This article was written by Susan Ning (partner), WU Han (senior associate), YANG Nan (managing associate) and LI Huihui (assistant associate).
The Cybersecurity Law of the People’s Republic of China (the “Cybersecurity Law”), adopted by the Standing Committee of the National People’s Congress on November 7th, 2016, will take effect on June 1st, 2017. In order to ensure its implementation, the Cybersecurity Law sets targets for the construction of key areas of the system and requires the authorities to formulate specific implementation measures.
Objectives of System Construction:
(1) formulate a catalogue of critical network equipment and special-purpose cybersecurity products;
(2) establish a graded system for cybersecurity protection;
(3) establish the scope and security measures for critical information infrastructure (“CII”);
(4) formulate security review measures for network products and services;
(5) formulate measures for the security assessment of personal information and important data to be transmitted abroad.
The Cyberspace Administration of China (the “CAC”) has now published for public comment first drafts of the measures to meet objectives (4) and (5) above. With the Cybersecurity Law soon to be effective, other measures which have not yet been issued as exposure drafts or formal versions will no doubt also be under discussion and formulation. Hence, enterprises and other social organizations should be aware of the latest legislative developments.
The Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Draft for Comment) (the “Assessment Measures”) were issued on April 11th, 2017. This article analyzes their main points, describes practical compliance by affected enterprises and points out the issues that need to be further clarified or improved.
Overview of the main points of the Assessment Measures:
- Legislative purpose and legislative basis
- Statutory assessment: time limit of assessment
- Scope of application (“shall apply”)
- Scope of data prohibited to be transmitted abroad
- Annual assessment and reassessment
- The principle of informed consent in personal information export
- Report of violations
- Responsibilities of the state cyberspace administration
- Responsibilities of industry regulators
- Conditions under which other agreements or provisions may apply
- Scope of application (“apply mutatis mutandis”)
- Key assessment contents of security assessment
- Statutory assessment: applicable conditions
Legislative basis: the adoption of the Cybersecurity Law draws attention
The Assessment Measures find their legislative basis in the State Security Law of the People's Republic of China (the “State Security Law”) and the Cybersecurity Law. Article 37 of the Cybersecurity Law obliges CII operators to hold data locally, and the Cybersecurity Law, as the superior law requiring a mechanism for security assessment of data for export, is cited as the legislative basis of the Assessment Measures.
That the Assessment Measures are founded on the State Security Law is also worth pondering. Although there are only two clauses directly related to cybersecurity in the State Security Law, the Assessment Measures still expressly cite the State Security Law as their legislative basis and clearly point out its guiding position in the Notice of the Draft for Comment. There are two points here. First, from the perspective of national strategy, cybersecurity is already an important part of state security, and the mechanism for transmitting personal information and important data overseas is also integral to the whole cybersecurity system. Therefore, taking the State Security Law as the legislative basis reflects recognition by the CAC of the significance of data export at the level of state security. Additionally, there is room for interpretation that the principle of mutatis mutandis applies to “other individuals and organizations”. Second, from the perspective of law enforcement and judicial practice, the fact that the State Security Law is established as the legislative basis means that authorities can interpret “state security”, “state interests” and other concepts in the Assessment Measures by citing or referring to the State Security Law, in order to achieve the regulatory intention of expanding the data categories under supervision beyond what is controlled by “network operators”.
Nevertheless, some provisions in the State Security Law, such as “realization of the security and controllability of core network and information technologies, critical infrastructure, and information systems and data in key areas”, should not be considered or interpreted as the basis of the Assessment Measures. In addition, if the general principles provided in the State Security Law are used to interpret the Assessment Measures in the future, this may cause broadening or arbitrary interpretation and lead to inconsistency and uncertainty in regulatory enforcement. Therefore, when studying the Assessment Measures or conducting security assessment for data export, operators should not only focus on the Assessment Measures themselves but also keep track of how authorities have interpreted and implemented the Cybersecurity Law and the State Security Law.
Application: Expansion to both “Network Operators” and “Other Individuals and Organizations”
1. “Network Operators” – “shall apply”
The Assessment Measures explicitly point out that “if it is necessary for network operators who generate and collect personal information and important data during its operation within the territory of the People's Republic of China to transmit data abroad due to business needs, the Assessment Measures shall apply”.
