On June 13, 2019, the Cyberspace Administration of China (CMA, 国家互联网信息办公室), an office that serves as China’s central internet regulator and censor, released the draft Measures for Security Assessment of Cross-border Transfer of Personal Information (the Measure, 个人信息出境安全评估办法) for public comment.
The following is a brief analysis of how this Measure, if adopted, could affect U.S. entities doing business in China or doing business with Chinese entities.
If a U.S. entity is a network owner, administrator or service provider that gathers personal information during its operations in China, it is a “Network Operator” under the Measure and is required to go through a security assessment before it transfers any personal information out of China. There are no threshold requirements: whether the entity has $10,000 or $25,000,000 in annual gross revenues, and whether it transfers the personal information of 10 or 50,000 customers or employees, it must comply with the Measure.
While the current law only imposes security assessments on “critical information infrastructure operators,” the Measure significantly expands the regulatory scope to cover all network operators. If a U.S. entity uses the Internet to collect personal information from China, it is treated as a “Network Operator” for the purpose of the Measure. A Network Operator is prohibited from transferring personal information overseas if it is unable to pass the security assessment.
The Measure further requires a Network Operator to report annually, to report any relatively major security incident, and to retain records of cross-border transfers of personal information for at least five years. The Measure also requires Network Operators to include the following terms and conditions in their agreements with overseas recipients: a Network Operator shall provide certain information to the owner of the personal information; shall provide a copy of the agreement(s) to the owner upon request; and shall convey the owner’s claims to the recipient and provide compensation to the owner if remedies from the recipient are not readily available.
Recipient of the Personal Information
A U.S. entity that receives personal information from Network Operators should also familiarize itself with the Measure. Here is why:
- An agreement between a Network Operator and the recipient of personal information must be submitted for review, and performance of the agreement with respect to personal information is also subject to periodic review by the cyberspace administrative department.
- The Measure requires the agreement between the Network Operator and the recipient to include a slew of standard contractual terms. Among these terms and conditions, individuals whose personal information would be transferred have a right to seek remedies from the Network Operator and/or the recipient if their rights are violated. Termination of the agreement does not affect the Network Operator’s or the recipient’s obligations under the Measure, unless the recipient has destroyed or de-identified the personal information. A recipient shall give individuals whose information would be transferred access to their personal information, and shall respond to, correct, or delete the personal information at their request within a reasonable time and at a reasonable cost. In the event that any change in U.S. law affects the enforceability of the agreement, the recipient must immediately inform the Network Operator, which in turn will report to the cyberspace administrative department.
- The Measure further limits the recipient’s ability to transfer the personal information to any third party, except in very limited circumstances.
- Any major security incident experienced by the recipient will be considered by the cyberspace administrative department during a security assessment. Additionally, the cyberspace administrative department has the authority to stop overseas transfers of personal information if the recipient experiences any major security incident or abuses the data.
While the final Measure is likely to differ from the proposed draft, this draft embodies the trend of China tightening its grip on cybersecurity governance. Bear in mind that only weeks prior to releasing this draft, on May 28, 2019, CMA released the draft Measures for Data Security Management (数据安全管理办法) for public comment. As China accelerates the implementation of its cybersecurity law, we encourage all U.S. entities that do business in China or with Chinese entities to consult with those knowledgeable about the Measure in order to strategize and prepare for future compliance.