Opinion: How China Can Meet the CPTPP’s Data Requirements (Part 2)
This is the second of a three-part story.
Regulatory measures can have a restrictive effect by setting criteria for cross-border data transfer. Such “restrictive measures” are subject to international economic and trade rules. Based on the content of Part 1 together with other provisions in the relevant laws and regulations, six restrictive measures on cross-border data flows can be identified.
Personal information protection certification and the standard contract
These two are common restrictive measures on cross-border transfers of personal information in the personal information protection laws of most countries. The Personal Information Protection Law of China was modelled on other frameworks, such as the EU General Data Protection Regulation (EU GDPR). Under the EU GDPR, personal information protection certification and the standard contract are the specific means of implementing the principle of equivalent protection. The same principle is stipulated in Chinese law, although the details of personal information protection certification and the standard contract still need to be set out in future implementing regulations.
Security assessment conducted by the Cyberspace Administration of China (CAC)
As a major restrictive measure on China’s cross-border data transfers, the concrete form of the security assessment has not been finalized. The analysis here is mainly derived from the Measures for Security Assessment of Outbound Data Transfers (Draft for Comment) (《数据出境安全评估办法（征求意见稿）》), published on Oct. 29, 2021, and the exposure draft of the Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (2017).
The provision of the security assessment in the law of China states: “Data that must be transferred cross-border for business needs shall pass the security assessment conducted by the CAC.” Two key points of the security assessment can be inferred here.
First, the question of whether the data “needs” to be transferred cross-border.
The Measures for Security Assessment of Outbound Data Transfers (Draft for Comment) stipulate that the legality, legitimacy and necessity of the cross-border data transfer shall be assessed. According to the exposure draft of the Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (2017), the legality aspect asks whether the cross-border data transfer is expressly forbidden by laws, regulations or competent administrations. The legitimacy aspect involves specific conditions, including whether the data subject has personally consented to the transfer. The necessity aspect reviews whether the business need is genuine, for example performance of a contract. Although the term “needs” looks like a “necessity test” and appears to set a high standard, in reality it merely ensures that the cross-border data transfer does not fall below the baseline set by the laws and regulations.
Second, the question of whether the data is “secure” after the cross-border transfer.
This question is answered mainly by assessing the security risks involved in the data transfer. Comprehensive consideration should therefore be given to the data’s properties, the likelihood of a security incident and the impact a security incident would cause. The key points for data properties are the type of data, i.e., whether it is personal information, important data or other data; and the amount and scope of data, i.e., whether the range of the cross-border transfer has been minimized and whether the data has been desensitized or anonymized through technical processing. On the likelihood and impact of a security incident, the assessment emphasizes: a proper legal instrument between the data sender and data receiver that stipulates data protection duties; the security protection capability of the data receiver, in particular whether its level of data protection meets the criteria required by the PRC’s laws, regulations and mandatory national standards; the risk of the data being leaked, tampered with, lost, re-transferred, illegally acquired or abused during and after the cross-border transfer; and the political, legal and cybersecurity environment of the country where the data receiver is located. For the last factor, the data retrieval powers and procedures of the receiving country’s law enforcement agencies and government may be considered.
The purpose of the security assessment is to ensure that the data remains secure after the cross-border transfer, not to set up obstacles. Facilitating business is therefore an important factor in the design of the security assessment system, and it is mainly reflected in how often the assessment must be conducted. According to the Measures for Security Assessment of Outbound Data Transfers (Draft for Comment), an assessment result is valid for two years unless material changes occur. These include changes in the purpose, scope, type or retention period of the transferred data; changes in the way the data receiver processes the data; changes in control of the data sender or data receiver; or changes in the legal environment of the receiving country. Thus, the security assessment should not cause great trouble in the day-to-day operation of enterprises.
In addition, some experts have mentioned a “whitelist” system for cross-border data flows. For example, it has been proposed in the cross-border data cooperation between the Chinese mainland and Hong Kong that the central government of China and the local government of Hong Kong will both certify a data center in Hong Kong. If the data center passes the certification, it can receive data from the mainland unhindered. This system may spread more widely to other countries and regions in the future through bilateral data security agreements. The “whitelist” system is directly related to the cross-border data transfer realized by international treaties and agreements. It can be reasonably inferred that the security assessment must be conducted when identifying the whitelist region and signing the bilateral data security agreements. The content and criteria of the assessment should have no essential difference from the general cross-border data transfer security assessment conducted by the CAC.
Data security review
The data security review is not clearly specified in the laws and regulations on cross-border data transfers. However, since it has a significant impact on whether data can be transferred cross-border, it also counts among the restrictive measures on cross-border data transfer.
The Data Security Law establishes the need for a data security review system, as specified by the Cybersecurity Review Measures (Revised Draft). The revised draft states that a security review shall be conducted if the data processing activities carried out by data processors have the potential to harm national security. The “data processing activities” here should logically include cross-border data transfers. In particular, the draft proposes that operators who hold the personal information of more than 1 million users shall undergo a security review when being listed abroad.
