The Cyberspace Administration of China published the Draft Administrative Measures on Evaluating the Security of Transmitting Personal Information Overseas on June 13, prompting many to worry about the reemergence of data localization.
When the CAC published the Draft Administrative Measures on Evaluating the Security of Transmitting Personal Information and Important Data Overseas in 2017, it would have been the first proposed general obligation of data localization for companies in mainland China. It met with a strong negative reception and was ultimately not enacted.
So, what can be said about the successor of the 2017 draft measures? Has data localization returned to the discussion table under another form, or is the 2019 draft solely detailing a new cross-border transfer framework for companies in mainland China?
Cross-border transfer of personal information overseas under a new approval process
A crucial modification in the 2019 draft measures is the complete overhaul to the approval process for the cross-border transfer of personal information overseas. As per Article 2 in the proposed legislation, “for the network operator intending to provide personal information it has collected during its business operations within the territory of the People's Republic of China overseas, a security assessment shall be conducted in accordance with the Measures,” and if the assessment reveals the cross-border transfer could result in undermining “national security or harm public interest or that it is difficult to effectively guarantee the security of the personal information, such cross-border transfer shall be banned.” While the 2019 draft measures does not prevent cross-border transfers of personal information overseas like the 2017 draft measures aimed to, this new assessment would effectively create a whitelisting system in which review and approval by the relevant authorities are mandatory prior to transferring any personal information overseas.
Therefore, any company in mainland China transferring personal information to itself or to a third party overseas would need to successfully go through the new approval process. The approval process can be broken down into three main phases:
- The review or drafting of contracts between the data exporter and the data importer(s) that must include all the clauses detailed between Articles 13 and 16 of the 2019 draft measures.
- The internal review by the data exporter following Article 17 of the 2019 Draft Measures and a declaration to the provincial-level cyberspace department by the data exporter, including the following information, per Article 4 of the 2019 Draft Measures:
  - A declaration form.
  - The contract signed by and between the network operator and the recipient.
  - An analysis report for security risks of the cross-border transfer of personal information and security guarantee measures.
  - Other materials required by the national cyberspace department.
- A cybersecurity assessment of the data exporter and a review of its declaration by the provincial-level cyberspace department in accordance with Articles 6 and 7 of the 2019 Draft Measures.
Only after this process is completed will a company be allowed to transfer personal information overseas under the proposed legislation. It must be noted that this approval can be revoked at any time during an examination by the relevant authorities under Article 11, without a right to oppose the decision. The examination can be done randomly as per Article 10 or following the report of an individual or organization as per Article 11 of the 2019 Draft Measures. Finally, companies will need to undergo the approval every two years or when a substantial change occurs to the transfer as per Article 3 in the proposed legislation.
The 2019 Draft Measures provides companies in mainland China with a stringent approval-based framework for cross-border transfer of personal information overseas. And while it could not be considered as enabling data localization, the new framework's stringency is certain to create a trend of indirect data localization among companies that are unwilling or unable to go through the approval procedure and will keep data in mainland China.
Companies take a data localization stance as a response to the new system
With no mention of any data localization obligation in the 2019 Draft Measures, should companies be able to cast away their concerns about data localization? Unfortunately, data localization should remain a concern as an indirect effect of the new approval process for cross-border transfer of personal information overseas.
Under Article 6 of the proposed legislation, companies will need to submit to a cybersecurity assessment instead of a self-assessment, while still being subject to additional inspections under Article 10, which could cause companies to push back against the legislation. Companies already wary of having their internal cybersecurity processes inspected by third parties or government bodies could decide not to transfer personal information overseas to avoid inspection. Other companies could have their subsidiary submit to the review but see their headquarters, acting as data importer, refuse to participate on internal security and confidentiality grounds. Some companies may be unable to participate due to their low level of maturity regarding compliance with mainland China's cybersecurity framework.
Another concern is the acceptance of the contract between the data exporter and the data importer. While most of the required clauses under Articles 13 to 16 are similar to those in other data processing agreements, some clauses could deter both data importers and data exporters. In particular, the clause under Article 14(2) of the proposed legislation is an obligation to “upon request by personal information subjects, provide duplicates of the contracts.” While this could be seen as a step toward transparency, it is unlikely companies will agree to this clause as it allows third parties to gain insight into their internal contractual workings. However, without this clause, the contractual relationship does not comply with the 2019 Draft Measures, and de facto data localization is required.
The stringency of the new framework would likely prevent small and medium enterprises from transferring personal information overseas as they lack the budget and time to perform the analysis report required under Article 4 of the 2019 Draft Measures. They may also be unable to negotiate a contract with the data importer that includes all the clauses required by Articles 13 to 16 of the proposed legislation, preventing them from launching the approval procedure.
Without requiring data localization, the 2019 Draft Measures is certain to achieve partial data localization for multiple companies that are unwilling to be the target of a cybersecurity assessment, lack the means to perform the approval procedures, or have data importers unwilling to provide assistance during the review.
What to do next?
Companies have until July 13, 2019, to send comments on the proposed legislation to the CAC via email or through the CAC website. They can also contact their chambers of commerce in mainland China and ask to have multiple companies’ comments grouped under the chamber's participation. In 2017, companies grouped their comments for the 2017 Draft Measures together, which ultimately proved effective as data localization was abandoned in the second 2017 Draft Measures.
It is too early to determine what impact the 2019 Draft Measures will have on companies, although if passed in its current form, it would have an impact on all internal processes leveraging cross-border transfer of personal information overseas. Customer relationship management systems, human resources management systems and any other centralized internal services would be impacted by the proposed legislation and could be the target of a security assessment by the authority as per Article 6.
If we base our forecast on the development of the 2017 Draft Measures, the second version was heavily modified, with the data localization obligation deleted following a unified negative response from the business community. However, the global climate on data localization in 2017 was still mild, which cannot be said of 2019, where data localization has been pushed in major jurisdictions like Russia and India, and where a trade war is still being waged between the U.S. and China.
As a final word, the development of this draft should be closely watched as it could be the beginning of a new indirect data localization regime for all companies in mainland China or be the preservation of the current status quo for cross-border transfer of personal information overseas.