However, as stated above, the Assessment Measures sit under the Cybersecurity Law which sets out in Article 37 that only “operators of a CII” shall conduct the security assessment of “personal information and important data collected and generated during its operation within the territory of the People's Republic of China” before it is transmitted abroad, rather than any network operators and any data they collect. As important “network operators”, CII operators are obliged to conduct security assessments of data to be transmitted abroad, due to the significance of the industry in which they are involved as well as the importance to national security and public interest of the data they control. The inclusion of all “network operators” in the Assessment Measures would significantly expand the scope of application of the security assessment for data export under the Cybersecurity Law, which, in comparison to Article 37 of the Cybersecurity Law, could be regarded as a major expansion of control. Considering the broad and ambiguous definition of “network operator”, such expansion of the application of the Assessment Measures will not only increase the obligations of “network operators”, but also bring great uncertainty to the compliance work of business operators.
Article 17 of the Assessment Measures defines some major terms about the scope of application set forth above. The definitions of “network operator” and “personal information” in the Assessment Measures are no different from those in the Cybersecurity Law. This indicates that the CAC acknowledges and aims to maintain consistency between the Assessment Measures and the Cybersecurity Law. On the other hand, the terms “transmission of the data abroad” and “important data” are given specific definitions in the Assessment Measures. Although “transmission of the data abroad” is clarified as the cross-border transmission of data in terms of geographic location, the specific method of transmission is not further specified. In the absence of a clear description, data export under the Assessment Measures is not only transmission through an electronic network, but may also include transmission by physical carriers such as servers, hard disks and paper-based materials, and any other method. The Assessment Measures also state that “important data” shall “refer to relevant national standards and important data identification guidelines”. However, except for the Information Security Technology - Guideline for Personal Information Protection within Information System for Public and Commercial Services issued in 2013, there is so far no other public “national standard” or “guidelines for identification of important data”. It is reported that the CAC is working with industry authorities to develop appropriate standards and identification guidelines for important data depending on the industry, and aims to release the results of this work in the near future.
Given the ambiguity and uncertainty of these major terms, we recommend cautious study and assessment of the impact experienced by “network operators” arising from the application of the Assessment Measures.
2. “Other Individuals and Organizations” – “mutatis mutandis”
In addition to clarifying under what circumstances the security assessment applies, the Assessment Measures state that they “are applicable mutatis mutandis to the security assessment for transmission abroad of the personal information and important data generated or collected by other individuals and organizations within the territory of the People's Republic of China.”
The term “mutatis mutandis” means “with necessary changes”, i.e. the Assessment Measures must apply to other organizations and individuals as they do to network operators, but with any necessary changes. This requirement may further expand the scope of security assessments of data exports, so it is likely that assessment may become generalized and normalized. As mentioned, compared with the Cybersecurity Law, the Assessment Measures address the wider category of “network operators” instead of “CII operators”. However, the further expansion of application to “other individuals and organizations” may unnecessarily burden numerous enterprises, individuals and other organizations operating complex and diverse data processing activities. Mitigating this may require more detailed specification of whether the Assessment Measures apply to online or offline activities, to specific industries or fields, or to specific purposes and situations. For example, do the Assessment Measures apply to a domestic travel agency which collects and provides personal information abroad for the purpose of organizing outbound travel? If yes, would this travel agency be capable of assessing the security protection measures, ability and level of the data receiver, as well as the network security environment of the country or region where the data receiver is located? Such issues will arise frequently during the implementation of the Assessment Measures, and it remains to be clarified whether such situations are in line with the legislative and regulatory intent of the CAC.
Methods of Assessment: Feasibility to be improved
In view of the different types of data export, the "Assessment Measures" divide the security assessment into two categories: self-assessment (self-evaluation) and statutory assessment (assessment by third parties). In order to ensure the effectiveness of the security assessment to the greatest extent possible, the Assessment Measures provide for annual assessment and re-assessment in certain circumstances.
1. Statutory Assessment
Article 9 of the Assessment Measures clearly sets out the scenarios where data export must be reported to the industry regulator or supervisory authority for security assessment, i.e. the network operator is obliged to report to the relevant authorities for security assessment only when certain conditions are met.
