Separate treatment of personal information and important data
By contrast with the draft Measures on Security Assessment of Cross-Border Transfer of Personal Information and Important Data (the 2017 Draft) published by the CAC back in 2017, the 2019 Draft specifically targets “personal information.” As regards personal information, it is worth noting that the 2019 Draft no longer specifically mentions the “data localization” requirement, instead placing more emphasis on the requirement to fulfill a security assessment before any cross-border transfer. This indicates the CAC’s intention to adopt different approaches to the data localization requirement for personal information and important data (which usually involves national security, social order and public interests), respectively.
Clarification on scope of applicability
The 2019 Draft clearly specifies that “foreign entities” will be required to fulfill the relevant obligations under the 2019 Draft through their authorized representatives or affiliates in China as long as they collect the personal information of Chinese users through the internet; by contrast, the 2017 Draft vaguely referred to “other individuals and entities” being subject to its requirements.
Key obligations of network operators under the 2019 Draft
- Security assessment prior to transfer
Before transferring personal data abroad, network operators must apply to the provincial cybersecurity administration for security assessment of the same (pre-export security assessment). The assessment must be repeated every two years or whenever there is a change in the purpose of such data export, the types of data being exported, or the period of overseas retention of such data.
The 2019 Draft lists the documents that must be submitted by the network operator when applying for a pre-export security assessment. These include, in particular, any related contracts or other legal documents that the network operator has signed with the recipients of the personal information (collectively, the Transfer Contracts) and its risk assessment report detailing its information security measures.
The 2019 Draft also outlines the following key considerations that the provincial cybersecurity administration will take into account when reviewing a pre-export security assessment, together with a catch-all item covering any other aspects that may be subject to evaluation:
- whether the transfer complies with relevant PRC laws, regulations and policies;
- whether the provision of the relevant Transfer Contract ensures in full the rights and interests of the subjects of personal information;
- whether the Transfer Contract can be duly executed;
- whether the network operator or recipients have a record of damaging the legitimate rights and interests of the subjects of personal information, and whether any significant network security incident has previously occurred; and
- whether the network operator collects personal information in a lawful and legitimate manner.
- Reporting and retention obligations
In addition, the 2019 Draft provides that network operators must (i) make an annual report before December 31 each year on personal information cross-border transfer, which must include confirmation as to whether the Transfer Contracts are properly performed; and (ii) promptly report any major cybersecurity incidents to the provincial cybersecurity administration. In case of any major incident involving data loss or misuse, or when the legitimate rights and interests of the relevant individuals and the safety of personal information can no longer be protected, the competent cybersecurity administration may order the network operator to suspend or stop the cross-border transfer of personal information.
The network operator must also keep a record of all data transferred abroad for a minimum period of five years, including the date of the transfer, details of the recipients as well as the type, amount and sensitivity of the relevant information.
Observations
Although the 2019 Draft is yet to be finalized, we believe that it could serve as future guidance on good practice and practical requirements in relation to the cross-border transfer of personal information collected within China. While our China cybersecurity team will continue monitoring the legislation’s progress and keep you updated, it is recommended that you prepare yourself in advance to ensure future compliance, in particular by doing the following:
- reviewing and commenting on privacy policies to ensure those relating to the cross-border transfer of personal information are in compliance with Chinese laws and regulations;
- ensuring contracts or other legal documents to be signed with overseas recipients are prepared in compliance with the requirements under the 2019 Draft and other applicable Chinese legal provisions; and
- delivering training specifically on data export to any employees who may handle and manage matters relating to the cross-border transfer of personal information.
Client Alert 2019-184