Caixin
Nov 06, 2021 09:40 AM
WEEKEND LONG READ

Weekend Long Read: How China’s Data Regulations Can Meet the CPTPP Requirements (Part 1)

China can accept the CPTPP rules provided that compliance matters are considered when formulating detailed security assessment rules on cross-border data transfers.

Whether China can accept the rules of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) on cross-border data flows has become a key issue for the country, both in its current participation in the World Trade Organization's (WTO) e-commerce negotiations and in its potential accession to the trade pact.

China has made rapid progress this year in publishing data security laws. Although the regulatory framework for cross-border data flows has yet to be completed, it now contains the essential elements from which one can draw a preliminary answer to the question above.
I want to clarify the question this article seeks to answer: whether China CAN accept the CPTPP's rules on cross-border data flows. That is a compliance question, answered by examining domestic regulations and the international rules to see whether there are any fundamental conflicts between them. Whether China WILL actually choose to accept the rules is a separate matter, better suited to intergovernmental negotiation. To answer the WILL question, one must determine not only whether the international rules CAN be accepted but also whether China SHOULD accept them, which means assessing whether the rules align with China's national interests.


Let me start with my conclusion: I think we can accept the CPTPP’s rules on cross-border data flows, provided that compliance matters are considered when formulating detailed security assessment rules on cross-border data transfers.

This article is divided into four parts. The first part deals with the basic framework for China’s rules on cross-border data flows; the second part presents the extracted restrictions on cross-border data transfer; the third part examines compliance with CPTPP Article 14.11 on these restrictive measures. I offer my recommendations in the fourth part.


Definition of ‘cross-border data flows’

Under what circumstances is data considered to have been transferred overseas?

Although the phrase "transfer overseas" is used in China's Data Security Law and the phrase "provide information abroad" is used in the Personal Information Protection Law, the Cybersecurity Review Measures and the Regulations on the Management of Automobile Data Security, none of these rules defines the conduct that actually triggers regulation.

The 2017 exposure draft of the national standard Information Security Technology — Guidelines for Data Cross-Border Transfer Security Assessment proposes that data shall be regarded as transferred overseas in three cases: when it is stored outside China; when a copy is provided to a party that is not under China's jurisdiction or not registered in China; or when the data remains stored in China but can be accessed and viewed by institutions, organizations or individuals outside the country.

Although the guidelines have not been finalized, this definition is reasonable and could well be formally adopted by policymakers. In other words, the definition of "data transfer" resembles that of "export" in export control: it covers physical movement of data across a border and, potentially, any transfer that is "deemed" to cross a border, such as remote access from abroad to data that never leaves Chinese servers. Practitioners should therefore not assume that keeping data on domestic infrastructure alone takes it outside the rules.

After studying the relevant provisions of the laws and regulations in effect in China, this article classifies the rules on cross-border data flows into five scenarios based on two aspects: the type of data processor (the "subject") and the nature of the data (the "object").


Scenario 1: Ordinary information processors that handle ordinary personal data

In this scenario, the subject is an ordinary business that is neither an important processor nor a critical information infrastructure operator (CIIO), and the object is personal information that does not constitute important data.

The Personal Information Protection Law stipulates that personal information processors may provide personal information to a party outside China for business needs as long as they meet one of the following conditions:

• They have passed the security assessment overseen by the Cyberspace Administration of China (CAC) (specific procedures and standards to be developed);

• They have gained personal information protection certification through a specialized institution according to the provisions issued by the CAC (the certification is a third-party certification guided by the CAC that requires additional support systems);

• They have adopted the standard contract formulated by the CAC (the standard contract has yet to be developed by the CAC);

• They have followed other conditions provided by law or in administrative regulations, or by the CAC.

Moreover, two additional conditions must be met.

First, processors must take the necessary measures to ensure that overseas recipients meet the protection standards stipulated in China's Personal Information Protection Law. This adopts the principle of equivalent protection found in the personal information protection laws of many countries. Note, however, that China's requirement of equivalent protection applies to the overseas data "recipient" itself, not to the overall legal environment of the destination jurisdiction. Second, processors must fulfill their notification obligations and obtain each data subject's separate consent to the transfer.