First, it is worth noting that Item (5) of Article 9 exactly describes the circumstances in Article 37 of the Cybersecurity Law, but the items elaborating other situations are not mentioned in either the Cybersecurity Law or the State Security Law. The Assessment Measures not only widen the category of persons, the "subject" of security assessment for data export, but also widen the scope of the "objects", namely "data".
Second, only Items (1) and (2) of Article 9 contain a requirement for the amount of information or data; the other items are determined only by the nature of the data or the subject of the transmission. However, since the types of industry covered by the identification standard are relatively broad, many enterprises are uncertain about whether they need to file for assessment. Therefore, if the provisions of the Assessment Measures are to be strictly complied with in practice, follow-up implementation rules may be needed to clarify the data of importance as well as the categories of subject industries, so that network operators are able to evaluate the applicability of the statutory assessment mechanism, thus enhancing the practicability of this mechanism.
Item (6) of Article 9 covers circumstances “which may affect the national security and social public interests, so that the industry regulator or supervisory authority decides to assess.” This is a somewhat uncertain condition. Although in the State Security Law the concept of "state security" has been defined, the concept of "social public interests" has never been clarified in any laws or regulations. The affected legal interests are not entirely clear, and the introduction of the discretionary power of an industry regulator or supervisory authority as one of the standards for determining whether a statutory assessment is required will also add uncertainty to this new mechanism.
Last, the Assessment Measures require that the statutory assessment "should be completed within sixty working days, and feedback on the result of security assessment should be delivered in a timely manner to the network operator and reported to the state cyberspace administration". It is recommended that the feedback of security assessment from industry regulator or supervisory authority should include, at a minimum, their decision on whether the data is approved to be exported and the main reasons for the decision. This will help ensure the transparency and predictability of the rights and obligations of network operators regarding the statutory assessment. However, currently the Assessment Measures remain silent on questions such as whether the assessment authority will issue written opinions on the approval or disapproval of data export, whether network operators are entitled to apply for administrative review in the event of disapproval, and how the administrative review should be conducted in practice. These issues are important to network operators when they perform their obligations of security assessment for data export.
2. Self-Assessment
Even when the data to be exported is not required to go through a statutory assessment, the Assessment Measures still require network operators to carry out a self-assessment, i.e. to conduct a security assessment before exporting data and to take responsibility for the assessment results. However, it is understood that enterprises get only limited guidance, with just one provision simply stating the relevant obligation and requirement for self-assessment.
Although Article 8 specifies the review focus during a security assessment, the Assessment Measures do not specify the form of a self-assessment or the retention of assessment results, nor does it emphasize the specific responsibility for the assessment results. In view of the lack of clear guidance, enterprises may have less incentive to conduct self-assessments proactively, and also industry regulators or supervisory authorities may lack specific guidance when inspecting self-assessments.
Regardless of the diverse varieties of data export, security assessments should focus on certain important aspects pursuant to Article 8 of the Assessment Measures. In this regard, even in security assessments organized by network operators themselves, it is still necessary to examine things like the network security status of the data receivers and their locations, as well as the potential risks after data export. From the perspective of the party conducting the assessment, it may be very difficult in practice to carry out an effective assessment of such things (especially the risks after the data export; consider the above example of a travel agency), and this will undoubtedly further affect the practicality of self-assessments.
3. Annual Assessment and Reassessment
In addition to self-assessment and statutory assessment, the Assessment Measures also require network operators to carry out an “annual assessment” and a “reassessment” of data export "according to the status of business development and network operations" and the actual situation of data exporting (such as a change of data receivers, a substantial change of the purpose, scope, amount and category of exported data, major security incidents of data receivers or of the data itself, etc.). As with the issues identified for self-assessment and statutory assessment, the practicality of reassessment will depend on further clarification of relevant terms such as "substantial changes" and "major security incidents".
4. Data prohibited from being transmitted abroad
In addition to imposing security assessment obligations on network operators exporting certain data, the Assessment Measures also explicitly prohibit the transmission abroad of certain data. This data is directly ruled out from any security assessment mechanism for data export and becomes absolutely “domestic” data.
