The Cyberspace Administration of China (CAC) on June 13 published the draft Measures on Security Assessment of Personal Information (PI) Cross-Border Transfers (draft "Measures") for comments due by July 13, apparently replacing the CAC's April 2017 draft Measures on Security Assessment of PI and Important Data Cross-Border Transfers (2017 Draft). The procedural requirements for security assessments prior to cross-border transfer, including repetitive pre-transfer security assessments, would be onerous and unnecessarily costly, and would add to concern about the risk of compromise of proprietary information. The need for security assessments will put pressure on foreign investors to locate data processing operations in China, the additional cost of which may disincentivize foreign investment, particularly among new market entrants. However, actual compliance with cross-border privacy protection obligations does not appear to be more onerous than under the GDPR.
The draft Measures impose more extensive security assessment requirements than under the 2017 Draft. The 2017 Draft would have required Network Operator (NO) self-assessments prior to cross-border transfer and required a security assessment by industry regulators or regulatory departments only when the conditions specified in Article 9 of the 2017 Draft are met (especially based on size of data set, number of people whose PI is involved, or PI provided overseas by Critical Information Infrastructure NOs).
By contrast, the draft Measures would require all NOs to apply to their provincial-level cyberspace administration (CA) for approval of their security assessment prior to any cross-border transfer of PI; submit separate applications for each cross-border recipient of PI (Recipient); and renew the security assessment once every two years or in case of any change to the purpose of the cross-border transfer, the type of PI concerned, or the time period for which the PI is to be retained overseas. PI generally consists of name, date of birth, personal ID number, personal biometric information, address and telephone number.
The contract between the NO and Recipient is among the application documents for security assessment under the draft Measures. The contract must clarify the rights and interests of the subject of the PI, and the obligations and responsibility of the NO and Recipient, including:
(1) that the subject of PI be the beneficiary of the terms of the contract involving the rights and interests of the subject;
(2) the subject's right to claim compensation for damage from either or both the NO and Recipient (the NO bears advance liability);
(3) termination should performance become difficult because of changes to the legal environment in the Recipient's country;
(4) survival after termination of the contract of terms regarding the obligations of the NO and Recipient to the rights and interests of the subject unless the PI has been destroyed or anonymized by the Recipient;
(5) the subject's right to receive a copy of the contract; and
(6) the Recipient's obligation to notify the NO of any change in its legal environment warranting notification of such change by the NO to its provincial-level CA.
The contract must also specify:
(1) that retransfer by the Recipient to third parties is not permitted unless the PI subject has been informed, or, if Personal Sensitive Information (PSI) is involved, unless the subject has consented;
(2) that the Recipient has agreed at the subject's request to stop transmission to and require third parties to destroy PI which has already been received; and
(3) that the NO agrees in advance to compensate the subject for any harm to the subject due to PI transmission to third parties.
The security assessment would focus on effective contract performance, sufficient protection of the PI subject's rights and interests, compliance with Chinese regulations and policies, the history of any harm by the NO or Recipient to PI subjects or major cybersecurity incidents, and that the PI is legally and properly obtained by the NO. Assessments are to be completed by the CA within 15 working days subject to extension in complex situations. The NO may appeal an assessment conclusion. The NO is required to maintain cross-border PI transfer records for at least five years, and file annual reports to the CA on cross-border PI transfers and contract performance.
CAs are to conduct periodic inspections of NOs, focusing on contract performance and fulfillment of obligations, and may order suspension or termination of cross-border provision of PI in the event of:
(1) significant data leakage or data abuse by an NO or Recipient;
(2) the PI subject's rights and interests not being protected or not being easily protected; or
(3) the NO or Recipient being incapable of protecting PI security.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.