China’s new data protection framework clearly requires local storage of personal information and important data, and a security assessment before such data is shared with other jurisdictions, but it is currently much less clear which types of entities fall under this requirement.
Localization and Transfer Assessment Requirements Related to CII Operators
Under the People’s Republic of China Network Security Law, also known as the Cybersecurity Law, personal information and important data collected and generated in the operation of critical information infrastructure operators (CII operators) must be stored in China, and a security assessment must be passed before that information is provided abroad. This new requirement caused significant concern among entities that fall within the category of CII operators, because they may need to restructure their data systems. There was nonetheless a general appearance of acceptance within the business community, owing to the relatively targeted scope of the definition of CII operators and an acknowledgement that critical infrastructure requires elevated protections.
Potential Extension of the CII Operator Requirements to Network Operators
However, two draft documents published earlier this year would extend that burdensome obligation to network operators as well, a category with a substantially broader definition, potentially applicable to a majority of the entities operating in China, and one that is broader than and inclusive of the definition of CII operator. The Security Assessment Measures on Personal Information and Important Data Export (Draft) (the Measures) and the recently updated Guidelines for Data Cross-Border Transfer Security Assessment (Draft) (the Guidelines) both clearly apply the localization and transfer restrictions to network operators.
The conflicting and unsettled nature of the Measures and the Guidelines makes the environment more complicated for multinational companies doing business in China, particularly those that frequently transfer their customers’ personal information outside of Mainland China for global processing or insight analysis.
Legislative Hierarchy and Principles Indicate No Extension
The structure of China’s legal system indicates that the final versions of the Measures and the Guidelines are fairly unlikely to exceed the requirements in the Network Security Law itself. In China, a law is typically quite general and primarily provides high-level rules. The State Council then usually promulgates implementing regulations for the law, which are detailed and more practical for application. In addition to implementing regulations, there may also be a combination of department rules, local legislation and sometimes guidelines to support the enforcement of the law. In simplified form, this hierarchy runs from the law at the top, through the State Council’s implementing regulations, down to department rules, local legislation and guidelines.
Based on this simplified hierarchy, the Measures and the Guidelines sit below the Network Security Law and are meant to implement it, not to add obligations the law itself does not contain.
Therefore, applying the local storage and transfer assessment requirements to network operators under the Measures and the Guidelines would be an expansion of the obligation in the Network Security Law, resulting in implementing materials that create significant obligations absent from the law being implemented. In theory, this type of expansion should not occur under the legislative system, and consistency principles indicate that the final versions of the Measures and the Guidelines should instead be aligned with the law itself.
Officials’ Comments Also Indicate No Extension
Recent remarks from senior officials in the Cyberspace Administration of China (CAC) also echo the position that the localization and security assessment requirements should not be extended to broadly apply to network operators. The deputy director of the CAC, Ren Xianliang, stated in a November 2017 press conference, “First, the local storage requirement is only for CII operators, not all of the network operators. Second, the data to be localized only includes personal information and important data, and it is from the perspective of the government to define which data is important, not the perspective of a company or any individual. Third, for data necessary to be exported, the law has established a system for that, which is that if the export of the data would not harm the national security and social public interest after the security assessment, it can be exported. Fourth, personal information can be exported if consents for the export are obtained from the personal information subjects, and worth noting is that voluntary acts including dialing international long-distance calls, sending international emails, and transnational shopping through the internet would be deemed as consent of the personal information subject to the export.” Another official, responsible for the Network Security Coordination Department of the CAC, had expressed an identical position at a press conference on May 31, 2017, the day before the Network Security Law became effective.
Preparing for the Next Steps
The final versions of the Measures and the Guidelines are still being drafted and completed for implementation. While the versions published earlier in the year indicate an expansion of the local storage and transfer assessment requirement, recent statements from government officials, combined with the principles of the legislative system, indicate that the expansion may be more limited and could potentially even be removed or reduced to a recommendation for network operators. Faced with unsettled, and potentially significant, legal requirements of this kind, many companies are taking basic preparatory measures, including mapping their data and gaining a better understanding of their personal information and important data flows. Even if these requirements are not ultimately implemented, that exercise is the foundation of a data protection program and is useful for nearly every aspect of building an effective approach.