China's Cybersecurity Law has for many months lacked a finalized regulatory framework. Recently, the finalization of this framework has been further delayed in connection with protracted and inconclusive trade negotiations between China and the United States. After a suspension of those talks, a number of draft regulations have been published that would, once finalized, serve to flesh out this framework. This post relates to one such draft regulation that promises to be of particular importance.
On June 13, the China Cyberspace Affairs Commission published a draft of a regulation called the Measures on Security Assessments of Cross-Border Transfers of Personal Information (Draft for the Solicitation of Comment) (the "Draft Measures"). The Draft Measures are open for comment from the public until July 13, 2019. It is not clear when a finalized version of the Draft Measures might be published after that, or when it might go effective.
The Draft Measures would impose heavy burdens on the conduct of cross-border transfers of personal information. In some cases, these burdens may be so heavy as to make the transfer practically impossible.
The following is a summary of principal features of the requirements of the Draft Measures:
- Network operators (any enterprise in China that operates a computerized information network that consists of two or more interlinked devices - in effect, any business of substance) must apply for and pass a security assessment of each proposed transfer of personal information which they collect in the course of their operations in China to destinations outside of China. (Personal information is defined in the Draft Measures as "all categories of information that is recorded by electronic or other means and that can, on its own or when combined with other information, identify a natural person, including but not limited to a natural person's name, birth date, identification card number, individual biometric information, residential address, telephone number and so forth.")
- Network operators must enter into a contract with its offshore recipient (which in practice thus far has included group company affiliates as well as unaffiliated third party recipients). The contract must contain certain required content that are intended to provide contractual protections for the security of the personal information. No standard form has as yet been published. The contract must be submitted as part of the application for a security assessment.
- Network operators must prepare a report analyzing the security risks involved in the cross-border transfer and its security safeguard measures. The report must also be submitted as part of the application for a security assessment.
- Network operators must at least apply for the security assessment before transferring personal information to destinations outside of China. It is not clear whether the security assessment must also be completed and passed before the cross-border transfer may proceed.
- The application is to be submitted to the Provincial-level cyberspace administration. After review for completeness, the Provincial-level cyberspace administration is to complete the security assessment within 15 working days. Extensions are possible for complicated fact patterns. (It is not clear who would grant or approve the extension, or how to apply for one.)
- The security assessment must be repeated every two years, or when there is a change in certain fundamental parameters of the cross-border transfer.
- A cross-border transfer will not be allowed where the security assessment confirms that it may impact national security or harm the public interest, or where it is difficult to protect the personal information.The Draft Measures do not designate an objective standard for making these determinations.
- Network operators will be required to maintain records of their cross-border transfers of personal information and maintain them for 5 years, and report on their cross-border transfers to a government agency prior to December 31 each year.
- Network operators will be required to report relatively large data security incidents to a government agency.
The following are important takeaways from the Draft Measures:
- The Draft Measures only apply to cross-border transfers of personal information. The P.R.C. Cybersecurity Law also establishes a category called "important data" and further rulemaking is therefore still awaited for this other category.
- The Draft Measures do not include exemptions (derogations) from the obligation to conduct a security assessment. As currently drafted, each and every cross-border transfer (except for multiple or continuous provisions of personal information to the same recipient) is subject to the requirement.
- The Draft Measures do not contain a provision for a "White List" or "Adequacy List" of jurisdictions to which cross-border transfers can be made without a security assessment.
- The Draft Measures do not create an exemption allowing cross-border transfers that rely on pre-approved, pre-cleared security safeguard technology.
- The Draft Measures do not create an exemption for employee personal information, or for intracompany transfers among group affiliates.
- The Draft Measures do not contemplate an accreditation system under which network operators having good information security practices can be certified and accredited, and do not create an exemption for cross-border transfers that are proposed by network operators that have been so certified and accredited.
- The sheer size of the Chinese economy and number of electronic transactions threaten to overwhelm the Chinese government when applications for security assessments start to be filed. It is not clear how China's government will cope with the likely information overload. Delays and logjams seem likely. The deadline (of 15 working days) for completing the security assessment appears outright unrealistic. Much electronic commerce, particularly international transactions, stand likely to be held up in bottlenecks.
The Draft Measures do not go quite so far as to impose an outright data localization requirement. By subjecting cross-border transfers of personal information to the security assessment requirement, the Draft Measures do contemplate and allow them, at least in theory. Still, in practice the Draft Measures would create a serious new obstacle to the conduct of what should be routine international electronic commercial exchanges by enterprises doing business in China. The Draft Measures need, but lack, a pragmatic system of derogations, pre-clearances, accreditations and White Lists that will keep the Chinese government from having to undertake the unrealistically monumental task of reviewing practically each and every cross-border transfer of personal information, and enterprises doing business in China from having to prepare complex application materials and then await clearances that may be a very long time in coming.
Unless and until the Draft Measures are revised to include such a system, it will stand to impose a heavy burden on cross-border transfers of personal information from China. The burden may be heavy enough to cause some businesses to consider establishing servers in China on which personal information can be stored and processed locally. Fortunately, the Draft Measures are only in draft form and this omission can still be remedied. The general public should hope to see a more well-developed framework in the next version of the Draft Measures.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of approximately 750 lawyers practicing throughout a network of 14 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy and technology sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.