China Issues Draft Rules on Cross-border Data Flows

The CAC (Cyberspace Administration of China) has released a draft guideline on cross-border data transfers under the country’s cybersecurity law.

The law went into effect on 1 June 2017 and is considered more broad than comparable privacy measures such as the EU’s GDPR (General Data Protection Regulation). GDPR restricts EU institutes’ data and information from being transferred to a non-EU country for security reasons. The European Commission can decide if a third country has adequate protections in place.

Law firm Hogan Lovells published an APAC Data Protection and Cyber Security Guide earlier this year, in which it noted that China’s cybersecurity law still lacked specifics in critical areas, including with respect to international data transfers and the “as-yet unfinalised data export review procedure”.  The cross-border data transfer guideline is key to resolving the long resolved uncertainty. The published draft comes in the midst of US-China trade tensions and will do much to revive concerns that China is pursuing outright data localisation. In April it was reported that China would put data-onshoring rules on hold while trade talks were ongoing.

According to Global Times, the latest draft guideline will prevent the flow of personal information overseas if it ‘risks undermining national security and public interests’, or if the security of personal information cannot be effectively guaranteed.  The draft covers not only operators of critical information infrastructure referred to in the cybersecurity law, but also “network operators”, a much wider scope of businesses operating in China – essentially every business that operates network infrastructure in mainland China.

Chinese network operators and foreign entities that collect online personal information in China for business purpose. It says that personal information, including ID numbers, addresses and phone numbers collected by network operators should be assessed before being sent overseas.

Network operators need to report to the provincial-level cyberspace administrative department and apply for a security assessment before providing personal information collected in China to overseas receivers. Separate applications are needed in the case of multiple receivers.

The draft said that the security assessment will focus on whether the data being sent overseas is legitimate, whether the data transfer protects the legal rights of the person who possesses the information, and whether the network operators or overseas receivers have any history of internet security incidents.

Internet operators need to set up a file on the cross-border data transfer and keep it for at least five years, including information on the identities of overseas receivers and on the sensitivity of the personal information. They additionally need to report to provincial-level cyberspace departments annually.

Source: Regulation Asia