Posted on: April 27, 2017 in Blog
China Expands Data Transfer Requirements for its Cybersecurity Law
As I explained earlier in my blog about understanding China’s Cybersecurity Law, China is unveiling its Cyber sovereignty strategy by releasing regulations, policy statements and guidelines over time. The latest release was on April 11, 2017, when the Cybersecurity Administration of China (CAC) released their draft of “Security Assessment Measures for Cross-Border Transfer of Personal Information and Important Data.”
Cross-Border Transfer Draft Overview
The Transfer Draft, as it is being referred to, provides guidelines for conducting assessments on data originally created or stored in China before that data can be transferred to a jurisdiction outside mainland China. The Transfer Draft also extends this requirement to all Network Operators, not just organizations that are considered CII (Critical Information Infrastructure). This controversial draft is open for comment until May 11 and is tied to the Cybersecurity Law that goes into effect June 1, 2017.
We knew the Transfer Draft was forthcoming and anticipated it would provide clarity on data management for CIIs. While the Transfer Draft does provide detailed requirements for data localization, it goes a step further by expanding the scope of data localization, which creates some uncertainty as to how data localization should be implemented. Up until the Transfer Draft, only organizations considered CII needed to worry about data localization; the Transfer Draft expands the scope to cover both CIIs and network operators.
Therefore, be warned, if adopted, the April 11 Transfer Draft could potentially impose data localization requirements on multinational companies (MNCs) who previously believed they were not subject to these rules as non-CIIs. If adopted, MNCs will need to re-evaluate their data localization plans in order to mitigate cybersecurity compliance risk.
Transfer Draft extends requirement to Network Operators
Article 37 of the Cybersecurity Law already requires CIIs and network operators to store personal information and important data gathered and produced during their operations in China on servers within mainland China. It specifies that only CIIs need to obtain a security assessment from the authorities if such data is to be provided abroad. Article 2 of the new Transfer Draft expands Article 37 so that network operators must also comply with the assessment rule:
Network operators shall store personal information and important data gathered and produced during operations within the territory of China. Where it is necessary to provide such information and data to overseas parties due to business requirements, a security assessment shall be conducted in accordance with these measures.
The definition of “network operator” under the Transfer Draft remains consistent with the CSL definition, which states: the owner or an administrator of a computerized information network system, or a network service provider.
This means that all network operators will be required to store, within the territory of China, personal information and critical data that they collect or generate in the course of operating their business in China. And if they have a business need to transmit data outside of China, they must undergo a security assessment.
Data Transfer Security Assessments
The Transfer Draft proposes two different possibilities for security assessments:
- Proactive self-assessment conducted by the operator’s organization.
- Reactionary official assessment undertaken by the appropriate government authorities.
Organizations doing business in China are encouraged by the draft to choose option 1: annually conduct Data Transfer self-assessments for Cyber compliance. Consistent with the CSL, the Transfer Draft suggests the following items be considered within the self-assessment:
- What is the likelihood that the transferred data could cause harm to national security, public interest, or an individual’s legitimate interests once the data is abroad?
- What are the risks of the transferred data being disclosed without authorization, destroyed, modified, misused, or otherwise compromised?
- What is the network security environment of the recipient country/region? Can it be trusted?
- What is the adequacy of the data protection measures the data recipient is capable of adopting?
- What is the quantity, scope, type, and sensitivity of the personal information and “important data” to be transferred? The Transfer Draft defines “important data” to mean “data closely related to national security, economic development, and public interest.”
- Does the data really need to be transferred or can the issues being considered be solved with the data staying in China?
The Transfer Draft recommends that an organization conduct a fresh self-assessment if there is a significant change in business operations. It also recommends a self-assessment should there be (heaven forbid) a serious security breach at the recipient or any incident involving the data being transferred.
In addition to the self-assessment performed by the organization, network operators shall also obtain an official security assessment from the relevant government authorities if any one of the following circumstances applies:
- The data to be transferred is from sectors such as nuclear, biochemical, national defense, military, healthcare, marine engineering, or contains sensitive geographic data
- The data concerns security vulnerabilities and protection of CIIs
- The personal information to be transferred concerns more than 500,000 individuals
- The data to be transferred exceeds 1 Terabyte (1,000 Gigabytes)
- CIIs provide personal information and important data abroad
- Any cross-border transfer that shows potential to affect national security and public interest
An official data transfer assessment must be completed by the relevant government authorities within 60 working days. The results of the official assessment are reported to the CAC. Organizations do not want to fail one of these reviews.
“Off Limits” for Data Transfer
The Transfer Draft also prohibits the cross-border transfer of personal information and important data in any of the following three scenarios:
- Missing consent. A business entity will be required to disclose the transfer purpose, scope, content, the data recipient, and the recipient’s country/region, and obtain the sender’s consent prior to transfer. Missing consent means the data can’t be transferred. Cross-border transfer of personal information pertaining to minors will require the consent of the minor’s legal guardian.
- Potential national security risk. A proposed cross-border data transfer cannot proceed if it could possibly jeopardize national security or public interest, and/or cause harm to the government, economy, science, and/or national defense.
- The Catch All. When government authorities simply deem the transfer inappropriate (yep, they can do that).
Recommendations for Organizations doing Business in China
- Prepare an assessment checklist by gathering information regarding past and planned data transfers. Start with details such as the data type, quantity, and sensitivity, and the adequacy of the data protection measures of the recipient vendor and of the country/region where the recipient resides;
- Evaluate your policies and procedures for your China operations and ensure adequate notice has been given to your users and proper consent has been obtained with regards to all cross-border data transfers;
- Conduct a global vendor assessment and eliminate high-risk vendors.
We will know more soon, very soon
We will be watching this unfold over the next few weeks. Currently, the Transfer Draft has only been published for comment and is not a final regulation; however, it does provide a glimpse of what the final regulation may require. The public comment period for the Transfer Draft is scheduled to end on May 11.
According to my sources at the American Chamber of Commerce (AmCham) and the United States Information Technology Office (USITO), a number of US MNCs are currently expressing their concern over the Transfer Draft Measures. We suspect we will see some changes between May 11 and June 1 but don’t hold your breath. As stated before, China is very serious about protecting its data and establishing its Cyber Sovereignty.