Scenario 2: Ordinary information processors that handle important data

In this scenario, the subject is an ordinary business, and the object is important data rather than ordinary data.

Existing legislation does not directly address this case. The Data Security Law states that specific measures will be drafted by the CAC under the State Council in conjunction with the relevant departments. A rough idea can nonetheless be gained from the Regulations on the Management of Automobile Data Security. Many automobile data processors will likely be classified as ordinary businesses rather than CIIOs, and their processing of important data is a typical instance of this scenario.

The regulations provide only one route for overseas transfer: the data shall, in principle, be stored in China, and where it is necessary to provide it abroad, a security assessment organized by the CAC must first be passed. The regulations also impose ongoing obligations on data processors, including complying with the requirements of the security assessment and cooperating with the CAC on periodic reporting.

Scenario 3: Important data processors that deal with personal information or important data

In this scenario, the subject is a processor of special importance, and the object is personal information or important data.

"Important data processors" here refers to the processors themselves being important, not to the data; the term mainly covers CIIOs.

The Cybersecurity Law, Personal Information Protection Law and Data Security Law take a uniform position on cross-border data transfers by CIIOs and provide only one route: the data of CIIOs shall, in principle, be stored in the country, and should it be necessary to transfer data abroad for business needs, a security assessment shall be conducted in accordance with the regulations formulated by the CAC together with the relevant departments. The Personal Information Protection Law defines the subject in more detail. In addition to CIIOs, important data processors include personal information processors and government agencies that process personal information above a specified volume. According to the Measures on Security Assessment of Cross-Border Export of Data (draft issued for public comment in October 2021), that threshold is the personal information of 1 million individuals. The conditions for cross-border data transfers by such processors are the same as those for CIIOs.
Two key terms are elaborated here. 
The first is “critical information infrastructure” (CII). CII has three features:

• (1) It belongs to important industries and areas, including public communication and information services, energy, transportation, water conservancy, finance, public services, e-government services and the defense-related science and technology industry, and may also include large internet platforms;

• (2) Once it is damaged, disabled or subject to data leakage, it may seriously endanger national security, national welfare and people's livelihoods, or the public interest;

• (3) It is a network facility or information system.

CII is under the administration of the Ministry of Public Security and will be identified by authorities in various industries and areas (security protection authorities).

The Ministry of Public Security guides the formulation of CII identification rules, and the security protection authorities work out industrial identification rules and organize the identification.

Three factors should be considered in identification: (1) the importance of the facility or system to critical core business or to the provision of basic support; (2) the degree of harm that damage would cause to national security, national welfare and people's livelihoods and the public interest; and (3) the knock-on impact on other industries and areas. The form of enterprise ownership should not affect CII identification.

Many regulations on CII protection are currently in preparation, a large number of which will be issued as national standards. Two core standards are Information Security Technology — Requirements for Security Protection of Critical Information Infrastructure and Information Security Technology — Security Control Measures for Security Protection of Critical Information Infrastructure, the latter being the concrete implementation of the former. The Control Measures is still being drafted. Its 2018 Draft for Comment already covered the cross-border transfer of CII information, so we expect the formal Control Measures to define the cross-border transfer of data processed by CII in more detail, building on the principle set out above that such transfers are subject to a security assessment organized by the CAC.

The second key term is "important data" (also translated as "key data").

At present, the most direct definition of important data comes from the Automobile Data Regulation: data that, "once falsified, destroyed, leaked or illegally accessed and used, may impair national security, the public interest or the lawful rights and interests of individuals and organizations." Important data is therefore not limited to data bearing on national security and the public interest; it may also include data related to the lawful rights and interests of individuals and organizations.

