On 13 June 2019, the Cyberspace Administration of China (“CAC”) released the Draft Measures on Security Assessment of Cross-border Transfer of Personal Information (“Draft Measures”) to solicit public comments. Prior to that, the same authority has issued another draft regulation for comments related to the same matter on 11 April 2017, namely the Draft Measures on Security Assessment of Cross-Border Transfer of Personal Information and Important Data (“2017 Draft”). The Draft Measures, to a large extent, resets the regulatory framework constructed under the 2017 Draft. Several key features of the Draft Measures are summarised below:
- Separation of Personal Information and Important Data
The Draft Measure only dealt with personal information, while the 2017 Draft covers both personal information and important data. It means that the authority intends to regulate the cross-border transfer of personal information and important data under two different systems. It is believed that the Draft Measures, once passed, will significantly influence the compliance management of many companies with data export needs.
- Expanded Scope of Application: All Network Operators and Even Overseas Operators
Under Article 37 of the Cybersecurity Law of China (“CSL”), critical information infrastructure operators (“CII Operators”) shall conduct a security assessment where it needs to transfer personal information and important data abroad. Like the 2017 Draft, Article 2 of the Draft Measures goes far beyond CII Operators and expands the scope to all network operators, which includes network owners, network administrators, and network service providers.
In addition, Article 20 provides that an overseas operator that collect personal information in China shall fulfil its duties via a domestic legal representative or agency. However, further clarification is needed; it is unclear what kind of local presence will suffice as a “legal representative or agency.”
- Two-Tier Supervision: Approve and Appeal
Having removed sector-specific regulators, the Draft Measures now confines the supervision to cyberspace administrations at national and provincial levels. The provincial administrations are responsible for general supervision and management, such as to review and to approve security assessment. It is worth noting when conducting such assessment, the authority will take into account the data compliance history of the network operators or information recipients.
Also, for the assessment results issued by the provincial administrations, network operators are allowed to appeal to the national administration.
- Chinese Version of SCC
Among the assessment materials required under Article 4, there is one transfer agreement between the network operator and the recipient. To restrain personal information transfer via contracts is not uncommon and can be seen in the General Data Protection Regulation (“GDPR”). Like the EU Standard Contractual Clauses (“SCC”), the Draft Measures have stipulated duties and responsibilities of the network operators and information recipients separately under Article 13 to 16.
A great number of such duties put emphasis on the protection of the legal rights of data subjects. The network operator and recipient shall include in the agreement that data subjects are the beneficiaries of subject rights protection clauses. It is the freedom of the data subject to claim damages from either of two parties and the chosen party or parties shall compensate the subject unless otherwise proved of no liability. This will, without doubt, urge network operators to fulfil their supervision of information recipients and therefore better protect the data subjects and the safety of information transfer.
The retransfer of the information shall generally be prohibited under the agreement unless duties to inform and to obtain consent are fulfilled. The information recipient must promise to stop such transfer upon request by the data subject and to demand the third party to destroy the information already received. The network operator must also promise to compensate the data subjects first when the latter’s legal rights are infringed due to such retransfer.
The duties and responsibilities will not only allow data subjects to defend their rights more effectively but also help relevant authorities with the supervision work. However, under such SCC-alike obligations but without binding corporate rules under GDPR, it may be rather onerous for the internal transfers within different affiliates of one multinational corporation.
- Comprehensive Supervision
According to Article 3, information transfers to different recipients shall be assessed separately. Although it waives the duty to reassess on transfers to one identical recipient, a reassessment is still mandatory at a period of two years or when the purpose of transfer, types of information to be transferred or retention period changes. It is unclear whether such a change shall be a substantive one or not.
To strengthen the supervision force, the Draft Measures also state that the cyberspace administration may suspend or terminate information export in the event of data breach, data abuse or where legal rights of data subjects cannot be secured.