China Issues Draft Rules on Cross-border Data Flows

It is difficult to see how prior regulatory approval of every transfer of personal data from China is workable, says Hogan Lovells partner Mark Parsons.

The CAC (Cyberspace Administration of China) has released a draft guideline on cross-border data transfers under the country’s cybersecurity law.

The law went into effect on 1 June 2017 and is considered more broad than comparable privacy measures such as the EU’s GDPR (General Data Protection Regulation). GDPR restricts EU institutes’ data and information from being transferred to a non-EU country for security reasons. The European Commission can decide if a third country has adequate protections in place.

Law firm Hogan Lovells published an APAC Data Protection and Cyber Security Guide earlier this year, in which it noted that China’s cybersecurity law still lacked specifics in critical areas, including with respect to international data transfers and the “as-yet unfinalised data export review procedure”.

The cross-border data transfer guideline is key to resolving the long resolved uncertainty. The published draft comes in the midst of US-China trade tensions and will do much to revive concerns that China is pursuing outright data localisation. In April it was reported that China would put data-onshoring rules on hold while trade talks were ongoing.

According to Global Times, the latest draft guideline will prevent the flow of personal information overseas if it ‘risks undermining national security and public interests’, or if the security of personal information cannot be effectively guaranteed.

The draft covers not only operators of critical information infrastructure referred to in the cybersecurity law, but also “network operators”, a much wider scope of businesses operating in China – essentially every business that operates network infrastructure in mainland China.

Chinese network operators and foreign entities that collect online personal information in China for business purpose. It says that personal information, including ID numbers, addresses and phone numbers collected by network operators should be assessed before being sent overseas.

Network operators need to report to the provincial-level cyberspace administrative department and apply for a security assessment before providing personal information collected in China to overseas receivers. Separate applications are needed in the case of multiple receivers.

The draft said that the security assessment will focus on whether the data being sent overseas is legitimate, whether the data transfer protects the legal rights of the person who possesses the information, and whether the network operators or overseas receivers have any history of internet security incidents.

Internet operators need to set up a file on the cross-border data transfer and keep it for at least five years, including information on the identities of overseas receivers and on the sensitivity of the personal information. They additionally need to report to provincial-level cyberspace departments annually.

Hogan Lovells’ partner Mark Parsons explained that the draft guidelines raise a number of areas of critical concern for multi-nationals operating in China:

“First, the extension of the export control beyond critical infrastructure to all network operators, which a very broad class of businesses. We had a glimpse at this possibility when the first draft guidelines came out but thought this idea had been shelved. Now the proposal has been revived, and we see that the export review process has been tightened to require prior approval of all personal data exports leaving mainland China, rather than the self-assessment process we had seen under the previous draft.”

According to Parsons, it is difficult to see how prior regulatory approval of every transfer of personal data from China is workable.

“This round of draft measures go even further by bringing businesses collecting data from offshore into scope – these organisations would be required to appoint an onshore representative. The draft measures also require a model form of contract which, in line with the EU model, would give data subjects direct rights of enforcement against offshore transferees.”

The CAC said in a statement that the purpose of the guideline is to protect personal information security, safeguard the country’s cyberspace sovereignty, national security, public interest as well as the legitimate interest of citizens.

The draft is open for consultation until 13 July.

To Top