In contrast, the Data Security Law carves out a separate regulatory framework for "national core data," which it defines as data that "concerns national security, national economic lifelines, important public livelihood areas and major areas of public interest." On this definition, national core data falls within the scope of important data: it is the portion of important data that is of the highest importance and related to national security and major areas of public interest. Some experts have accordingly pointed out that important data has a broad scope and wide coverage in the business sector, so its protection deserves close attention, while national core data has a narrow scope that most organizations will never touch, so it must be subject to much stricter management.

However, the Data Security Law does not spell out the stricter management system for national core data. For cross-border data flows, we at least know that important data may cross borders only after a security assessment. Can national core data be transferred out of the country at all, even after a security assessment, or must it be stored domestically? The answers remain unknown, but one can reason about what to expect.

The identification of important data should follow Information Security Technology — Identification Guide of Important Data, which is still in preparation. Compared with the appendix Important Data in the Information Security Technology — Guidelines for Data Cross-Border Transfer Security Assessment issued in 2017, the Identification Guide of Important Data will classify important data into "7+1" categories according to factors such as data function and the impact of its compromise, rather than by industry.

The above classification describes the features of important data in multiple aspects so as to help the identification authorities identify important data. However, regions and departments should work out their own important data catalogues according to their actual conditions.


Scenario 4: Data supply requests from foreign judiciaries or enforcement authorities


This situation is stipulated by the Personal Information Protection Law and the Data Security Law. Requests from foreign judicial or law enforcement authorities for data stored in China shall be handled in accordance with the international treaties or agreements China has concluded or acceded to, or on the principle of equality and reciprocity, and no data may be provided without the approval of the competent authorities.

On the earlier hot-button issue of accounting documents, the China Securities Regulatory Commission (CSRC) has maintained its position: if the U.S. Securities and Exchange Commission (SEC) or the Public Company Accounting Oversight Board (PCAOB) requests assistance with an investigation, the relevant documents must be provided through regulatory cooperation channels and must not be transferred overseas without the permission of the regulatory authorities. This is consistent with the Personal Information Protection Law and the Data Security Law.


Scenario 5: Applicable international treaties or agreements


According to the Personal Information Protection Law and the Automobile Data Regulation, international treaties or agreements that China has concluded or acceded to apply to cross-border data transfers. Under the Personal Information Protection Law, however, this route is available only for cross-border transfers of personal information by ordinary data processors; CIIOs must still undergo a security assessment.

The international treaties or agreements in question should be those made specifically for cross-border data flows, such as the APEC Cross-Border Privacy Rules (CBPR) or bilateral data security treaties between China and other countries or regions. So far, China has signed no such treaty. The provisions in the Personal Information Protection Law and the Automobile Data Regulation nonetheless signal China's positive and open attitude toward such treaties.


Summary 


Of the five scenarios of cross-border data transfer described above, the last two are relatively special. In particular, the fourth is essentially about government law enforcement rather than the "business needs" addressed by the CPTPP's rules on cross-border data flows.

The first three scenarios, which relate to business needs, fall into two broad categories. The first is personal information handled by ordinary data processors, which can cross borders by way of personal information protection certification or the standard contract formulated by the CAC. The second is the security assessment conducted by the CAC. Security assessment is available in almost every case and is the only route in those cases where either the data processor or the data itself is of special importance.

Note that security assessment can at present be conducted only by the CAC. This means that the self-assessment contemplated in the 2017 exposure draft of Information Security Technology — Guidelines for Data Cross-Border Transfer Security Assessment, and the assessment by provincial cyberspace administrations contemplated in the 2019 exposure draft of the Measures on Security Assessment of the Cross-Border Transfer of Personal Information, are no longer applicable. Making the CAC the sole assessing authority helps unify the criteria applied in assessments. Moreover, since security assessment mainly applies where either the data processor or the data concerns national security or the public interest, the power to assess properly belongs to a central government agency, which, for cyberspace matters, is the CAC.

Xu Chengjin is a researcher at the Center for International Economic and Technological Cooperation.

This commentary is the first of a three-part series.

Contact editors Michael Bellart (michaelbellart@caixin.com) and Heather Mowbray (heathermowbray@caixin.com)
