China Cybersecurity and Data Transfer Laws: Change is Coming

China’s new Cybersecurity Law will become effective on June 1, 2017. In addition to focusing on cybersecurity, the law also details how companies are to handle personal information and data. In determining what is allowed and not allowed for handling personal information in China, it is important to examine The Decision on Strengthening Information Protection on Networks (2012), The Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems (2013), and The Provisions on Protecting the Personal Information of Telecommunications and Internet Users (2013). There are also many industry-specific rules, including such rules for banking and credit information services. China’s new Cybersecurity Law adopts and modifies existing regulations and codifies them.

Under the new Cybersecurity Law, collecting any user’s personal information requires the user’s consent and network operators must keep collected information strictly confidential. Personal information is defined as information that can be used on its own or with other information to determine the identity of a natural person, including the person’s name, date of birth, ID card number, biological identification information (e.g. fingerprints and irises), address, and telephone number. Once such information has been de-identified, it is no longer subject to the requirement for personal information under the law.

According to the new Cybersecurity Law, network operators are subject to the following requirements when collecting and using personal information:

• Collection and use of personal information must be legal, proper and necessary.

• Network operators must clearly state the purpose, method, and scope of collection and use, and obtain consent from the person whose personal information is to be collected; personal information irrelevant to the service provided shall not be collected.

• Network operators shall not disclose, alter, or destroy collected personal information; without the consent of the person from whom the information was gathered, such information shall not be provided to others.

• In the event of a data breach or a likely data breach, network operators must take remedial actions, promptly inform users, and report to the competent government agencies according to relevant regulations.

• In case of an illegal or unauthorized collection and use of personal information, a person is entitled to ask a network operator to delete such personal information; when information collected is wrong, an individual can request correction.

Who are the network operators to which the new law will apply? Owners of networks, administrators of networks, and network service providers. Telecom and Internet service providers, clearly, but “network” is broad enough to go well beyond that.

Networks are systems consisting of computers or other data terminal equipment and relevant devices that collect, store, transmit, exchange, and process information according to certain rules and procedures (Article 76 of the new Cybersecurity Law). If you have a couple of computers at home that can share files, and perhaps a printer connected to them, you technically have a network. The law is not likely to go that far, but the generic definitions of network and network operators leave a lot of room for interpretation, which is exactly how the Chinese government wants it.

The new Cybersecurity Law also requires critical information infrastructure operators (CIIOs) store within China personal information and important data gathered and generated within China and conduct annual security risk assessments regarding their data. Though the definition of CIIO is yet to be clarified, we already know China’s yet to be finalized Measures for Security Assessment of Personal Information and Important Data Leaving the Country will likely require foreign companies doing business in China make big changes in how they handle data. The Cyberspace Administration of China (CAC) published a draft of Measures for Security Assessment of Personal Information and Important Data Leaving the Country back in April, raising many concerns for foreign businesses operating in China.

These Measures for Security Assessment would expand the data localization requirement to all network operators. This would mean that pretty much all personal information and important data collected by network operators within the PRC must be stored within China and not leave China, other than for “genuine business need” and after a security assessment. And if you think you may be a network operator, you probably are.

Since the new Cybersecurity Law does not differentiate between internal and external networks, it is broad enough to include any company that owns an internal network. Will your China WFOE be able to transmit employee information back to its overseas headquarters? In China’s Cybersecurity Law and Employee Personal Information, we set out best practices for doing this, but that was written before publication of the Draft Measures. Should the Draft Measures become effective — as expected — our views on data transfers will almost certainly toughen. Foreign companies are already setting up data centers in China so as to be able to keep data local and many of our clients are looking at doing the same.

We have been reluctant to write much about data and privacy protection in China because existing laws are both unclear and in a massive state of flux. But because this is so important and because this reluctance cannot extend to a client who needs to know what it must do now with specific data, we plan to write more often about these topics in the weeks and months ahead.

Please stay tuned.

We will be discussing the practical aspects of Chinese law and how it impacts business there. We will be telling you what works and what does not and what you as a businessperson can do to use the law to your advantage. Our aim is to assist businesses already in China or planning to go into China, not to break new ground in legal theory or policy.