On June 13, 2019, the Cyberspace Administration of China (the “CAC”) released Draft Measures on Security Assessment of Cross-Border Transfer of Personal Information (“Draft Measures”) for public comment, the window for which ends July 13, 2019.
The CAC had previously released Draft Measures on Security Assessment of Cross-Border Transfer of Personal Information and Important Data (“Draft Measures on PI and ID”) for public comment on April 11, 2017. Those measures applied the same regulatory approach to personal information and important data, but they have not entered into effect. Given that the Draft Data Security Administration Measures (released on May 28, 2019) address the cross-border transfer of important data and these Draft Measures address the cross-border transfer of personal information, we expect that the cross-border transfer of personal information and of important data would be subject to different treatment than they would have received under the Draft Measures on PI and ID.
Below are key provisions under the Draft Measures.
Localization and Consent Requirement
The Draft Measures do not contain an express localization requirement for network operators with respect to the transfer of personal information outside of China. Additionally, other than with respect to sensitive personal information (discussed below), such transfer no longer requires the data subject’s consent.
Application Scope of Security Assessment
The Draft Measures, like China’s Cybersecurity Law, use the term “network operator” to refer to an entity or person who owns or manages a network, or to a network service provider. Under the Draft Measures, the cross-border transfer of personal information (which occurs when a network operator provides personal information collected during business operations in China to an entity or person overseas) would trigger a security assessment by the competent cyberspace administration authority. Unlike the Draft Information Security Technology-Guidelines for Data Cross-Border Transfer Security Assessment, the Draft Measures do not specify what “domestic operation” means or provide additional color on the scope of qualifying cross-border transfers, leaving uncertainty regarding how broadly the security assessment requirement would apply to such transfers.
In practice, many foreign entities that have established Chinese subsidiaries may collect the personal information of domestic users via the Internet. The Draft Measures mandate such foreign entities carry out their obligations through a domestic legal representative or entity. In such cases, if the Chinese subsidiary of a multinational company transmits domestic employees’ or users’ personal data overseas (e.g., to headquarters located outside of China) or the parent (or related) foreign entity directly collects such data through the Internet, its Chinese subsidiary is subject to the Draft Measures.
The Draft Measures do not address whether foreign entities with no Chinese subsidiaries nonetheless must set up a Chinese presence responsible for performing security assessments on applicable cross-border transfers under the law.
Triggering Events Leading to a Security Assessment
The Draft Measures require that network operators report to the local cyberspace administration authority for a security assessment before transferring personal information across borders. This means that the Draft Measures replace the existing process established by the Draft Measures on PI and ID, under which operators conducted a self-assessment and only certain transfers were subject to mandatory assessment by the competent government authorities. (The external security assessment requirement applies regardless of the volume of cross-border transfers at issue or the number of individuals whose personal information is impacted.) To receive a security assessment by the competent cyberspace administration authority, network operators must submit an application letter, the agreement executed by the network operator and the receiver, a report analyzing the security risks of the contemplated transfer and the security measures implemented, and any other materials required by the CAC.
Security assessments would be performed with respect to each individual receiver of the personal information. Separate security assessments would be required if the information is transferred to multiple receivers; however, where personal information is provided multiple times or continuously to the same overseas receiver, it is not necessary to conduct multiple security assessments.
The Draft Measures also provide that network operators must undertake a security assessment every two years or when the purpose/type of cross-border transfer of personal information changes or the retention period outside of China changes.
Reporting and Records Obligations
The Draft Measures require that network operators submit annual reports to their local cyberspace administration authority regarding the conditions of applicable cross-border transfers. The Draft Measures also contain a data breach notification obligation requiring network operators to promptly notify local cyberspace administration authorities of “major” data incidents.
Network operators also are required to keep records of applicable cross-border transfers for at least five years. The records should include the:
- date of the transfer;
- basic information about the receiver, such as the name, address and contact details;
- type, volume and extent of sensitivity of personal information transferred outside of China; and
- other information required by the CAC.
Suspension or Termination of Cross-Border Transfers of Personal Information
Cyberspace administration authorities may require network operators to suspend or terminate cross-border transfers of personal information if (1) network operators or recipients suffer “major” incidents of data breach or “abuse”; (2) it is near-impossible or impossible for data subjects to protect their legitimate rights and interests; or (3) the network operator or receiver is incapable of safeguarding the security of the personal information at issue.
Content Requirements for Cross-Border Transfer Agreements
The Draft Measures shed considerable light on content requirements for cross-border transfer agreements between the network operator and the receiver (“Agreements”), which must clearly cover, among other things, the following:
- the purpose, type and retention period of the cross-border transfer at issue;
- data subjects are the beneficiaries of the Agreement’s provisions related to the data subject’s rights and interests;
- data subjects whose legitimate rights and interests in their personal information are harmed may seek damages from the network operator, the recipient, or both, and the party or parties allegedly responsible must compensate the data subjects by way of damages unless they can prove they are not liable;
- if it becomes impossible to implement the existing Agreement because of legal or regulatory changes in the recipient’s jurisdiction, the Agreement must be terminated or a new security assessment must be performed; and
- termination of the Agreement would not release the network operator and the receiver from their contractual responsibilities and obligations unless the receiver destroys or anonymizes the personal information it received.
Network Operator/Receiver Obligations
Agreements must clearly set forth specific obligations of network operators and receivers, which the Draft Measures specify. Network operators’ duties, for instance, include providing a copy of the Agreement to a data subject upon request; receivers, in turn, are responsible, among other things, for complying with data subjects’ requests for access, correction or deletion of their personal information.
Limitations on the Receiver’s Transmission of Personal Information to a Third Party
Agreements should stipulate the conditions under which receivers may transmit the personal information received to a third party. Such onward transmission is prohibited unless all of the following conditions are satisfied:
- the network operator informs the data subject of information including the purpose of the transfer, the identity and nationality of the third party, and the type of personal information transmitted;
- the receiver guarantees that, upon the data subject’s request, it will cease providing the information to third parties and ask third parties who previously received the information to destroy it;
- the data subject consents to the transmission of sensitive personal information; and
- the network operator pledges to provide advance compensation to data subjects whose legitimate rights and interests were harmed due to the transfer.