Faegre Drinker Biddle & Reath LLP, a Delaware limited liability partnership | This website contains attorney advertising.
June 28, 2017

Draft Guidelines Released for Securing Cross-Border Data Transfers Out of China

With the Cybersecurity Law of China effective on June 1, 2017, and the draft data transmission measures pending finalization, Chinese regulators on May 27, 2017, published another draft rule as a piece of the newly formed China cross-border data transmission regulatory puzzle.

The “Information Security Technology-Guidelines for Data Cross-Border Transfer Security Assessment” (Draft Guidelines) were drafted by the National Information Security Standardization Technical Committee of China (TC260). As a technical committee led by Cyberspace Administration of China (CAC) and Standardization Administration of China (SAC), TC 260 has authority to draft technical standards for encryption, big data and other cybersecurity related subjects. The Draft Guidelines, though voluntary by nature, are helpful for industry players to understand the “security assessment” required under the Cybersecurity Law, and what future data transmission measures will possibly look like.

The Draft Guidelines define “data cross-border transfer” as “network operators” providing “personal information” or “critical data” collected in China to non-Chinese entities or individuals outside of China “in electronic form,” and further define the action of such data “provision” as including delivering, releasing or otherwise making the data accessible. They even seem to suggest that the network operators enabling users to transmit data shall be responsible for data transfers made by their users.

These “data cross border transfers” are allowed only if the network operator has completed a “security assessment” to prove the proposed transfer is (i) lawful and appropriate, and (ii) with controllable risks. An assessment report is required to be kept for at least five years. Most importantly, the Draft Guidelines for the first time map out standards and protocols for assessment of the two essential criteria, namely, “lawful and appropriate,” and “risk controllability”

1. “Lawful and Appropriate”

The “lawful” standard will be met if the proposed transfer is not explicitly prohibited by Chinese law or challenged by the government agencies, and in the case of “personal information,” such transfer has been consented to by the individual data subjects (it also seems to indicate that, in certain emergencies, serious harm to individuals’ personal or property safety may negate such consent).

The “appropriate” standard will be met if the proposed transfer is necessary for conducting a legitimate business, satisfying a contractual or legal obligation, complying with Chinese legal requirements or fulfilling international judicial assistance.

2. “Risk Controllability”

The risk levels of the proposed transfer will be evaluated with two dimensions: (i) the impact of the data (with five numerical grades); and (ii) the possibility of security breach incident (with three numerical grades). This matrix shows how to determine risk levels (graded as low, medium, high, or extremely high) based on the grades of these two dimensions:

Possibility of Security Breach Incidents
Impact of the Data 1 2 3
≥5 High Extremely High Extremely High
4 Medium High High
3 Low Medium High
2 Low Medium Medium
1 Low Low Medium

Proposed transfer with “high” or “extremely high” risk levels (the shadowed boxes in above table) will be prohibited.

When evaluating the “impact of the data,” if the data is “personal information,” the following matrix will be used:

Sensitive nature of the data Impact Class of the Data
Majority Sensitive Personal Information 3
Limited amount of Sensitive Personal Information 2
No Sensitive Personal Information 1
Adjustment
Volume Scope Processing
If the data involves more than 500,000 individual data subjects within one year, the impact class should be lifted to a higher level. If the scope of the data exceeds the minimum necessary for the purported purpose, the impact class should be upgraded to a higher level. If measures are taken to effectively de-identify the data, the impact class should be degraded to a lower level.

The Draft Guidelines define “Sensitive Personal Information” as information that disclosure or illegal use of may cause harm to the subject’s personal or property safety, or may cause damages to the subject’s personal reputation or physical and mental health, or may result in discriminatory treatment against the involved person. The Draft Guidelines define “Personal Information” as “All kinds of information in electronic or other recoding forms that can be used on its own or with other information to identify a natural individual’s identity, or to reflect a specific natural individual’s activities, including but not limited to a natural individual’s name, date of birth, ID number, contact, personal biometric information, address, financial account password, assets status, location, behavior information,” and etc.

When evaluating the “impact of data” for “critical data,” the following matrix will be used:

Nature of the data Impact Class of the Data
Critical Data 4
Adjustment
Volume Scope Processing
If the critical data exceeds 1000 GB, the impact class should be lifted to a higher level. If the scope of the data exceeds the minimum necessary for the purported purpose, the impact class should be lifted to a higher level. If measures are taken to effectively de-sensitize the data, the impact class should be downgraded to lower level.

As “Critical Data” is not defined in the Cybersecurity Law and the definition proposed in the draft data transmission measures was very broad, the Draft Guidelines were intended to help make this term ready for practical use. Exhibit A of the Draft Guidelines contains a non-exhaustive list of identified Critical Data on a sector-by-sector basis for 28 sectors including certain manufacturing industries, public utility services, oil and natural gas, telecommunications, financial services, food and health care industries, and e-commerce. Notably, the clinical trial data for Class II or Class III medical devices and food safety traceability data are identified as Critical Data.

Finally, the evaluation of “possibility of security breach incidents” would encompass review of a whole set of factors in relation to (i) the robustness of the data management programs and technical safeguard capabilities of both the data transferor and data recipient, (ii) a due diligence on the data recipient to verify qualification to conduct business, track record in relation to cybersecurity and general compliance, and its “background” if the transfer involves Critical Data, and (iii) the legal and political environment of the jurisdiction where the recipient is located. More detailed criteria are set forth for each of the above components.

Taking the transferor’s data management programs as an example, a “robust” program would entail at least the following:

  • A comprehensive protocol and process for cross-border data transmission
  • Dedicated personnel and adequate training for data transmission related positions
  • Proper contractual clause with the data recipient requiring the recipient to cooperate with security audits, assist the data subjects or the transferor to conduct reasonable investigations relating to the data transfer, refrain from further distribution, disclosure or transfer of data without authorization of the data subjects and the transferor, and take necessary security measures to ensure confidentiality and completeness of the data (this to a certain extent resembles the model clause mandated under the data transfer regulatory regime in EU)
  • Capabilities to audit the efficacy of protocol and process
  • A proper plan to respond to emergencies
  • Capabilities to respond to individual claims of data subjects
  • Detail process for reporting security breach incidents

The Draft Guidelines were subject to public comments until June 27.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

Related Topics