Data protection law and transferring personal data out of China


Complying with the fast changing data protection law in China has become increasingly important for non-Chinese companies doing business in China or targeting the Chinese market in the recent years. Especially regarding transferring personal data out of China. With the recent Chinese Cyber Security Law and its regulations on cross-border data transfer, the legislators have gradually established a comprehensive data protection framework and cross-border data transfer mechanism, which stipulates many requirements to localisation and international transfer of data. Although many technical methods are yet to be defined, it would be wise for foreign companies, that need to transfer data out of China, to already take steps to comply with the current Chinese data laws and upcoming detailed rules.

A comprehensive, but undetailed framework for data protection  

Data protection and personal data cross-border flow has always been important for non-Chinese companies in China, and legal risks, especially in terms of penalties for failing to comply, has become significantly costly due to the Chinese Cyber Security Law that came into force on 1 June 2017. 
The new law established a comprehensive framework for data protection in China. However, the Cyber Security Law only stipulates the need of a review mechanism when transferring data out of China. It does not describe in detail, how companies should conduct security assessments etc. Article 37 of the Cyber Security Law refers to the requirement, that companies must be able to document how and where their data is stored and processed, and they must perform a security assessment of cross-border transfer of data collected by the operator of the Critical Information Infrastructure (CII), but Article 37 does not define the security review mechanism in detail.



The Security Assessment Method 

On 11 April 2017, the Chinese National Internet Information Office promulgated the Assessment Method, which provides detailed guidance for the assessment requirement in the Cyber Security Law. At this stage, the Assessment Method is still a draft, but very often, the structure of a draft and most of the content is retained in the finalised bill. Therefore, non-Chinese companies can benefit from making themselves familiar with the draft. 
The Assessment Method is supposed to provide detailed rules on data transfer in light of the Cyber Security Law, which reflects a growing trend of data localisation and sets up a threshold for data being transferred out of China – which makes The Assessment Method especially relevant to non-Chinese companies. Article 37 particularly provides that personal and important business data collected and generated by CII operators in China shall be stored within China, and an extra security assessment is required before transferring data out of China. However, the Assessment Method broadens the scope of assessment and provides more detailed rules on compliance.
Article 37 applies only to CII operators, but the Assessment Method provides that the assessment process for international data flow should apply to all network operators. 



The negative list: Data that cannot exit China

The following data may not be transferred out of China: 
  • Personal information without the consent of the subject of personal information, or which may be against personal interests
  • Data with security risks related to the national political, economic, scientific and technological, the national defence area, or which may affect the national security, or cause damage to public interest 
  • Data otherwise defined by the national network departments, public security departments, other security departments and other relevant authorities.
Before personal information is transferred, the purpose, scope, content, receiver and recipient of the data shall be stated to the subject of the personal information and consent is to be obtained. Minors' personal information is subject to the consent of their guardian.

Security assessment before and after transfer

Data collected in China should in principle be stored in China, but it is possible to transfer data out of China due to 'business needs', provided that a security assessment is conducted. 

Before the transfer

Before the transfer, network operators should ask themselves:
  • How necessary is the data transfer?
  • To which extent is personal information included? Including the amount, scope, type, degree of sensitivity of the personal information, and whether the personal information subject agrees.
  • Does the transfer include Important Data? Including the amount, scope, type and sensitivity of Important Data
  • Have you taken security measures? Including capabilities and levels of protection of the data receiver, and the network security environment in the receiver's country and region
  • Are there any risks such as disclosure, damage, tampering and abuse after data exit and re-transfer?
  • Are there any risks that may be brought to the national security, social and public interests and personal legitimate interests?
  • Are there other important matters that need to be assessed?

After the transfer

After the transfer, the network operator's security assessment should include the following: 
  • At least once a year, network operators should conduct a safety assessment and timely report to industry regulatory authorities.
  • When the data receiver changes, or if significant changes regarding destination, scope, quantity, type of data, etc. occur, or in the event of a major security incident regarding transferred data or the data receiver, the network operator should conduct a safety assessment in a timely manner.

The assessment and supervision by the competent supervisor

The supervisory department of an industry shall be responsible for the safety assessment of outbound data transfer within the industry and shall examine the data transfer. The industry competent supervisor should periodically review cross-border data transfer for security reasons.
When outbound data is under one of the following circumstances, the network operators should report to the industry regulatory authorities to organize safety assessment:
  • The data contains or accumulates personal information of more than 500,000 persons
  • The amount of data is over 1000 GB
  • The data is related to nuclear facilities, chemical biology, national defence industry, public health and other fields; or the data is related to large-scale project activities, marine environment and sensitive geographic information
  • The data includes network security information (including system vulnerabilities, security protection and others) of CII
  • The data may affect the national security and social public interests. 

Transfer of personal information or important information by CII

Article 37 of the Cyber Security Law provides that personal information and important data collected by CII operators in China shall be stored within China. CII mainly refers to the important industries and fields, such as public communication and information services, energy, communications, water conservation, finance, public services and e-government affairs, and other information infrastructures that, in case of damage, function loss or data leakage, may threaten national security, harm people’s livelihood and public interests. Such data can only be transferred out of China if necessary due to business needs, provided that a security assessment is carried out according to the measures formulated by the national internet information department. 
The Assessment Method further stipulates that the CII operators shall report to the competent supervisors to organize safety assessments, when transferring personal information and Important Data abroad.


How to transfer data out of China

China is establishing a data transfer regulation mechanism, which to some extent is comparable to the GDPR in Europe. Non-Chinese companies doing business in China, and who need to transfer data out of China, have to pay attention to the following:
  • Review your business in regard to personal data, and have a good understanding of your data collection and flows in and out of China.
  • Ascertain the personal information that you plan to transfer out of China.
  • Make sure that the information that needs to be transferred does not fall within the negative list (see above) of data that should not leave China. If the data is on the negative list, establishing access to a local server may be the only solution. 
  • Before transferring any data, ensure to obtain explicit consent from data subjects, or for data that needs evaluation from the competent authority, apply to the competent authority in its respective industry for assessment.
  • Prepare and implement data security safeguards and data protection policies to ensure that transferring data out of China complies with relevant Chinese data protection rules.
  • In a global context, it is also advisable to take the Chinese data law and its upcoming requirements into account so that you can timely update your global data management policy in compliance with regulation both in China and other jurisdictions.