Legislations that involve data protection or privacy always draw our attention because they often have implications to business transactions and file transfers. China's new Cybersecurity Law certainly falls into this category.
Overview of the China Cybersecurity Law
China's new Cybersecurity Law is a broad piece of legislation crafted to protect critical information infrastructure (CII) as well as personal information and other critical/important data. Among others, it requires the certification of security products, standardizes the use of personal information, defines various security requirements, and imposes restrictions on outbound data transfers. Businesses caught violating the law can be levied heavy fines and penalized with suspensions, closures, or license revocations.
Unless China responds positively to the appeal by various trade groups for postponement, the CyberSecurity Law should take effect on June 1, 2017. That’s just a couple of days away. If you have business operations in China or transact with organizations based there, there's a good chance you'll be affected.
Businesses whose data transfers might be impacted by the law
The provisions in the Cybersecurity Law that impact data transfers govern two sets of businesses: a larger set known as network operators and a small subset known as critical information infrastructure operators (CII operators). At first glance, these two sets appear to be composed of only a few enterprises. But at close inspection, the definitions turn out to imply a much wider scope.
For instance, while the term 'network operators' might initially be interpreted to mean telecommunciations companies, ISPs or cloud service providers, the law actually defines network operators as network owners, managers, and network service providers. That could mean any company who operates any type of network - even a small office LAN - and may therefore refer to practically any business out there.
Critical information infrastructure refers to infrastructure, which if destroyed, damaged, or suffering from data leakage "might seriously endanger national security, national welfare and the people's livelihood, or the public interest". Any infrastructure providing public communication and information services, power, traffic, water, finance, public service, or electronic governance is considered CII. Because it's not clear what exactly qualify as "seriously endangering national security" and the like, other organizations not mentioned here might just be considered CII operators as well.
These broad definitions make it hard for companies to determine exemption from the law without seeking guidance from regulators or legal experts. It's therefore best to play safe. If you think your business is covered, it probably is.
How does the law impact data transfers?
The first thing that jumps out in relation to data transfers are the data localization provisions. Multinational companies and foreign organizations operating in China often transfer certain information to their headquarters or other offices located in other parts of the world. Businesses may also have to transfer files to customers, suppliers, and other trading partners based overseas. Unfortunately, the data localization provisions of the Cybersecurity Law will now make these outbound file transfers extremely difficult.
Article 37, in particular, requires certain operators to store personal information and other critical data (that were collected or generated during the course of business operations) within mainland China. This provision, which originally only covered CII operators, has lately been expanded to include network operators, casting a much wider net that now impacts most businesses.
The expanded provision is stipulated in the draft regulations entitled "Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data Overseas", which was open for public comments from April 11 to May 11.
Personal information is normally part of various business processes, often incorporated in HR (Human Resource), sales, and marketing data, among others. Because some of these processes involve the transfer of data overseas, e.g. for further processing or data aggregation purposes, the onset of the data localization provisions can seriously disrupt current practices.
In cases where it's absolutely necessary to export personal information and other important data, the Cybersecurity Law may allow it, provided several conditions are met. One of these conditions is to first conduct security assessments in accordance with the measures mentioned earlier.
About the security assessments
There are basically two types of these assessments. There are self-assessments and there are regulator assessments. These assessments must focus on certain elements such as:
- the necessity of carrying out the cross-border data transfer;
- circumstances surrounding the presence of personal information and/or critical data;
- the security measures and security environment of both the recipient and the country in which the recipient operates;
- the risk of leakage, loss, falsification or misuse of the transferred data;
- and others.
Regulator assessments are required when certain circumstances arise. For example,
- the number of individuals whose personal information are included in the transfer is at least 500,000;
- the amount of data exceeds 1000 GB;
- it involves data relating to information about the security of certain CII;
- and so on.
You can find more details regarding these measures in this English translation.
How secure file transfers can help you pass the security assessments
Secure file transfer systems can help you pass these assessments by addressing the technical issues involved. For example, they can greatly enhance the security measures of the recipient and substantially reduce the risk of leakage, loss, falsification, or misues of the transferred data. Although there are certainly other factors involved, being able to strengthen your recipient's security measures and reduce critical risks can greatly improve your chances of passing the security assessments.
If you're not sure what characterizes a secure file transfer, we invite you to read the post
We here at JSCAPE are by no means law experts, so we encourage you to seek clarification/guidance from your legal counsel on the details and interpretation of China's Cybersecurity Law. If you just want to read more about the China's Cybersecurity Law, we recommend KPMG's overview on the subject. You may also read the unofficial English translation here.
Relevant content on this site
Want to be updated on posts like this? Connect with us...