April 11, 2017, the Cyberspace Administration of China ("the CAC") promulgated a notice on Seeking Public Comments on the Measures on the Security Assessment for Personal Information and Important Data to be Transmitted Abroad (Exposure Draft) (the “Measures" or the “Consultation Paper”).  The Measures is a refinement of the State Security Law of the People's Republic of China and the Cybersecurity Law of the People's Republic of China, which provides the operational guidelines for those companies who need to transmit the data abroad.  We hope that the final version of the Measures will clarify some ambiguities on the basis of the Consultation Paper, but we expect that the final version would not make material modification to the Consultation Paper.

A.The definition of Network Operators, Outbound Transmission of Data, Personal Information  and Important Data

The Measures defines the aforementioned terms as follows:

Network operators means owners, managers and network service providers of network.

Outbound transmission of Data means providing overseas institutions, organizations and individuals with the personal information and important data generated or collected by network operators during their operation within the territory of the People's Republic of China.

Personal information means all the information recorded in electronic form or otherwise, which can be used, solely or together with other information, to determine the identity of a natural person, including but not limited to the name, date of birth, ID card number, personal biometric information, address and phone number of the natural person.

Important data means the data closely related to national security, economic development, and social and public interests. The more specific scope is determined by  the relevant national standards and identification guidelines for important data.

B.Regulatory Authority

Article 5 provides that the CAC shall conduct overall coordination for security assessment for the outbound transmission of data, and guide industrial authorities or regulators conduct security assessment for the outbound transmission of data.  Article 11 (3) under the Measures also mentions that the CAC, public security authorities, security authorities and other relevant authorities shall also have the right to determine whether the data can be transmitted abroad.  As far as we are concerned, in the future, the CAC shall coordinate regulatory authorities from respective industries to make a further distribution of responsibilities and refinement on the supervision of the outbound transmission of data.  Some authorities, including the People’s Bank of China, China Banking Regulatory Commission, China Securities Regulatory Commission, China Insurance Regulatory Commission and State Administration for Industry and Commerce of the People’s Republic of China, are likely to promulgate supporting regulations concerning the outbound transmission of data in the relevant industries.

C.The Type, Frequency and Key Points of the Security Assessment for the Outbound Transmission of Data

The Measures provides two assessment procedures:  self-assessment and regulatory assessment.  Except that under the circumstances specified in Article 9, when the assessment shall be carried out by the regulators, the network operators are allowed to conduct the self-assessment.

Article 12 under the Measures requires the network operators to conduct security assessment on the outbound transmission of data at least once a year.  In case of any changes to the data receiver, any major changes to the purpose, scope, quantity and type of the outbound transmission of data, or any major security events of the data receiver or the outbound transmission of data, another security assessment shall be conducted without delay.

Article 7 under the Measures requires a network operator shall, prior to the outbound transmission of data, organize the security assessment for the outbound transmission of data on its own, and be liable for the assessment results.  Meanwhile, the key points of the security assessment for the outbound transmission of data is further listed in the Article 8:

1) necessity of the outbound transmission of data;

2) personal information involved, including the quantity, scope, type and sensitivity of personal information, as well as whether the owner of personal information agrees to transmit his personal information abroad;

3) important data involved, including the quantity, scope, type and sensitivity of important data;

4) security protection measures and capability of the data receiver, as well as the network security environment of the country or region where the date receiver is located;

5) risks of leakage, damage, tampering and abuse of the data after being transmitted abroad and further transferred;

6) risks to national security, social and public interests, and personal legitimate interests arising from the outbound transmission of data and gathering the outbound data; and

7) Other important matters to be assessed.

For most multinationals, the data acquired in the People’s Republic of China is essential for the overseas ultimate controller and management to make researches and decisions on business strategies in the Chinese market.  Therefore, the first requirement concerning the necessity of transmitting the data abroad is easy to meet.  Regarding the second one, which is whether the owner of personal information agrees to transmit his personal information abroad, we recommend that the company shall enter into a data collection and use contract with clients in written form, and highlight the ownership, usage and transfer of the data and other relevant clauses in a prominent part of the contract.  With respect to the eighth one, because of the present absence of the more specific standards, if a company is insufficient with the manpower and expertise, we recommend that the company outsource the responsibility of the security assessment to a professional third party to reduce the compliance risk.

D.Assessment of Regulatory Authority

In accordance with Article 9 under the Measures, in any of the following circumstances, a network operator shall report to its industrial authority or regulator to arrange security assessment to determine whether the data shall be allowed to transmitted abroad:

1) the data to be transmitted abroad contains or accumulatively contains more than 500,000 users’ personal information;

2) the quantity of the data to be transmitted abroad is more than 1,000 gigabytes;

3) the data to be transmitted abroad contains data in the areas of nuclear facilities, chemical biology, defense industry, population and health, as well as the data of large-scale project activities, marine environment and sensitive geographic information and etc.;

4) the data to be transmitted abroad contains system vulnerabilities, security protection and other network security information of critical information regarding to the infrastructures;

5) an infrastructure operator of the critical information provides personal information and important data abroad; or

6) other data which may affect national security, and social and public interests, and are necessary for assessment as determined by the industrial authority or regulator.

7) if there is no definite industrial authority or regulator, the CAC shall organize the assessment.

E.The data which shall not be transmitted abroad

The Measures provides that under the following three circumstances, the data shall not be transmitted abroad:

1) the outbound transmission of personal information fails to be approved by the owner of personal information, or may jeopardize personal interests;

2) the outbound transmission of data causes security risks to the nation's politics, economy, technology and national defense, which may affect national security and jeopardize social and public interests; or

3) other data which are forbidden to be transmitted abroad as determined by the CAC, public security authority, security authority and other relevant authorities.

In summary, the promulgation of the Measures reflects the regulators’ attitude for information data to be transmitted abroad, which is “transmitting abroad under supervision”.  The regulators hold a positive attitude towards the data to be transmitted abroad if such data transmission are approved by the owner, with necessity and with no harm to the national security and social and public interests.  However, the definition of the important data under the Measures is quite vague and the Measures includes some ambiguous articles, for example, “other data which may affect national security, and social and public interests” and “other data which are forbidden to be transmitted abroad as determined by the CAC, public security authority, security authority and other relevant authorities”, which give rise to the unpredictability of the network operators when they are dealing with transmitting the information and data abroad. We hope that the official version will reduce the vague provisions and provide the network operators with more clarified guidance.