Organizations doing business in China should pay attention to recent action by the Cyberspace Administration of China regarding the regulation of cross-border personal information transfers.
On June 13, 2019, the Cyberspace Administration of China published draft Measures on Security Assessment of the Cross-Border Transfer of Personal Information. The June 13 draft, also called the Measures for the Assessment of the Exit of Personal Information (the title varies slightly between translations), builds on the China Personal Information Security Specification issued in 2017. The draft measures also represent the latest effort by the Chinese government to implement China’s Cybersecurity Law, which went into effect in 2017.
What Is the China Personal Information Security Specification?
The China Personal Information Security Specification, which went into effect in 2017, is China’s version of the EU’s General Data Protection Regulation, or GDPR. Issued by the Standardization Administration of China, the China Personal Information Security Specification addresses the collection, processing, transfer and disclosure of personal information, as well as the consent needed to collect personal information in the first place and establishes procedures for addressing security incidents. The specification’s formal title is Information Security Technology — Personal Information Security Specification (GB/T 35273-2017).
Interestingly, compliance with the China Personal Information Security Specification is not mandatory, although the Chinese government looks at compliance with the specification as an indicator that the nation’s cybersecurity law requirements are being satisfied.
The Difference Between Measures
While the China Personal Information Security Specification addresses broad aspects concerning the handling of personal information, the draft measures focus more specifically on the cross-border transfer of personal information.
The draft measures issued in June 2019 are the latest step in the Cyberspace Administration of China’s efforts to regulate this area. Back in 2017, the Cyberspace Administration of China issued draft Measures on Security Assessment of Cross-Border Transfer of Personal Information and Important Data. Interestingly, the Cyberspace Administration of China now seems to be regulating personal information and important data separately: in May 2019, it issued draft Data Security Administration Measures that address the cross-border transfer of important data.
The comment period on the June 2019 version of the draft measures on personal information closed in July 2019.
What Do the Draft Measures on Personal Information Do?
The draft measures require network operators to provide a security assessment to a local cyberspace administration authority before the cross-border transfer of personal information occurs. The local cyberspace administration authority then conducts its own assessment and reports its findings to national authorities.
Under the draft measures, network operators are required to provide copies of their contracts with data receivers to the local cyberspace administration authority along with reports analyzing security risks of cross-border transfer of personal information and the security measures taken.
Personal information is information that identifies a person, either on its own or in combination with other information. It includes a person’s name, birth date, identification number, personal biometric information, address, phone number and so on.
Significant data breaches are to be reported to the local cyberspace administration authority.
Under the China Cybersecurity Law, certain personal information and important data must be stored within China unless the entity has, among other requirements, passed a security assessment. Data that affects national security, damages the public interest or is difficult to protect may not be transferred cross-border under the draft measures.
What Should Organizations Do?
Entities doing business in China might want to begin preparing to comply with the assessment and reporting requirements of the draft measures. They may also need to modify their contracts with data receivers to adhere to the specific requirements of the draft measures. Additionally, organizations may need to localize data where they cannot meet the requirements of the draft measures or choose not to.