CAC Circulates Draft Rules on Exporting Personal Information and Important Data

On 11 April 2017, the Cyberspace Administration of China (“CAC”) circulated for public comment the Measures on Security Assessments for the Export of Personal Information and Important Data (Draft for Comments). The draft will partially implement the Network Security Law of the People’s Republic of China 2016.

Under the draft:

  • “Personal information” means electronic or other types of records capable of identifying a natural person’s identity either by itself or in combination with other information, including without limitation a natural person’s name, date of birth, identification number, personal biometric information, address and phone number.
  • “Important data” means data closely related to national security, economic development, and the public interest as specified in national standards and important data guidelines.

The draft requires a “network operator”, that is, any network owner, manager or service provider, to:

  • Store in China personal information and important data collected and generated during their China operations.
  • Obtain consent from data subjects before exporting their personal information.
  • Conduct a self-assessment of network security before carrying out any “data export”, that is, transmitting personal information and important data to organisations, groups or individuals outside China.
  • Conduct an additional self-assessment whenever:
    • the recipient of a data export is different;
    • the purpose, scope, amount or type of data exported changes significantly; or
    • a major security incident occurs to the data recipient or the exported data.

The draft also requires a network operator to submit to a government organised security assessment in certain circumstances and prohibits the export of certain data.

Market Reaction

Marissa Dong, Partner, Jun He, Beijing

“The cross-border data transfer assessment requirement may potentially impact the data transfer by China-based operations in this fast-developing digitised world with their headquarters, business partners, regulators and so on in other jurisdictions. Companies which have adopted a cloud solution for internal management on a global basis will need to revisit their IT infrastructure, data storage and transfer arrangements, and internal rules to prepare for the measures.”

Action Items

General Counsel for any company with China operations will want to closely study the draft and revisit the company IT infrastructure to determine the implications and changes that the new data export development might bring to the company businesses.