On 19 May 2017, the Cyberspace Administration of China (the CAC) released a revised draft of its Security Assessment for Personal Information and Important Data Transmitted Outside of the People’s Republic of China Measures (the Second Draft Export Review Measures).
The draft emerged just over a week after public comments closed on the first draft of the measures, which we discussed in our earlier briefing here (the First Draft Export Review Measures). There was a significant volume of industry commentary, and the Second Draft Export Review Measures do, to some extent, relax some of the more stringent requirements stated in the First Draft Export Review Measures originally due to become law on 1 June, 2017 when China’s Cyber Security Law takes effect. However, the revised draft measures as set out in the Second Draft Export Review Measures still leave a significant compliance challenge for multi-national corporations operating in China (MNCs). In addition, the test for when a data localization requirement will kick in has not really changed under the Second Draft Export Review Measures — the fundamental position remains that without security review approval and clearance data cannot be exported and must be (logically) stored in China.
Headline changes are:
Implementation of localisation measures delayed to 31 December, 2018: While the Cyber Security Law will take effect beginning 1 June, 2017, the data localisation measures applicable to “network operators” will take effect on 31 December, 2018, introducing a grace period that will be important for MNCs to evaluate their data processing and storage arrangements under the new law.
Implied consent will suffice for data subject-initiated exports of personal data: A key question that arose under the First Draft Export Review Measures was the standard of data subject consent required in order to allow exports of personal data from mainland China. Would an express form of opt-in consent be required, or would a more relaxed standard of implied consent be acceptable? The Second Draft Export Review Measures confirmed the latter, providing that acts initiated by data subjects, such as making international telephone calls, sending emails or instant messages to overseas recipients and making cross-border transactions online would be sufficient to imply consent to export. Understanding the precise scope for implied consent to export personal data from China will be one of the key areas of interest for MNCs evaluating the impact of the Cyber Security Law. While no doubt a welcome piece of news for those assessing the impact of the localisation requirement, the CAC’s acceptance of implied consent is yet to be reconciled with the requirement (retained in the Second Draft Export Review Measures) that the export of personal data be “necessary.”
No consent required for emergency transfers: The Second Draft Export Review Measures sensibly exempts transfers necessitated by an emergency that endangers the life or property of data subjects.
Material transfers still require official review, but…
- No 1,000 GB trigger: The First Draft Data Export Review Measures proposed a number of thresholds which, if triggered, would require network operators to submit to an official data export security review. An export volume of 1,000 GB or more was included amongst the triggers, irrespective of the sensitivity of the information. This has been dropped.
- Exports by operators of critical information infrastructure not deemed material: The First Draft Export Review Measures had effectively deemed any export of personal data or imported data by an operator of Critical Information Infrastructure (CII) to be a material export requiring official review. The Second Draft Data Export Review Measures removes this trigger, meaning that data exports by CII operators are assessed with reference to the same triggers as those by network operators. This is logical and welcome.
The remaining triggers for official review of a data export are whether or not the export involves:
- personal data of more than 500,000 data subjects
- nuclear facilities, bio-chemistry, national defence and military sectors, public health and other such fields, as well as data on large-scale engineering projects, marine environments and sensitive geographical information; and
- system vulnerabilities and security safeguards for key information infrastructure or other such-like cyber security information.
Scope of “Personal Data” expanded to include location and behavioural information: Like the First Draft Export Review Measures, the Second Draft Export Review Measures contain a non-exhaustive definition of “personal data”. The new version clarifies that location data and behavioural data may alone, or in combination with other information, be personal data within the meaning of the export review measures.
Review process time frame and ability to stop exports: Article 10 of the First Draft Export Review Measures had proposed a 60 business-day time frame for regulatory authorities to provide network operators with feedback on export review assessments. This long-stop period has been replaced with a more general requirement for the authorities to provide feedback in a timely manner. This is not very helpful, as it introduces uncertainty for MNCs. The version of Article 10 in the Second Draft Export Review Measures includes a materially revised stipulation that reviewing authorities shall direct that an export be stopped if any of the matters listed in Article 9 are identified in relation to an export, namely:
- the export would violate laws, regulations or departmental rules;
- data subjects have not consented to the export of personal data;
- the export is likely to prejudice the public or national interest;
- the overseas transmission of data would jeopardise the security of national politics, military affairs, society, scientific and technological matters, information, ecology, resources, nuclear facilities and so forth; and
- any other situations where the CAC, the Ministry of Public Security or the Ministry of State Security and so forth determine that the export cannot take place in accordance with law.
The last two matters listed above are new . It is hard to envisage how a transfer overseas of data could harm “ecological” or even “resource” security, but we take this as an implicit reference to information e.g. on ecological damage or abuse of natural resources and so forth which are not at the level of state secrets (noting the previous cases where China determined that the location of natural resources was determined to be a state secret with respect to certain foreign individuals). There is still a carve out for state secrets in Article 14 (Article 15 in the First Draft Export Review Measures), which appear to remain regulated under the general rules governing state secrets, which provide for criminal penalties in certain cases.
The changes introduced by the Second Draft Export Review Measures make a few sensible technical adjustments and include a temporary reprieve from China’s new data localisation measures through to 31 December, 2018. Given the typical lead times for technology procurement, most MNCs will be forced to make decisions on their processing arrangements long before this date materialises. However, the broad thrust of the First Draft Export Review Measures has not changed nor has the scope, in part determined by the definition of “network operators,” been clarified.
For many MNCs, the main practical benefit of the grace period will be to enable time to gain a better understanding of the standards of export review that the authorities will apply. It will also allow MNCs to assess alternative approaches to compliance with the Second Draft Export Review Measures.