PRC issues security assessment measures for exporting data

The Cyberspace Administration of China has issued draft measures for public consultation which expand the application of the security assessment requirement for exporting data outside of China. These measures, if adopted, would have an impact on a number of businesses involving cross-border transfers.

The Cyber Security Law, which will come into force on 01 June 2017, has a controversial requirement (the Security Assessment Requirement) that all personal data and other important business data which operators of critical information infrastructure collect in China be stored in China and that, if export of such data is necessary for business reasons, a security assessment procedure be passed. To further detail this requirement, the Cyberspace Administration of China issued on 11 April 2017 draft Measures on Security Assessment For Export of Personal Information and Important Data (the Security Assessment Measures) for public consultation. These Security Assessment Measures, if adopted in their current form, will significantly impact the business of multinational companies where personal data and important business data are stored and processed on a global basis.

Highlights

Although the Security Assessment Measures are designed to elaborate and to implement the Security Assessment Requirement, they expand the scope of application of such requirement.  We would like to highlight the following points for your attention.

1. Scope of application

These Security Assessment Measures regulate the export of not only personal data but also other “important data,” which would include anonymous data. Therefore, depersonalization may not be a way to avoid the application of the Security Assessment Requirement.

Moreover, the data whose export requires a security assessment are no longer limited to data which operators of critical information infrastructure collect in China. Rather, all network operators are required to follow the Security Assessment Requirement, and any owner or administrator of a computer network, whether intranet or internet, will be considered a network operator.

2. Security assessment requirement

The Security Assessment Requirement is comprised of the following three layers of requirements:

  • In principle, all personal data and important data which a network operator generates in China must be stored in China.
  • If an export of data is necessary for business reasons, in normal cases, the operator must perform a security assessment by itself (at a frequency of no less than once a year), with the assessment results filed with the government.
  • The export of data in sensitive scenarios requires a security assessment by the government.

3. Application of government assessment

The scenarios in which the export of data requires a security assessment by the government include:

  • the data to be exported contains personal information about 500,000 or more people
  • the size of data is more than 1,000GB
  • the data concerns nuclear facilities, bio-chemistry, national defense, health and population information, large-scale projects, marine environment and sensitive geographic information data
  • the data include network security information relating to critical information infrastructures, including system vulnerabilities, security defence and other network security data
  • operators of critical information infrastructure provide data overseas, and
  • other circumstances where the export of data affects national security and public interests.

Observations and recommendations

As illustrated above, if the Security Assessment Measures are adopted in their current form, the Security Assessment Requirement will apply to a wider scope of businesses than those under the Cyber Security Law. Obviously, the Security Assessment Requirement likely applies to companies in the finance, public transportation, and telecommunication business sectors, which are listed in the Cyber Security Law as sectors where information infrastructure would likely be considered critical. These Security Assessment Measures suggest that, in addition to those business sectors listed in the Cyber Security Law, some other business operations are likely to be required to follow the Security Assessment Requirement. They are:

  • healthcare, pharmaceutical, and medical device business, including, in particular, clinical trials and business involving the processing and analysis of large amounts of patient data
  • business consultation, including, in particular, the collection and analysis of large amounts of information about consumer spending, and
  • research and survey business, including, in particular, the collection, processing, and analysis of big data such as information about natural resources, traffic, social behaviors, industrial behaviors, etc.

To prepare for the possible impact of the Security Assessment Measures, we suggest:

  • companies in the healthcare, pharmaceutical, medical device, consultation, and research and survey business sectors review their business streamlines to assess the possibility that their business operations will be captured by the Security Assessment Requirement and take this possibility into account in future business planning
  • companies consider relocating their IT resources (such as servers) to China for their China business, since we can see, as a general trend, that the Chinese government has increasingly strengthened cyber security and data protection requirements
  • The Security Assessment Measures are still in the public consultation stage, and companies which have concerns about the Security Assessment Requirement and other provisions in the Security Assessment Measures may submit their views and suggestions. We are happy to consolidate your comments and to submit the same to the government.

This document is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document. Simmons & Simmons is registered in China as a foreign law firm. We are permitted by Chinese regulations to provide information on the impact of the Chinese legal environment and also to provide a range of other services. We are not admitted to practise in China and cannot, and do not purport to, provide Chinese legal services. We are, however, able to co-ordinate with local counsel to issue a formal legal opinion should this be required.