China’s Network Security Law (NSL), adopted late last year, is set to take effect on June 1, 2017. One of the most important provisions of the NSL is Article 37, which requires operators of critical information infrastructure to store personal information and important data within China.

Transferring such information overseas is only permitted after the information is assessed by the competent authority. Critical information infrastructure is broadly defined in the NSL as any information system important to national security, citizen welfare and public interest, such as public communications and information services, energy, transportation, water conservancy, finance, public services, e-government and other important industries and fields.

On April 11, 2017, the Chinese Cyberspace Administration published a notice, seeking public comments on its proposed rules. The rules covered security assessment of transfer of personal information and important data abroad, essentially administrative rules to implement Article 37 of the NSL.

However, there is one glaring difference between these proposed rules and Article 37 of the NSL. Network operators are similarly defined in both the NSL and the proposed rules as owners or managers of network and network service providers. But the proposed rules impose the data export restrictions not only on the operators of critical information infrastructure, as in the NSL, but also on all other network operators.

The European Union’s data protection practice drew a lot of criticism by prohibiting companies from transferring personal data of EU citizens to countries which have not been deemed to provide an adequate level of data protection. In comparison, China's restriction on data export under the proposed rules is much more extensive and stringent.

China not only limits cross-border transfer of personal information, but also requires security assessment for transfer of important data. It vaguely defined important data to be data that is closely related to national security, economic development, and societal public interest, with specific reference to some yet-to-be-published guideline. In addition, certain data cannot be transferred whatsoever.

If the proposed rules are adopted as is, which is speculated to be the case, personal information and important data collected and generated in China are required to be stored in China. If such personal information or data needs to be transferred overseas, safety assessment should be conducted either by the network operators or by the relevant regulatory authorities, depending on the nature of the personal information or data.

The following data would not be allowed to be transferred overseas:

  • Personal information, if the subject of the personal information does not consent to the transfer, or the transfer may harm the interests of the individual.
  • The data transfer poses national political, economic, scientific or technological risks, may affect national security or harm societal public interests.
  • Other data that cannot be transferred as determined by relevant departments such as the national network information department (网信部门), public security department (公安部门) and other security department (安全部门).

Prior to transfer any personal information or important data, the network operator should carry out a security assessment for the data transfer at least on an annual basis. The proposed rules suggest seven factors as the focus of the assessment including the need for the transfer, the sensitivity of the data, the measures for security protection and the risks of the transferred data being compromised.

If the personal information or important data meets any of the following requirements, the network operators should report the prospective data transfer to relevant industry regulatory or supervisory authorities (行业主管或监管部门):

  • The data contains personal information of more than 500,000 people.
  • The amount of data is over 1000GB.
  • The data contains information about nuclear facilities, chemistry, biology, national defense, military, and public health or information relating to large-scale engineering projects.
  • The data contains information relating to network security or system vulnerabilities of key information infrastructure.

Even if certain information covered by the proposed rules luckily falls under the self-assessment category, the network operator still faces significant compliance risks. It is required to report the self-assessment to the industry regulatory or supervisory authorities and will be held responsible for the assessment results.

In addition, the network operator also is required to assess the security protection levels of the data recipient and the risk of the data being comprised--hardly something that the network operator can easily determine with certainty.

Thus many Chinese companies are likely to turn to domestic partners in transactions where data exchanges are necessary, including the much anticipated rise of big data, deep learning, cloud services and SaaS. Companies who find it a business necessity to transfer data overseas are encouraged to set up internal security assessment procedures based on the factors in the proposed rules or engage outside experts.

Ning Zhang and Wei Zhang are partners at MagStone Law, a law firm specializing in China related transactions.