Article by Daniel Albrecht

Summary: The Cybersecurity Law of the People’s Republic of China was issued on November 7, 2016, and officially took effect on June 1, 2017. The Cyberspace Administration of China (CAC) has released supporting measures to implement provisions of the Cybersecurity Law. These draft Measures provide guidelines for cross-border transfer of data, data security assessments, and the protection of data in relation to national and public interest. In 2017, the CAC published Measures on Security Assessment of Cross-Border Transfer of Personal Information and Important Data. The draft received extensive feedback, leading to a second draft released in June 2019, Measures on Security Assessment of Cross-Border Transfer of Personal Information. The new draft will affect a wide range of domestic and foreign entities in China that have cross-border transfer needs.
Separating “Personal Information” and “Important Data”
On June 13, 2019, the Cyberspace Administration of China (CAC) released Measures on Security Assessment of Cross-Border Transfer of Personal Information. Regulations and guidelines provided in the draft pertain to network operators that export personal information data to recipients outside of China. It should be noted that the 2017 draft Measures applied to both “important data” and “personal information” data. However, the 2019 draft legislation omits the term “important data” and solely focuses on the export of “personal information.” The removal of the term implies that the CAC is now treating important data and personal information as separate categories that are subject to different requirements.[1] Therefore, the content in the new draft regulation only concerns the cross-border transfer of “personal information” collected within the territory of China.[2]
Data Localization Requirement
China’s Cybersecurity Law requires data localization for “critical information infrastructure operators” (CIIOs) that collect and generate data within China. In other words, the provision requires that personal information and important data collected by CIIOs within the territory of China be stored on Chinese servers. The 2017 draft Measures attempted to clarify this data localization rule. However, the draft expanded the data localization requirement to all “network operators,” causing controversy and confusion in the international community. Since “network operator” is more vaguely defined than “CIIO,” the 2017 Measures broadened the scope of the data localization requirement.
To make things more complicated, the CAC published the 2019 draft Measures without any mention of data localization requirements. Although there is no data localization provision in the new draft, this does not mean that network operators are exempt from data localization. Legal experts point out that China’s Cybersecurity Law overlaps with the new draft Measures, and CIIOs are still obligated to follow data localization rules. However, with the Cybersecurity Law referring to “CIIOs” and the Measures referring only to “network operators,” there is room for interpretation regarding which entities will be impacted by data localization requirements.