China to implement widespread data localization for personal information and important data
On 11 April 2017 the Cyberspace Administration of China (CAC) released the “Measures on the security assessment of cross-border transfer of personal information and important data (Draft for comments)” (the Measures) for public comments. The Measures are first to be understood as the complement to the data localization provision of the Cybersecurity Law (CSL) laid down in Article 37 for Critical Information Infrastructure (CII), which states that “a security assessment shall be conducted in accordance with the measures formulated by the CAC in concert with relevant departments under the State Council”. However, the Measures do not focus solely on the data localization obligations and the requirement for CII to undergo a security assessment before proceeding with a cross-border transfer of personal information and important data. The Measures expand the scope of the obligations to the whole spectrum of Network Operators and create new obligations supplementing the data localization requirement. The result is a widespread implementation of data localization for personal information and important data, along with the standardization of the legal framework for cross-border transfer of personal information and important data.
1 Pushing data localization forward
The first element to be noted is that the Measures further detail and greatly expand the scope of data localization, which was meant by the CSL to cover solely personal information and important information collected and processed in Mainland China by CII.
While the concept of personal information was directly defined in Article 76.5 of the CSL, the concept of “important data” was not, leading to different interpretations of the scope of the data considered as important data and required to be localized. Article 17 of the Measures goes further, defining important data as “data in relation with national security, economic development, as well as data closely related to the interest of the society as defined by relevant national standards and the guidelines on the identification of important data”. While concise, this definition is meant to be further supplemented by national standards and the mentioned guidelines, which are yet to be made public, most likely once the Measures are promulgated.
The major shift in the scope of data localization concerns the subject of the data localization obligation. While the CSL targeted only CII in Article 37, the scope of the Measures goes far beyond CII, as stated in Article 2: “The personal information and important data should be stored domestically if they are collected or created by Network Operators during their operation within the People’s Republic of China”. Network Operators, without regard to their status as CII, will then have to abide by the obligations of data localization and the different processes set by the Measures to ensure the legality of their cross-border transfer of personal information and important data. By including all Network Operators, the Measures standardize the Mainland China legal framework for cross-border transfer of personal information and important data.
As such, the Measures create a new data localization obligation on Network Operators not categorized as CII to store domestically personal information and important data collected or created within Mainland China. They also create various obligations on Network Operators transferring personal information or important data overseas that refine and supplement the data localization obligation.
One of the key corollary obligations from the Measures is a further emphasis on collecting the consent of the owner of the personal information, together with more detail on the consent required. As stated in Article 41 of the CSL, the purposes, means and scope of the collection and use of the personal information must be disclosed to the owner of the personal information, prior to collecting and using their personal information, to form a valid consent. Article 4 of the Measures reinforces the requirements of the CSL by requiring more information to be disclosed to the owner of the personal information, as follows:
the purpose of the cross-border transfer
its scope
its content
the country or address of the Network Operator transferring the personal information
the country or address of the party receiving the personal information
Furthermore, the second sentence of Article 4 of the Measures specifically covers cases where the owner of the personal information is a minor, requiring the Network Operators to ensure that the consent of the guardian of the minor has been obtained.
In addition to the obligation to further inform the owner of the personal information in order to obtain his informed consent, the Measures also create a new filing obligation that falls on Network Operators where they meet one of the criteria set by Article 9 of the Measures concerning the transfer or storage of personal information abroad:
the personal information stored or accumulated includes more than 500,000 persons
the data exceed 1,000 GB
the data are in relation with nuclear facilities, biochemistry, the defense industry, population health-data, large-scale engineering activities, oceanic environment, sensitive geographic information, etc.
the data are in relation with CII vulnerabilities, security and other cybersecurity information
the Network Operator providing the personal information or important information for cross-border transfer is a CII
the transfer could impact national security and public social interests, or other factors that industry supervisors and regulators should consider
If Network Operators fall within one of those categories, they shall report to the relevant industry supervisor or regulator, or the CAC if it is not possible to assess which governmental body to contact, to proceed with the security assessment.
3 The structure of the security assessment
One of the core requirements of the Measures is without any doubt the obligation for Network Operators sending personal information and important data overseas to undergo a security assessment.
The Measures further address the security assessment in its form, timeline and requirements. First of all, the Measures clearly state in Article 7 that the security assessment must be made prior to the cross-border transfer of personal information or important data. As such, the security assessment must be placed early in the transfer timeline. Article 7 also develops the means of delivery of the security assessment by clarifying that the actor providing the security assessment is the Network Operator itself, except when the Network Operator meets one of the criteria set by Article 9. If it does, then the security assessment will have to be organized by the relevant industry supervisor or regulator, or ultimately the CAC if it is not possible to assess the correct governmental body to contact. Where the security assessment is self-undertaken by the Network Operators, it will have to follow the criteria set by Article 8 of the Measures along with potential further requirements for their industry set by the industry supervisors or the regulators in accordance with Article 6 and Article 8.7. It is to be noted that while it was expected from the CSL that the security assessment was to be made by a third party, the transfer of the assessment to the Network Operators themselves in most cases will provide them with more flexibility through a self-assessment, the liability for which will be borne by the Network Operators according to Article 7. The Measures do not further detail whether the security assessment can be provided by a third party on behalf of the Network Operators, but this point may be covered by further amendments to the Measures.
Furthermore, it must be acknowledged that the security assessment necessary for the cross-border transfer is not a definitive assessment. Article 12 of the Measures provides that the process must be repeated on an annual basis and should be repeated each time a substantial modification of the data transfer is made, in accordance with the criteria given in the second paragraph of Article 12.
While the Measures are a greatly expected addition to the CSL to further interpret its provisions on data localization, the current draft goes far beyond the expected scope. By extending the range of covered Network Operators and clarifying the rules concerning the collection, storage and transfer of personal information and important information overseas, the Measures act as a sign that Chinese provisions on cross-border transfer of personal information and important data are aligning with international common practice. This sign is supported by the provisions of Article 15, which states that if China and the country/region of the receiving party have a treaty on the exchange of personal information and important data, such treaty would overrule the Measures, allowing us to hypothesize on future bilateral data transfer agreements between China and other countries/regions around the world.
Acknowledgement: 上海市瑛明律师事务所. Copyright in this article belongs to the author.