft does not distinguish between PI (for which personal legal rights and interests are the emphasis) and important data (for which national security and social interests are the focus), but uniformly adopts the Network Operator Self-assessment Approach and the Government Security Assessment under Special Circumstances Approach to manage cross-border transfer of information and data.
[4] On 30 August 2017, the General Administration of Quality Supervision, Inspection and Quarantine of China and the Standardization Administration of China jointly released the recommended national standard Information Security Technology – Guidelines for Data Cross-border Transfer Security Assessment (draft for public comments). With respect to security assessment, the foregoing draft basically follows the arrangements of the Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (draft for public comments), and furthermore puts forward three different compliance models for cross-border transfer based on the different importance and sensitivity levels of data.
[5] The Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (draft for public comments) provide that the degree of sensitivity, quantity, range and type of PI, whether the PI subjects have agreed to the cross-border transfer, etc. are all emphases of security assessment. Whether or not the PI can be transferred abroad, and which transfer compliance model can be used, shall be determined by the assessment results and the particular situation of the data.
[6] From our understanding, the network operator and recipient have the right to stipulate the detailed language and arrangements of the terms, provided that the principles reflected in the mandatory contract terms are met.
[7] For example, “part II. Establishing the mandatory contract terms system” of this article states that, according to the Draft, the transfer of PI contract shall stipulate that a network operator, when requested by an Individual, shall provide the Individual with a copy of the relevant cross-border transfer of PI contract. However, taking into account commercial needs (such as protecting trade secrets, etc.), the Draft should further clarify whether a complete and entire copy of the contract must be provided, or whether irrelevant commercial clauses can be redacted, etc.
[8] Relevant previous drafts primarily include the Measures for the Security Assessment of Cross-border Transfer of Personal Information and Important Data (draft for public comments) and the Information Security Technology – Guidelines for Data Cross-border Transfer Security Assessment (draft for public comments) (please also see footnotes 3 and 4 above).