A draft regulation released on April 11, by the Cyberspace Administration of China could have a significant effect on foreign companies with operations in China that store or transfer data overseas.

The draft rules, entitled the Measures for the Security Assessment of Personal Information and Critical Data Leaving the Country, are intended to assist in the implementation of China’s new Cybersecurity Law, which takes effect on June 1.

The draft security measures appear to expand the scope of China’s data localization and security review requirements to a wider range of companies than originally thought covered by the Cybersecurity Law.

If issued in their current form, the draft security measures could dramatically increase compliance costs for China-based companies that transfer or store data overseas. They would also stoke further fears of IP theft in a country already well-known for IP abuses.

The draft security measures follow the recent issuance of a controversial draft regulation calling for a security review of certain imported foreign IT equipment and services to ensure they are “secure and controllable” — a designation whose exact parameters have yet to be clearly defined. If both measures are enacted in their present form, China will have established technology and data security reviews on both the inbound and outbound side, providing wider latitude for government agencies — including those with links to the country’s military and security agencies — to request data and confidential information from foreign companies, particularly those in the IT sector.

Set out below is an analysis of the central provisions of both the Cybersecurity Law and draft security measures, and how they would apply to foreign businesses.

Cybersecurity Law

Article 37 of the Cybersecurity Law requires “Key Information Infrastructure Operators” to store, on PRC servers, all personal information and “critical data” collected or processed through their operations in China. The law also restricts the transfers of such data overseas unless required for a “critical business purpose” and only following a government-defined security review.

These provisions represent some of the strictest data localization requirements in any jurisdiction worldwide and have been the subject of a significant level of criticism from foreign trade associations as well as governments. But this criticism was somewhat muted due to assumptions that the restrictions would only be applied to KIIOs, and that the definition of KIIO’s would be narrow.

However, if promulgated in their current form, the draft security measures would appear to expand the Cybersecurity Law’s data localization and security review requirements to all “network operators” operating in China (Article 3) — a term with potentially vast reach. They would also apply the “security assessment” requirement to all individuals or organizations in any industry (Article 16) that collect or transfer critical or personal data falling under the criteria set out in Article 9 of the draft (see below).

What is a KIIO and what obligations may be imposed?

The precise definition of KIIO remains vague in both the Cybersecurity Law and the draft security measures. Under the Cybersecurity Law, a KIIO includes any company in certain public-facing sectors such as “public communications, information services, energy, transport, water conservancy, finance, public services, and electronic government, etc.,” or any information infrastructure whose destruction or data leakage may cause harm to China’s national or economic security.

Under the law, KIIOs are required to store on PRC servers all personal information and “critical data” (undefined) they collect or produce in China. Where it is “necessary” to transfer such information overseas “due to business requirements,” the transfer may only be carried out following a security review.

The specifics of this security review are the main focus of the draft security measures.

How are data storage and overseas transfers handled in the draft security measures?

In a sense, the draft security measures would all but amend the law they intend to clarify. They do so in two ways.

First, the draft rules would impose the data localization requirement for KIIOs on “network operators,” despite the fact that network operators are not explicitly subject to these requirements in the Cybersecurity Law.

“Network operators” are defined as “those entities that own or administer a network, and to network service providers.” The definition is also somewhat vague, but would appear to encompass all technology/online companies and, potentially, any company that uses its own IT networks or infrastructure.

Second, the draft measures would extend the security review requirements not only to KIIOs and network operators, but also to all “other individuals or organizations collecting or generating personal information or critical information within the territory of the People’s Republic of China.” This appears on its face to be a dramatic expansion in the reach of the original law and would seem to impose a de facto data localization requirement for all companies operating domestically whose data meets the relevant Article 9 conditions set forth below.

How are security assessments handled under the draft security measures?

In most cases, network operators are permitted to conduct their own assessment for overseas data transfers based on the type of personal information involved, the necessity for the cross-border transfer and the attendant risks.

But the draft security measures would require network operators and other parties to entrust an industry regulator to conduct a security review under the following conditions set out in Article 9:

•  The data aggregates or contains the personal information of more than 500,000 individuals;

•  The volume of the data exceeds 1,000 GB;

•  The data contains information concerning nuclear facilities, chemistry biology, national defense and the military, population health, large-scale engineering projects, the marine environment or sensitive geographic information, etc.;

•  The data relates to cybersecurity information such as system vulnerabilities or security measures for key information infrastructure;

•  The cross-border transfer of personal information and important data is conducted by a KIIO; or

•  The country’s national security or the societal or public interest may be affected and the competent industry regulator or supervisor has deemed a security assessment necessary.

While the subject of Article 9 is technically limited to “network operators,” the security review requirement defined by this article also appears to apply to KIIOs by virtue of their inclusion in the triggering criteria above. The review also appears to apply to all “other individuals and organizations collecting or processing personal information in China” through the extension provided in Article 16. Given this ambiguity, it seems reasonable to assume that the subject of Article 9 will be tightened in the final version of the measures.

The draft’s reliance on individual industry regulators to carry out the security assessments also suggests that these security reviews may be applied unevenly across industries, thus potentially posing further hurdles for companies whose products or services straddle different sectors.

Under what circumstance can data be blocked from transfer overseas?

Article 11 sets out a range of conditions under which transfers may be blocked:

•  The data subjects (the parties whose data is being stored) have not consented to the cross-border transfer of the information or where the transfer may cause harm to an individual’s personal rights and interests;

•  The cross-border transfer may cause risks to national security, the economy, science and technology or national defense, or might influence state security or damage societal rights and interests; or

•  Other situations where state information or public security agencies have determined that no overseas transfer shall take place.

Some of these conditions appear discretionary in nature, raising concerns they could be applied unevenly or on an ad-hoc basis by state authorities.

What form of notice and consent is necessary prior to overseas transfer?

Article 4 of the draft security measures reiterates the need to adequately inform and obtain the consent of the data subject regarding the purpose of any overseas transfer, as well as the scope of the transfer, its content, recipient, and the country where that recipient is located. The draft fails to clarify whether such consent may be given at the time of collection (its most likely reading) or prior to the data transfer.

The law further states that where the information involves a minor, consent may be given by that minor’s guardian.

Next?

When the PRC Cybersecurity Law was passed, its data security provisions were criticized by the American Chamber of Commerce in China for being “vague, ambiguous, and subject to broad interpretation by regulatory authorities.” If anything, these concerns are aggravated by the draft security measures, as they appear to apply to an even wider range of companies and circumstances.

The draft security measures are open to comment until May 11, although the CAC may well be willing to review comments filed after this date. Companies potentially affected by them may wish to forward their concerns to their trade associations, government trade offices, or directly to the CAC.

photo credit: 金山岭长城 - Jinshanling Great Wall via photopin (license)