TC 260 Circulates Draft Guidelines on Security Assessment of Data Exports

On 27 May 2017, the National Information Security Standardisation Technical Committee (“TC 260”) circulated for public comment the Guidelines for the Security Assessment of Outbound Data Transmissions (Draft).

The draft guidelines flesh out the Measures on Security Assessments for the Export of Personal Information and Important Data (Draft for Comments) by establishing the criteria, procedures and standards for carrying out security assessments of data exported from China.

The draft measures will partially implement the Cybersecurity Law of the People’s Republic of China 2016 (“2016 Cybersecurity Law”), which requires operators of critical information infrastructure (“CII”) to store in China personal information and important business data collected in China and prohibits CII operators from transmitting this data abroad before passing a security assessment.

The draft measures require network operators, which includes all network owners, managers and service providers, to conduct a security assessment before exporting personal information and important data. The draft guidelines also expressly apply to all network operators, and not just CII operators, and impose compliance requirements in relation to data exports under certain specified circumstances.

The draft guidelines also contain a detailed set of assessment methods and criteria for determining if a data export adversely impacts personal rights and interests, national security or the public interest.

Market Reaction

Jeanette Chan, Partner, Paul, Weiss, Rifkind, Wharton & Garrison, Hong Kong

“The draft guidelines, like the draft measures, extend the data localisation requirement to network operators, and not just to CII operators as stipulated under the 2016 Cybersecurity Law. If enacted in its present form, the draft guidelines would greatly enhance the regulatory burden on companies transferring data out of China. In addition, other requirements included in the draft guidelines, such as political and legal assessments of data receiving countries, pose further compliance challenges to businesses operating in China.”

Action Items

The final versions of the draft guidelines, the draft measures and other implementing measures for the 2016 Cybersecurity Law will be promulgated in the near future. General Counsel for any business in China that transmits data abroad will want to closely monitor these developments and work with technology and government relations colleagues to ensure that the business develops and implements effective data security compliance mechanisms.