China Issues Draft Measures on Personal Information Cross-Border Security Review

On June 13, the CAC issued the Personal Information Cross-Border Security Review Measures (Draft) (个人信息出境安全评估办法(征求意见稿)). The Draft has 22 provisions, covering the security review criteria for cross-border transfer of personal information, contracts related to personal information cross-border transfer, legal rights and obligations related to cross-border data transfer, security risk and measures. Comments are due by July 13.

The Draft requires personal informational collected by network operators within China to undergo a security assessment. In particular, network operators shall report to provincial cyberspace agencies for security assessments before exporting data. Application materials shall include contracts with a data recipient and assessment of data security risks and safety measures related to personal data exports. Reassessment is required every two years, or when the purpose, type or storage period of personal data transfer changes.  The export of personal data that may impair national security, the public interest, or fail to effectively protect personal information is not permitted.

Provincial cyberspace agencies shall reach a decision within 15 working days after receiving the application. The review period may be extended in complex situations. The security assessment shall evaluate elements including:

  • whether the transfer complies with the relevant national laws, regulations and policies;
  • whether the contract fully protects the legitimate rights and interests of individuals;
  • whether the contract will be fully carried out;
  • whether the network operator or recipient has a history of damaging the legitimate rights and interests of individuals, or has had a major data breach;
  • whether the network provider obtained the personal information in a legal method;
  • other elements (Article 6).

The determination of the security assessment can be appealed by network operators to central cyberspace agencies.

According to the Draft, even after data export is approved, cyberspace agencies may request network operators to suspend or terminate exporting personal data if:

  • the network operators or data recipients have large scale data breaches or data misuse;
  • individuals cannot protect, or have difficulties protecting, their own own legal rights;
  • when network operators or recipients are unable to protect personal information security.

It has a whistle blower provision under which any individuals or entities can report to cyberspace agencies if there is any violation of law with regard to data exports.

The Draft also sets out several other obligations for network operators, including maintaining the record of personal data exports for at least five years, an annual report to provincial cyberspace agencies of personal data exports, timely report of any large-scale data breach to provincial cyberspace agencies, and elements included in contracts with data recipients.

The Draft requires the contract between network operators and data recipients for data exports to specify legal obligations of both sides, including that the data recipient shall not transfer the data to a third party unless four requirements are met.

In addition, the Draft defines personal information as various information recorded by electronic or other means that can identify the natural person’s personal identity alone or in combination with other information, including but not limited to the name of the natural person, date of birth, ID number, personal biometric information, address, phone number, etc. Personal sensitive information is defined as personal information that, once it is leaked, stolen, tampered with, or illegally used, may endanger the personal safety and property of the subject, or cause damage to the reputation and physical and mental health of the owner of the information.

The Draft focuses on the obligations of network operators and the protection of personal data safety, rather than the necessity of the cross-border transfer.  Experts view this method as following the EU’s Standard Contractual Clauses. Different from a previous version, which has provisions of self-assessment and third-party assessment under six circumstances, this Draft requires provincial agencies’ security assessment for the cross-border transfer of all personal information before it can be exported.