The security review is focused on the potential impacts to national security. On one hand, the security review pays attention to national core data, important data and mass personal information, of which mass personal information can basically be understood as important data. This shows that objects under the supervision of a security review are data related to national security and important public interests. On the other hand, the security review attaches importance to the risk of data being influenced, controlled and maliciously exploited by foreign governments after the completion of a cross-border transfer. This kind of risk is identified as a typical national security risk.
Compared with the security assessment of cross-border data transfers, the security review has a scope of application that is not limited to cross-border transfers, but its focus is specifically on national security risks. The security assessment of cross-border data transfers applies to Critical Information Infrastructure Owners (CIIO) and to important data related to national security and public interests, as well as to cross-border transfers of personal information and important data carried out by ordinary data processors. In those cases, the security assessment weighs whether the legitimate rights and interests of individuals or organizations will be infringed upon, not national security. In addition, the security review is procedurally similar to the foreign investment security review, which also focuses on national security and gives the review authority great power. Some experts therefore argue that the security review is a very special means of deterrence that will not be applied to every cross-border data transfer.
Restrictive measures imposed to deal with misconduct
Both the Personal Information Protection Law and Data Security Law have provisions on this, and there are two situations that call for the measures. First, when overseas organizations or individuals infringe upon China’s personal information rights and interests or endanger China’s national security or public interests, the CAC may restrict or prohibit the provision of personal information to them. Second, if other countries or regions take discriminatory prohibitive or restrictive measures against China on data-related issues, China may take countermeasures against them according to the actual situation. The second situation is essentially a reciprocal retaliation.
The Data Security Law stipulates that export controls shall be imposed on the data that are controlled items in accordance with the law. This means that China will adopt licensing administration for such data and review license applications for cross-border data transfer on a case-by-case basis.
Prohibition of cross-border data transfer
China has no general rules banning cross-border data transfers. In the future, national core data may be generally banned from being transferred overseas, but this remains to be specified. At present, prohibitions on cross-border data transfer are mainly found in the regulations of specific industries, and they take two main forms.
First, data is prohibited from being provided abroad, or must be stored in China. For example, Article 6 of the Notice of the People’s Bank of China on Financial Institutions’ Protection over Personal Financial Information stipulates that “the storage, processing and analysis of personal financial information collected within the territory of China shall be carried out in China... Banking financial institutions shall not provide domestic personal financial information abroad.” However, such prohibitions may not be absolute. The Personal Financial Information Protection Technical Specification issued in 2020 specifies that personal financial information collected and generated in China shall be stored, processed and analyzed in China. If there is a business need to provide such information to overseas organizations, a series of requirements must be met, including obtaining the data subject’s express consent, passing the cross-border transfer security assessment, and supervising the overseas receiving institution to ensure it performs its data protection duties and obligations.
Many so-called provisions prohibiting cross-border data transfers resemble the one above. They appear to require data to be stored locally, but there is usually an added note stipulating that where there is a business need, the data can be transferred overseas after undergoing a security assessment. In essence, cross-border data transfer is allowed if it passes the security assessment.
Second, the server is required to be located in China. For instance, Article 34 of the Map Administration Regulation requires that the “internet map service unit shall set up the server for storing map data in the People’s Republic of China.” Article 10 of the Population Health Information Administration Measures (Trial Implementation) stipulates: “Neither storing population health information in overseas servers nor hosting and leasing overseas servers is allowed.” According to Article 10 of the Measures for the Administration of Electronic Banking, “The electronic banking operating systems and business processing servers of Chinese banking financial institutions shall be set up in the People’s Republic of China; those of foreign financial institutions may be set up in or outside the People’s Republic of China. Where they are established abroad, the corresponding foreign financial institutions shall set up facilities and equipment that can record and store business transaction data in the People’s Republic of China, meet the requirements of on-site inspection by the financial regulatory authorities and be able to meet the requirements of investigation and evidence collection by Chinese judicial organs in the event of legal disputes.” These three provisions reflect two different rationales behind the rulemaking.
First, cross-border transfer is treated as generating such great security risks that it is not allowed at all. This is the case for map data and population health information. In these circumstances the relevant data is more likely to be national core data, so it is prohibited from being transferred overseas. Second, regulators reserve their right of jurisdiction. This is the case for electronic banking operating systems. As long as the regulators’ requirements for investigation and evidence collection are met, and copies and backups are kept in China, the data can be transferred overseas.
What’s banned and what’s allowed?
To sum up, China rarely bans cross-border data transfers outright, except for extremely important data that may potentially be identified as national core data. Despite the other so-called prohibitions on cross-border data transfer and local storage requirements, a cross-border data transfer is nevertheless allowed after passing the cross-border transfer security assessment or data security review, meeting the requirements of personal information protection certification or the standard contract, satisfying the regulators’ jurisdictional requirements, or obtaining an export control license. One relatively special situation in which China can unilaterally take measures restricting cross-border data transfer is when an overseas subject engages in discriminatory or improper conduct.
Xu Chengjin is a researcher at the Center for International Economic and Technological Cooperation.