On June 13, 2019, the Cyberspace Administration of China (the “CAC”) released Draft Measures on Security Assessment of Cross-Border Transfer of Personal Information (“Draft Measures”) for public comment, the window for which ends July 13, 2019.
The CAC had previously released Draft Measures on Security Assessment of Cross-Border Transfer of Personal Information and Important Data (“Draft Measures on PI and ID”) for public comment on April 11, 2017, which adopts the same regulatory means for personal information and important data, but this law has not entered into effect. Given that the Draft Data Security Administration Measures (released on May 28, 2019) addressed the cross-border transfer of important data and these Draft Measures address the cross-border transfer of personal information, we expect the cross-border transfer of personal information and important data would be subject to different treatment than they would under the Draft Measures on PI and ID.
Below are key provisions under the Draft Measures.
Localization and Consent Requirement
The Draft Measures do not contain an express localization requirement for network operators with respect to the transfer of personal information outside of China. Additionally, other than with respect to sensitive personal information (discussed below), such transfer no longer requires the data subject’s consent.
Application Scope of Security Assessment
The Draft Measures, like China’s Cybersecurity Law, use the term “network operator” to refer to an entity or person who owns or manages a network, or to a network service provider. Under the Draft Measures, the cross-border transfer of personal information (which occurs when a network operator provides personal information collected during business operations in China to an entity or person overseas) would trigger a security assessment by the competent cyberspace administration authority. Unlike the Draft Information Security Technology-Guidelines for Data Cross-Border Transfer Security Assessment, the Draft Measures do not specify what “domestic operation” means or provide additional color on the scope of qualifying cross-border transfers, leaving uncertainty regarding how broadly the security assessment requirement would apply to such transfers.
In practice, many foreign entities that have established Chinese subsidiaries may collect the personal information of domestic users via the Internet. The Draft Measures mandate such foreign entities carry out their obligations through a domestic legal representative or entity. In such cases, if the Chinese subsidiary of a multinational company transmits domestic employees’ or users’ personal data overseas (e.g., to headquarters located outside of China) or the parent (or related) foreign entity directly collects such data through the Internet, its Chinese subsidiary is subject to the Draft Measures.
The Draft Measures do not address whether foreign entities with no Chinese subsidiaries nonetheless must set up a Chinese presence responsible for performing security assessments on applicable cross-border transfers under the law.
Triggering Events Leading to a Security Assessment
The Draft Measures require that network operators report to the local cyberspace administration authority for a security assessment before transferring personal information across borders. This means that the Draft Measures change the existing process, established by the Draft Measures on PI and ID, of self-assessment and mandatory assessment by the competent government authorities. (The external security assessment requirement holds true regardless of the volume of cross-border transfers at issue or the number of individuals whose personal information is impacted.) To receive a security assessment by competent cyberspace administration authority, network operators must submit an application letter, the agreement executed by the network operator and receiver, a report analyzing the security risks of the contemplated transfer and security measures implemented, and any other materials required by the CAC.
Security assessments would be performed with respect to individual receivers of the personal information. Multiple security assessments would be required if the information is transferred to multiple receivers, though, in cases of multiple or continuous provisions of personal information to the same overseas receiver, it is not necessary to conduct multiple security assessments.
The Draft Measures also provide that network operators must undertake a security assessment every two years or when the purpose/type of cross-border transfer of personal information changes or the retention period outside of China changes.
Reporting and Records Obligations
The Draft Measures require network operators submit annual reports to their local cyberspace administration authority regarding the conditions of applicable cross-border transfers. The Draft Measures also contain a data breach notification obligation requiring network operators to promptly notify local cyberspace administration authorities of “major” data incidents.
Network operators also are required to keep records of applicable cross-border transfers for at least five years. The records should include the:
- date of the transfer;
- basic information about the receiver, such as the name, address and contact details;
- type, volume and extent of sensitivity of personal information transferred outside of China; and
- other information required by the CAC.
Suspension or Termination of Cross-Border Transfers of Personal Information
Cyberspace administration authorities may require network operators suspend or terminate cross-border transfers of personal information if (1) network operators or recipients suffer “major” incidents of data breach or “abuse”; (2) it is near-impossible or impossible for data subjects to protect their legitimate rights and interests; or (3) the network operator or receiver is incapable of safeguarding the security of the personal information at issue.
Content Requirements for Cross-Border Transfer Agreements
The Draft Measures shed considerable light on content requirements for cross-border transfer agreements between network operator and the receiver (“Agreements”), which must clearly cover, among other things, the following:
- the purpose, type and retention period of the cross-border transfer at issue;
- data subjects are the beneficiaries of the Agreement’s provisions related to the data subject’s rights and interests;
- data subjects whose legitimate rights and interests in their personal information are harmed can seek damages from either or both the network operators and recipients allegedly responsible, who should compensate the data subjects by way of damages, unless the network operators and/or recipients can prove they are not liable;
- if it becomes impossible to implement the existing Agreement because of legal or regulatory changes in the recipient’s jurisdiction, the Agreement must be terminated or a new security assessment must be performed; and
- Termination of the Agreement would not exempt contractual responsibilities and obligations of the network operator and the receiver unless the receiver destroys received personal information or anonymizes such information.
Network Operator/Receiver Obligations
Agreements must clearly set forth specific obligations of network operators and receivers, which the Draft Measures specify. Network operators’ duties, for instance, include providing a copy of the Agreement to a data subject upon request; receivers, in turn, are responsible, among other things, for complying with data subjects’ requests for access, correction or deletion of their personal information.
Limitations on the Receiver’s Transmission of Personal Information to a Third Party
Agreements should stipulate the conditions under which receivers may transmit the personal information received to a third party. Doing so is prohibited unless the following conditions are satisfied:
- the network operator informs the data subject of information including the purpose of the transfer, the identity and nationality of the third party, and the type of personal information transmitted;
- the receiver guarantees that, upon the data subject’s request, it will cease providing the information to third parties and ask third parties who previously received the information to destroy it;
- the data subject consents to the transmission of sensitive personal information; and
- the network operator pledges to provide advance compensation to data subjects whose legitimate rights and interests were harmed due to the transfer.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code