Article 11 expressly lists three categories of data which it is prohibited to export, but the specific scope of this data remains unclear currently. First, as for personal information, apart from reiterating the principle of informed consent for data export, the identification standard and scope of “may jeopardize personal interests” are still vague. The vagueness of the drafting - “may affect national security and jeopardize social and public interests” or the introduction of the discretion of “relevant authorities” in the catch-all clause for risk assessment increases uncertainty and makes the enforcement less authoritative and practicable.
Legal responsibility: potential loophole for reference to “relevant laws and regulations”
As the critical method to ensure effective implementation, Article 14 of the Assessment Measures provides a penalty for violations of the Assessment Measures. However, the rule is simple and general and only specifies that violations of these Measures “shall be penalized in accordance with relevant laws and regulations”.
As discussed, the Cybersecurity Law and the State Security Law are explicitly cited as the legislative basis of the Assessment Measures. Thus, Article 14 remains meaningful where a violation of the Assessment Measures can be punished in accordance with the Cybersecurity Law or the State Security Law. For example, where a CII operator violates the rules of security assessment for data export, it could be punished pursuant to Article 66 of the Cybersecurity Law. Another example is that where a person or an agency illegally transmits data involving national secrets abroad, such person or agency could be punished pursuant to the provisions related to national secret protection under the State Security Law and the National Secret Law. Furthermore, for stipulations in the Assessment Measures which are the same as those in other laws and regulations, such as the principle of informed consent in Article 4, the punishments set forth in those laws and regulations could be cited in case of violation of the Assessment Measures.
As mentioned above, the Assessment Measures expand upon and connect with superior laws in various aspects such as applicable subjects and scope of data, and there may be legal lacunae in the penalty provisions. For example, where a network operator fails to carry out a self-assessment in accordance with Article 7 of the Assessment Measures, the relevant authorities may be unable to impose a penalty pursuant to Article 14, the main reason being that no other laws or regulations impose a self-assessment obligation for data export on network operators and thus there are no applicable penalties. If this is common, the regulation of data export provided by the Assessment Measures could hardly be implemented. From another perspective, however, if an enlarging or arbitrary interpretation of “relevant laws and regulations” is adopted in order to impose a penalty, the authority of the Assessment Measures and related supervision would weaken. Therefore, the obscure drafting of the penalty clause will substantially impair operators' ability to judge their legal responsibility for non-compliance.
As the first specialized legislation covering data export from China, the Assessment Measures, although only a draft, are of great significance in securing personal information and important data and in advancing the building of a system of data security protection for our country. The eighteen articles of the Assessment Measures provide specific rules for the export of personal information and important data in terms of core aspects such as the scope and conditions of their application, the parties subject to the rules, the mechanisms of assessment, and the corresponding legal responsibility. In particular, the Assessment Measures set forth specific and detailed guidance on the security assessment for data export required by the Cybersecurity Law. All of this contributes to the knowledge of data holders and transmitters (such as enterprises) of the compliance landscape and their general legal obligations for data export once the Assessment Measures are finalized and take effect.
However, given the complexity, sensitivity and practicality of supervision in data localization and cross-border transmission, the current draft Assessment Measures still have a series of issues pending clarification and improvement. Not just “network operators”, but more and more enterprises inevitably generate demand for cross-border data transmission with the growth of the Internet economy and the big data industry. Consequently, more parties fall within the scope of application of the Assessment Measures. In fact, enterprises may already need to consider security assessment for data export as a practical matter, and the pending issues we have highlighted would arise unavoidably in practice. Therefore, from the perspective of implementation, the way the revision of the draft addresses these issues will affect the implementation of the mechanism of security assessment for data export and its impact upon the daily operations of enterprises. Enterprises may therefore want to pay close attention to the follow-up development of the legislation and official comments, as well as participating proactively in the consultation process (due on 11th May). In addition, enterprises can prepare now by learning about the measures and running a preliminary assessment of their own data export in accordance with the current draft. This will help them deal effectively with the various follow-up supporting measures, including the Assessment Measures, which may be promulgated around the time the Cybersecurity Law takes effect.
Notice of the Cyberspace Administration of China on Seeking Public Comments on the Measures on the Security Assessment of Network Products and Service (Exposure Draft), February 2nd, 2017, please see http://www.cac.gov.cn/2017-02/04/c_1120407082.htm.
