China to implement widespread data localization for personal information and important data
On 11 April 2017 the Cyberspace Administration of China (CAC) released the “Measures on the security assessment of cross-border transfer of personal information and important data (Draft for comments)” (the Measures) for public comments. The Measures are first to be understood as the complement to the data localization provision laid down in Article 37 of the Cybersecurity Law (CSL) for Critical Information Infrastructure (CII), which stated that “a security assessment shall be conducted in accordance with the measures formulated by the CAC in concert with relevant departments under the State Council”. However, the Measures do not focus solely on the data localization obligations and the requirement that CII undergo a security assessment before proceeding with a cross-border transfer of personal information and important data. The Measures expand the scope of obligations to the whole spectrum of Network Operators and create new obligations supplementing the data localization requirement. The result is a widespread implementation of data localization for personal information and important data, along with the standardization of the legal framework for the cross-border transfer of personal information and important data.
1. Pushing data localization forward
The first element to be noted is that the Measures further detail and greatly expand the scope of data localization which was meant by the CSL to solely cover personal information and important information collected and processed in Mainland China by CII.
While the concept of personal information was directly defined in Article 76.5 of the CSL, the concept of “important data” was not, leading to different interpretations of the scope of the data considered important data and required to be localized. Article 17 of the Measures goes further, defining important data as “data in relation with national security, economic development, as well as data closely related to the interest of the society as defined by relevant national standards and the guidelines on the identification of important data”. While concise, this definition is meant to be further supplemented by national standards and the mentioned guidelines, which are yet to be made public, most likely once the Measures are promulgated.
The major shift in the scope of data localization concerns the subject of the data localization obligation. While the CSL only targeted CII in Article 37, the scope of the Measures goes far beyond CII, as stated in Article 2: “The personal information and important data should be stored domestically if they are collected or created by Network Operators during their operation within the People’s Republic of China”. Network Operators, regardless of their status as CII, will then have to abide by the data localization obligations and the different processes set by the Measures to ensure the legality of their cross-border transfers of personal information and important data. By including all Network Operators, the Measures standardize Mainland China's legal framework for the cross-border transfer of personal information and important data.
2. Setting new obligations
As such, the Measures create a new data localization obligation on Network Operators not categorized as CII to store domestically personal information and important data collected or created within Mainland China. But they also create various obligations on Network Operators transferring personal information or important data overseas that refine and supplement the data localization obligation.
One of the key corollary obligations under the Measures places further emphasis on collecting consent from the owner of the personal information and further details the required consent. The purposes, means and scope of the collection and use of the personal information must be disclosed to the owner of the personal information, prior to collecting and using their personal information, to form a valid consent as stated in Article 41 of the CSL. Article 4 of the Measures reinforces the requirements of the CSL by requiring that more information be disclosed to the owner of the personal information, as follows:
- the purpose of the cross-border transfer
- its scope
- its content
- the country or address of the Network Operator transferring the personal information
- the country or address of the party receiving the personal information
Furthermore, the second sentence of Article 4 of the Measures specifically covers cases where the owner of the personal information is a minor, requiring the Network Operators to ensure that the consent of the minor's guardian has been obtained.
In addition to the obligation to further inform the owner of the personal information in order to obtain informed consent, the Measures also create a new filing obligation that falls on Network Operators where they meet one of the criteria set by Article 9 of the Measures concerning the transfer or storage of personal information abroad:
- the personal information stored or accumulated includes that of more than 500,000 persons
- the data exceed 1,000 GB
- the data are in relation with nuclear facilities, biochemistry, the defense industry, population health-data, large-scale engineering activities, oceanic environment, sensitive geographic information, etc.
- the data are in relation with CII vulnerabilities, security and other cybersecurity information
- the Network Operator providing the personal information or important information for cross-border transfer is a CII
- the transfer could impact national security and public social interests, or other factors that industry supervisors and regulators should consider