TC 260 circulates revised draft guidelines on data export security assessments
On 30 August 2017, the National Information Security Standardisation Technical Committee (TC 260) circulated for public comment the second draft of the Guidelines for the Security Assessment of Outbound Data Transmissions (Draft) (数据出境安全评估指南(征求意见稿)).
The guidelines establish the criteria, procedures and standards for carrying out security assessments of proposed data exports and partially implement the Cybersecurity Law of the People's Republic of China 2016 (中华人民共和国网络安全法), which requires operators of critical information infrastructure (CII) to store in China personal information and important data collected or generated in China and prohibits CII operators from transmitting this data abroad before passing a security self-assessment and in some cases a security assessment organised by a government agency.
Like the first draft, the second draft imposes assessment requirements not only on CII operators but on all network operators, that is, owners, managers and service providers of a website, offline network or intranet.
The second draft clarifies the following terms:
  • "Domestic operation" includes foreign network operators that conduct business in or provide goods or services to China, where personal information and important data are involved.
  • "Important data" does not include state secrets or any data lawfully available through government channels.
  • "Data export" means the transmission, one time or continuously, of personal information or important data that a network operator collects or generates during domestic operations to a foreign institution, organisation or individual.
  • "Consent of data subject" means a written statement or other behaviour that clearly authorises a data export.
The process for conducting a security assessment involves the following steps, depending on whether a security self-assessment is sufficient or a security assessment organised by a government agency is also required:
  • Self-assessment: preparation of a data export plan analysing the purpose of a proposed data export, that is, determining whether it is lawful, legitimate and necessary, and, assuming the plan passes the purpose test, analysing the risk of disclosure, damage, tampering or abuse after the data is exported or re-transferred by the recipient.
  • Government assessment: assuming the plan passes both the purpose test and the risk test and government approval is required, approval of the data export plan by the national network information department and the sender's regulator(s).
Comments on the second draft may be submitted to TC 260 until 13 October 2017.
Market reaction
Paul McKenzie, Partner, Morrison & Foerster, Beijing and Shanghai:
"Companies hoping that there would be clarity by now need to continue to be patient. The second draft is clearly the product of a lot of discussion and debate. Even though they are not drafted to be binding standards, the guidelines reflect the views of regulators and will when issued inform enforcement practice. But in some respects they still reflect positions inconsistent with the 2016 Cybersecurity Law itself and are highly unpopular with both domestic and foreign businesses. Will data export restrictions apply only to CII operators or to network operators generally? Will the authorities seek to apply them even to foreign companies with no network infrastructure in China if they do business with Chinese customers? These threshold questions will not be fully resolved until the draft is finalised."
Action items
GC for any business in China (or any foreign individual or entity that does business in China) that transmits abroad personal information or important data will want to review IT infrastructure and work with technology and government relations colleagues to ensure that the business develops and implements effective security assessment and compliance mechanisms.