
Cross-border Data Transfer Compliance

Author: Sharon Shi, Yijia Lyu, James Zhang | 2021-10-29

Since the Cybersecurity Law came into force in 2017, the data economy in China has been developing at an exceedingly fast pace. In response, the recent promulgation of the Data Security Law and the Personal Information Protection Law is aimed at establishing a legal framework for China's data governance. Focused on protecting cybersecurity, data security and personal information rights and interests, these laws are intended to promote the sound development of the data economy.


From the perspective of the overall national security outlook, the Cybersecurity Law and the Data Security Law are important components of the national security legal framework, of which the National Security Law is the centrepiece. The core purpose of the Cybersecurity Law and the Data Security Law is to safeguard national sovereignty, security and public interests. As the fundamental law of the personal information protection regime, the Personal Information Protection Law focuses on protecting personal information rights and interests during the processing of such information, and on promoting its reasonable use. Meanwhile, given the nature of the data itself and the focus of the data economy, the three laws all impose corresponding legal obligations and liabilities on a number of overlapping issues. This means that a single processing activity by an enterprise may fall under the jurisdiction of all three laws concurrently.


Among the many issues regulated by these statutes, cross-border transfer of data is a primary concern of many multinational corporations. This article aims to analyze the governance over cross-border transfer of data under China’s current legal framework and provide guidance on data compliance issues.


1.   Foundation of governance for cross-border transfer of important data and personal information

1.1   Article 37 of the Cybersecurity Law (“Article 37”) stipulates that “critical information infrastructure operators (CIIO) shall store personal information and important data gathered and produced during operations within the territory of the People's Republic of China. Where it is necessary to provide such information and data to overseas parties due to business requirements, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration authority in concert with the relevant departments under the State Council. Where the laws and administrative regulations have other provisions, those provisions shall prevail.” It establishes the security assessment policy for cross-border transfer of important data and personal information, as well as the general principle and its exception.

1.2  The “general principle” is that the personal information and important data gathered and produced by CIIO shall be stored locally. The “exception” is that where it is indeed necessary to provide personal information and important data to overseas parties due to business requirements, a security assessment shall be conducted. The “general principle + exception” mode only applies to CIIOs.

1.3   In order to implement the security assessment policy in Article 37, the Cyberspace Administration of China separately issued the Measures for Evaluating the Security of Transferring Personal Information and Important Data Overseas (Draft for Comment) in 2017 (“Measures for Evaluating”) and the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment) in 2019 (“Measures for Security Assessment”). In 2017, the National Information Security Standardization Technical Committee issued the Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (“Guideline”). It is worth noting that the Measures for Evaluating, the Measures for Security Assessment and the Guideline all expanded the regulated subjects from CIIOs to network operators. Where it is indeed necessary to provide personal information and important data to overseas parties, a security assessment must be conducted, and passing that security assessment is the only route by which such data may be transferred overseas.


2.  Enhanced governance for cross-border transfer of important data and personal information established by the Data Security Law and the Personal Information Protection Law

2.1   Cross-border transfer of important data under the Data Security Law

2.1.1   The Data Security Law basically follows the “general principle + exception” mode. For the supervision of cross-border transfer of important data, Article 31 of the Data Security Law stipulates that “the security administration of the cross-border transfer of important data collected and generated by operators of critical information infrastructure during their operation in China shall be subject to the provisions of the Cybersecurity Law of the People's Republic of China; the administrative measures for the cross-border transfer of important data collected and generated by other data processors during their operation in the People's Republic of China shall be formulated by the national cyberspace administration authority in collaboration with relevant departments of the State Council.”

2.1.2   Article 31 clearly specifies that the governance of cross-border transfer of important data for CIIOs is the same as that established by the Cybersecurity Law. However, the Data Security Law also brings “other data processors” within the regulated subjects and stipulates corresponding legal liability for both CIIOs and other data processors.

2.2   Cross-border transfer of personal information under the Personal Information Protection Law

2.2.1   Unlike the strict governance under the Data Security Law, the Personal Information Protection Law stipulates several legal routes for cross-border transfer of personal information, of which security assessment is only one.

2.2.2   Specifically, if the volume of personal information processed by a personal information processor reaches the minimum volume prescribed by the national cyberspace authority, that processor shall, like a CIIO, store the personal information it collects or generates within the territory of the People's Republic of China. Where it is indeed necessary to provide such information to an overseas recipient, a security assessment shall be passed. If the volume of personal information processed does not reach the minimum volume, the information may be transferred when one of the following conditions has been met: a) a certification of personal information protection has been given by a professional institution in accordance with the regulations of the national cyberspace authority; or b) a contract in compliance with the standard contract provided by the national cyberspace authority has been concluded with the overseas recipient, stipulating the rights and obligations of both parties.

2.3   The Guideline could serve as a reference for the measures of security assessment for cross-border transfer of important data and personal information. However, as the Guideline was issued four years ago, well before the promulgation of the Data Security Law and the Personal Information Protection Law, its applicability is debatable.


3.     Compliance Suggestions

3.1   Use data mapping and implement a classified and graded data protection system

3.1.1   Data mapping means sorting out the status of all data collected, processed and stored by a company in the course of its business. Specifically, such mapping should record the following: the type of data collected; the specific department that collects, uses and maintains the data; where the data is stored; to whom the data is transferred; when and where the data is processed; how long the data is retained; and the security control measures applied to the data.

3.1.2   The classified and graded data protection system is stipulated in the Data Security Law and is similar to the classified protection system for cybersecurity specified in the Cybersecurity Law. The core of such a protection system is carrying out classified and graded data protection depending on how important the data is to economic and social development, and how much damage would be caused to national security, public interests, or the legitimate rights and interests of individuals or organizations in the event that the data is tampered with, destroyed, leaked, or illegally obtained or used. For companies, the first step is to assess and confirm whether they qualify as a CIIO, and whether the data to be transferred abroad is important data or core data of the state.

3.1.3   Data mapping and the classified and graded data protection system will help companies accurately and quickly identify the category of the data concerned when they need to transfer data abroad. They will then be able to evaluate and confirm what measures need to be taken to meet compliance requirements. Moreover, both are important parts of an overall data compliance system, so that companies can fulfil their compliance obligations while making better use of the data.

3.2   Identify the data to be transferred abroad

Before transferring data abroad, a company should first consider the following factors: a) whether the data to be transferred is personal information or important data; b) whether the data processor (i.e. the company) is a CIIO. These factors determine how the transfer is regulated and which compliance requirements apply to it. Given the importance and complexity of CIIO identification, the following only focuses on the identification of personal information and important data.

3.2.1   Identification of important data

According to the Administrative Measures for Data Security (Draft for Comment), important data refers to data whose disclosure may directly affect national security, economic security, social stability, or public health and safety. In general, important data excludes information on the production, operation and internal management of enterprises, as well as personal information. This leaves some uncertainty in the identification of important data, as the scope of national security is broad and vague.

According to the Data Security Law, the relevant national data security authority shall make overall plans for, and coordinate relevant departments in, formulating the catalogues of important data. Each region and department shall, in accordance with the classified and graded data protection system, determine the specific catalogue of important data for its respective region, department, industry and area. Until such important data catalogues are published, the appendix “Important Data Identification Guideline” of the Guideline can offer some guidance. The appendix lists the important data of 26 specific industries, such as natural gas, coal, petrochemicals, electric power, and the defense and military industry.

On September 23, 2021, the Information Security Technology – Identification Guide of Key Data (Draft for Comment) was issued. It is worth noting that it clarifies the characteristics of important data and the basic process for identifying it.

3.2.2   Identification of personal information

Compared with the identification of important data, the identification of personal information is relatively clearly regulated. According to the Personal Information Protection Law, personal information refers to any kind of information related to an identified or identifiable natural person, recorded electronically or otherwise, excluding information that has been anonymized. The definition emphasizes identifiability (covering both “identifiable” and “identified”). With the continuous development of data processing technology and the exponential increase in data volume and integration, the range of data that can be used to identify natural persons or that relates to natural persons is expected to become broader.


3.3   Confirm the obligations under the applicable laws and regulations

3.3.1   After identifying whether a company is a CIIO, and whether the data is important data, personal information or both, the next step is to confirm the applicable laws and regulations and their corresponding compliance requirements.

3.3.2   When confirming this, a company should take the relevant industry into consideration. A company should also pay close attention to the development of relevant laws and regulations, as more specific measures are to be launched in the future. For example, the Provisions on Vehicle Data Security Management (for Trial Implementation) came into effect on October 1, 2021 and contain specific stipulations on the cross-border transfer of vehicle data. On September 30, 2021, the Ministry of Industry and Information Technology issued the Administrative Measures for Data Security in the Field of Industry and Information Technology (for Trial Implementation) for public comment; it contains specific provisions regulating the governance of important data and core data in the field of industry and information technology.
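The three steps above (map the data, identify its category and the company's CIIO status, then confirm the applicable route) can be captured in a small data-mapping register that flags incomplete inventory entries and returns the cross-border route the article describes for each asset. The following is an added example written for this article; it is not code from the authors or from any regulator. The field names, the `PI_VOLUME_THRESHOLD` value (the real minimum volume is prescribed by the national cyberspace authority and is not stated on this page) and the sample assets are all constructed assumptions.

```python
"""Data-mapping register with cross-border transfer route check (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum

# ASSUMPTION: placeholder only. The real minimum volume that triggers local
# storage plus security assessment is prescribed by the national cyberspace authority.
PI_VOLUME_THRESHOLD = 1_000_000
HOME_COUNTRY = "CN"


class Category(Enum):
    PERSONAL_INFORMATION = "personal information"
    IMPORTANT_DATA = "important data"
    OTHER = "other"  # e.g. internal management data, which the draft Measures exclude


class Route(Enum):
    LOCAL_STORAGE_AND_SECURITY_ASSESSMENT = "store locally; pass security assessment before export"
    CERTIFICATION = "certification by a professional institution"
    STANDARD_CONTRACT = "standard contract with the overseas recipient"
    MEASURES_PENDING = "measures for other data processors still to be formulated (DSL art. 31)"
    NOT_REGULATED_HERE = "not personal information or important data under the three laws"


@dataclass
class DataAsset:
    """One row of the data map; fields mirror the inventory items in section 3.1.1."""
    name: str
    category: Category
    owning_department: str
    storage_country: str              # where the data is stored
    recipient_countries: list[str]    # to whom (by jurisdiction) the data is transferred
    retention_days: int               # how long the data is retained
    controls: list[str] = field(default_factory=list)  # security control measures
    subject_count: int = 0            # for personal information: number of data subjects


def mapping_gaps(asset: DataAsset) -> list[str]:
    """Return the inventory fields that are still missing for this asset."""
    gaps = []
    if not asset.owning_department:
        gaps.append("owning_department")
    if not asset.storage_country:
        gaps.append("storage_country")
    if asset.retention_days <= 0:
        gaps.append("retention_days")
    if not asset.controls:
        gaps.append("controls")
    if asset.category is Category.PERSONAL_INFORMATION and asset.subject_count <= 0:
        gaps.append("subject_count")
    return gaps


def is_cross_border(asset: DataAsset) -> bool:
    return any(country != HOME_COUNTRY for country in asset.recipient_countries)


def transfer_routes(asset: DataAsset, is_ciio: bool) -> list[Route]:
    """Routes available for exporting the asset, following sections 1, 2.1 and 2.2."""
    if not is_cross_border(asset):
        return []  # purely domestic: no cross-border regime engaged
    if asset.category is Category.IMPORTANT_DATA:
        # CIIOs: Cybersecurity Law art. 37 regime; other processors: measures pending.
        return [Route.LOCAL_STORAGE_AND_SECURITY_ASSESSMENT] if is_ciio else [Route.MEASURES_PENDING]
    if asset.category is Category.PERSONAL_INFORMATION:
        if is_ciio or asset.subject_count >= PI_VOLUME_THRESHOLD:
            return [Route.LOCAL_STORAGE_AND_SECURITY_ASSESSMENT]
        return [Route.CERTIFICATION, Route.STANDARD_CONTRACT]
    return [Route.NOT_REGULATED_HERE]


def review(assets: list[DataAsset], is_ciio: bool) -> dict[str, dict]:
    """Per-asset summary: inventory gaps and the cross-border route(s) to prepare for."""
    return {a.name: {"gaps": mapping_gaps(a), "routes": transfer_routes(a, is_ciio)} for a in assets}


# Constructed sample inventory (not real company data).
SAMPLE_ASSETS = [
    DataAsset("crm-customers", Category.PERSONAL_INFORMATION, "Sales", "CN", ["DE"], 730,
              ["encryption at rest", "role-based access"], subject_count=50_000),
    DataAsset("grid-telemetry", Category.IMPORTANT_DATA, "Operations", "CN", ["US"], 3650,
              ["network segmentation"]),
    DataAsset("hr-payroll", Category.PERSONAL_INFORMATION, "HR", "CN", ["CN"], 1825, [], subject_count=1200),
]

if __name__ == "__main__":
    for name, result in review(SAMPLE_ASSETS, is_ciio=False).items():
        print(name, "gaps:", result["gaps"], "routes:", [r.value for r in result["routes"]])
```

Running the script for a non-CIIO shows the customer database falling into the certification or standard-contract routes, the telemetry asset waiting on the measures for other data processors, and the payroll record flagged only for its missing security controls because it never leaves the country. Changing `is_ciio` to `True` moves both exported assets to local storage plus security assessment, which is the point of settling CIIO status before anything else.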