Could the data be sent across the border?
How to comply with the Measures on Security Assessment of Cross-border Transfer of Personal Information and Important Data
On 7 November 2016, the National People's Congress enacted the Cyber Security Law of the People's Republic of China ("Cybersecurity Law"), effective on 1 June 2017. As an important supporting document to the Cybersecurity Law, the Cyberspace Administration of China (CAC) released the Measures on Security Assessment of Cross-border Transfer of Personal Information and Important Data (For Public Comments) ("Measures"), which specifically protect personal information and important data. The Measures has a major impact on companies with cross-border data transfer needs. This article interprets the main points of the Measures and clarifies the compliance challenges they raise and how to respond to them.
Impact of the Measures on Compliance
1. Legislative Basis
The National Security Law of the People's Republic of China ("National Security Law") and the Cybersecurity Law are cited at the beginning of the Measures as its legislative basis. This indicates that the state attaches great importance to the data flow security issues raised by cross-border data transfer. With this legislative confirmation, the security of cross-border data transfer becomes a core part of the overall national security framework, and the Measures is aligned with the other relevant national legislation. We therefore recommend that, when assessing cross-border data transfers, companies pay attention not only to the provisions of the Measures but also to the relevant provisions and interpretations of the National Security Law and the Cybersecurity Law.
2. Who is subject to supervision?
As for the scope of application, since the Measures is based on the National Security Law and the Cybersecurity Law, the subject of cross-border data transfer security assessment is defined in the Measures as the "network operator". Under Article 2 of the Measures, it is a basic requirement that personal information and important data collected or generated by any network operator during operations within the territory of the People's Republic of China shall be stored within China; where it is necessary to transfer such data abroad for business reasons, a security assessment shall be conducted in accordance with the Measures. The Measures thus extends the scope of the security assessment mechanism under the Cybersecurity Law beyond critical information infrastructure operators to all network operators, and the legal obligations of network operators increase substantially. Companies subject to supervision should pay close attention to these changes.
3. Definition of cross-border data transfer in the Measures
According to the Measures, cross-border data transfer refers to the transmission of personal information and important data, collected or generated by network operators during operations within the territory of the People's Republic of China, to institutions, organizations or individuals located outside the People's Republic of China.
In this definition, the concepts of network operator and personal information follow the corresponding concepts in the Cybersecurity Law, which reflects the alignment between the Measures and the Cybersecurity Law. "Important data" is defined for the first time in the Measures, with a clear statement that the importance of data is measured mainly at the national and social level. The specific scope of important data is to be determined "by reference to the relevant national standards and important data identification guide". We expect the CAC to work with the relevant industry authorities to further determine the standards and identification guidelines for important data.
In addition, the definition of cross-border data transfer in the Measures describes departure in physical terms: data crosses the border and is provided to a recipient outside China, but no particular transmission method is specified. We therefore suggest that companies consider the means of transfer broadly (for example, physical media carried across the border), rather than confining their assessment to network transmission.
4. Cross-border Security Assessment
The Measures divides the security assessment into two categories based on the characteristics of the data, self-assessment and regulatory assessment, and provides clear assessment criteria from both qualitative and quantitative perspectives.
Article 7 of the Measures clearly requires the network operator to conduct a data security assessment on its own before any cross-border data transfer and to be responsible for the assessment results. We understand that even an enterprise that is not a critical information infrastructure operator must conduct a security assessment against the contents of Article 8 as long as it has a need to transfer data abroad. We note that, judged by what Article 8 requires, conducting the assessment from the enterprise's perspective is relatively difficult (particularly the assessment of the risk of the data leaving the country) and is a significant challenge. To some extent, enterprises may consider engaging third-party organizations to assist with the assessment.
Furthermore, data falling under the special circumstances specified in the Measures shall be submitted to the supervisory authority for a security assessment in accordance with Article 9.
What can be learnt from the Measures?
The Measures is significant as the first important regulation on cross-border data management in China, protecting personal information and important data in the security interests of both the state and the individual. The Measures clarifies and refines the relevant requirements of the Cybersecurity Law, giving enterprises guidance on how to meet their cross-border data transfer obligations. Deloitte expects the CAC and the relevant industry authorities to further refine the Measures and to implement the security assessment for specific industries.
From the enterprise's perspective, with economic globalization and the growth of the Internet economy, cloud computing and big data, enterprises will inevitably have more cross-border data transfer needs in their daily business, and as a result will face a more stringent compliance environment in meeting the requirements of the Measures. On this basis, we offer the following recommendations:
Firstly, become familiar with the regulations and continually track their development, so as to strengthen the data security and personal information protection system
We recommend that enterprises closely follow subsequent amendments to the Measures and the interpretations issued by the relevant departments, move away from a reactive compliance mindset, and proactively invest the people and resources needed to build compliance in line with regulatory requirements, so as to avoid penalties for violations once the law is in force. Understanding the specific requirements of the cybersecurity regulations and the regulatory trend is therefore the first step in reducing the cost of penalties for non-compliance. We recommend that enterprises engage professional consultants and, with the business at the centre, build a cybersecurity compliance system, carry out compliance self-examination, identify the key points of the enterprise's cybersecurity needs, close the gaps found, and strengthen the data security and personal information protection system.
Secondly, assess early and respond effectively to cross-border data transfer requirements
In addition to establishing an effective compliance system, enterprises should prepare early, with reference to the current requirements of the Measures, by surveying the data that leaves the country and carrying out a pre-assessment, so as to respond effectively when the Cybersecurity Law comes into force. Given the current state of their own technical and legal knowledge, we recommend that enterprises engage third parties to conduct the security assessment, which improves the objectivity and effectiveness of the assessment and reduces the enterprise's compliance risk.
Deloitte is a leading global cybersecurity consulting organization, providing enterprises with a comprehensive range of cybersecurity consulting services spanning assessment, design and implementation. Deloitte China has a dedicated cybersecurity law research team that maintains close contact with national regulators, is familiar with the requirements of the security regulations, and has extensive experience in security consulting. Deloitte is able to help enterprises address the challenges arising from the Cybersecurity Law.