An updated and substantially more onerous draft of China’s long-awaited position on cross border data transfers has just been published. The Measures on Personal Information Cross Border Transfer Security Assessment (“Measures”) apply to all “Network Operators” and will require specific action to be taken by all businesses that send personal information out of China.
Offshore Companies with China Operations are in Scope and Under Increasing Regulatory Focus
Similar to the extraterritorial effect of Europe’s GDPR, the Measures also appear to cover personal information collected by overseas businesses from individuals in China. This would directly impact the many organisations that currently operate their China business on a remote or virtual basis.
It also specifies that overseas entities collecting data in China will need to comply with the duties and obligations of a network operator “through its legal representative or entities in China”. While the details of this are unclear, the inference is that organisations with China operations may either need to appoint a local representative or establish their own legal presence in China if they do not already have one. This aligns with the broader trend of encouraging local establishment or the creation of local partnerships by foreign businesses. For example, several new guidelines, including MLPS 2.0, now make unclear but distinct references to cloud services in China being delivered from infrastructure based in China.
The Measures provide the Cybersecurity Administration of China (CAC) with wide ranging powers to scrutinise organisations and the flexibility to request any information where they deem it necessary. Coupled with recent enforcement activity and proactive Cybersecurity Law compliance audits, it is essential that businesses get their China data strategy in order.
What you will need to do:
- All network operators (and not just critical information infrastructure operators) will now have to undertake a security assessment before transferring personal information overseas, and file this with the local CAC. The local CAC will also engage technical experts to conduct its own security evaluation based on your report. Given the scale of the China market this process has the potential to create significant administrative delays, so businesses should consider preparing and filing their security assessments as soon as possible.
- Establish data transfer agreements with all offshore data recipients. There are now specific clauses that should be included in such agreements. These agreements also need to be filed with the local CAC.
- Check your notices and consent language to ensure you have provided sufficient notice to data subjects regarding proposed cross border data transfers.
- Submit an annual report to the CAC on the status of cross border transfers and the performance of data transfer agreements.
- Maintain a log of all cross-border transfers of personal information for at least five years.
- All businesses should establish and maintain an effective incident response plan and report all major data security incidents “immediately”.
- Appoint an officer within your organisation to take control of addressing annual reporting requirements and liaising with the relevant authorities. If you are a foreign entity, consider appointing a local representative to address compliance with China data protection and security requirements.