Notice of the Cyberspace Administration of China on Seeking Public Comments on the Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Exposure Draft), April 11, 2017, please see http://www.cac.gov.cn/2017-04/11/c_1120785691.htm.
See Article 1 of the Assessment Measures.
See Article 37 of Cybersecurity Law: “The operator of a CII shall store within the territory of the People's Republic of China personal information and important data collected and generated during its operation within the territory of the People's Republic of China. Where such information and data have to be provided abroad for business purpose, security assessment shall be conducted pursuant to the measures developed by the CAC together with competent departments of the State Council, unless otherwise provided for in laws and administrative regulations, in which case such laws and administrative regulations shall prevail.”
See Article 25 and Article 59 of the State Security Law.
See Article 25 of the State Security Law.
See Article 2 of the Assessment Measures.
According to the system of the Cybersecurity Law, the provisions regarding “CII” are set after the section “General provisions” of the chapter “Security of Network Operation”, which could be regarded as a special regulation. For introduction of “CII”, please refer to Article 31 of the Cybersecurity Law: “For CII in important industries and sectors such as public communications, information service, energy, transport, water conservancy, finance, public service and e-government, and other CII that, once damaged, disabled or data disclosed, may severely threaten the national security, national economy, people's livelihood and public interests, the State shall give them extra protection on the basis of the graded system for cybersecurity protection. The specific scope and security measures for CII shall be developed by the State Council. ”
See Article 17 of the Assessment Measures: Definitions of the following terms in these Measures:
"Network operators" refers to owners, managers and network service providers of networks.
"Transmitting data abroad" means providing overseas institutions, organizations and individuals with the personal information and important data generated or collected by network operators during their operation within the territory of the People's Republic of China.
"Personal information" refers to all the information recorded in electronic form or otherwise, which can be used, solely or together with other information, to determine the identity of a natural person, including but not limited to the name, date of birth, ID card number, personal biometric information, address and phone number of the natural person.
"Important data" refers to the data closely related to national security, economic development, and social and public interests. Refer to relevant national standards and important data identification guidelines for its specific scope.
See Article 76 of the Cybersecurity Law.
See Article 16 of the Assessment Measures.
See Article 8(4) of the Assessment Measures. The European Union requires a determination of adequacy so that the transmission of data will be allowed. Other jurisdictions restrict the cross border transmission of data according to the type of such data.
The authors consider it common, with the increasingly developed Internet economy and big data industry, for network operators to control data that contains, individually or in aggregate, the personal information of more than 500,000 users or that exceeds 1000 GB. If a specific network operator is a multinational enterprise or has extra-territorial business offices, the data exchange within such an enterprise would very probably fall within the scope of application of the Assessment Measures.
See Article 2 of the State Security Law.
See Article 10 of the Assessment Measures.
See Article 7 of the Assessment Measures.
See Article 8 of the Assessment Measures: “During security assessment for the data to be transmitted abroad, highlighted assessment shall be made in the following aspects:
(1) Necessity of transmitting the data abroad;
(2) Personal information involved, including the quantity, scope, type and sensitivity of personal information, as well as whether the owner of personal information agrees to transmit his personal information abroad;
(3) Important data involved, including the quantity, scope, type and sensitivity of important data;
(4) Security protection measures, ability and proficiency of the data receiver, as well as the network security environment of the country or region where the data receiver is located;
(5) Risks of leakage, damage, alteration and abuse of data after being transmitted abroad and further transferred;
(6) Risks to national security, social and public interests, and personal legitimate interests arising from transmitting the data abroad and gathering the data to be transmitted abroad; and
(7) Other important matters to be assessed.”
See Article 12 of the Assessment Measures: “A network operator shall, in light of its business development and network operation, conduct a security assessment for the data to be transmitted abroad at least once a year, and shall report the assessment information to the industrial authority or regulator concerned without delay.
In case of any changes to the data receiver, any major changes to the purpose, scope, quantity and type of the data transmitted abroad, or any major security events of the data receiver or the data to be transmitted abroad, another security assessment shall be conducted without delay.”
See Article 11 of the Assessment Measures.
See Article 5 and Article 77 of the National Security Law.
See Article 11 of Decision of the Standing Committee of the National People’s Congress on Strengthening Information Protection on Networks and Article 56 of Law of the People's Republic of China on the Protection of Consumer Rights and Interests.