Update on China’s new Cybersecurity Law: more clarity on the restrictions in relation to data transfer outside of China

  • China
  • Hong Kong
  • Privacy, data protection and cybersecurity


Our last article (which can be accessed here) explored the implications of China’s new Cybersecurity Law which will come into force on 1 June 2017. One of the key requirements which we explored in that article was the obligation on Critical Information Infrastructure Operators (“CIIOs”) to retain “personal information” and “important data” within China except where they can show that it is “truly necessary” due to business requirements to transfer it out of China and have conducted a security assessment.

On 11 April 2017, the Cyberspace Administration of China published further guidance in the form of draft measures on the security assessment in relation to overseas transfer of “personal information” and “important data” (the “Draft Measures”). The draft has been published for public consultation until 11 May 2017 and may be subject to further revision and amendment following consultation.

The Draft Measures aim to provide more clarity on the scope and applicability of security assessments stipulated under the Cybersecurity Law.

1. Applicability of the rules around “personal information” and “important data” leaving the country

While the Cybersecurity Law refers to CIIOs retaining information within mainland China, the Draft Measures seem to indicate that these requirements will extend to all “network operators”. Article 2 of the Draft Measures states that network operators should store in-country all "personal information" and "important data" collected within China except where there is a “genuine need to transfer it overseas for reasons of operational necessity”. Where such need has been determined, a security assessment should be conducted in accordance with the Draft Measures. We have discussed the requirements of the security assessment below.

The Draft Measures further expand on the meaning of “network operator” to include any owner, operator, administrator or service provider of computer networks. They also specify that the requirement to keep data within China applies not only to transfers of “personal information” but also to “important” or "critical" data. The definition of “important data” has been drafted very broadly, referring to any data which is closely related to national security or economic developments, as well as social and public interests.

In short, the Draft Measures indicate that the restrictions on transfer of data out of China will be even more broadly interpreted than was originally contemplated and may apply to almost any business operating in China, as opposed to those deemed as CIIOs only. However, much of how the law will be enforced in practice will depend on how easy it will be to satisfy the requirement of an “operational necessity” for transfer overseas and this remains to be seen.

2. Required security assessment

Prior to any data transfer outside of China, a network operator must conduct an internal security self-assessment which should consider, among other things, the necessity for the transfer of data, the type and sensitivity of the data to be transferred, the security protection measures and capabilities of the data recipient, the risk of loss or unauthorized access to the data and any national security risks. Network operators must carry out security self-assessments on an annual basis and report the results to the relevant regulatory authority. There should also be a re-assessment if there is any material change in the details of the transfer, including a change of recipient or any security incident.

As mentioned in our last article, the state network information department may conduct spot checks and require certain data transfers to go through an additional level of security assessment carried out by the department. While it was unclear in the Cybersecurity Law when such additional level of security assessment would be required, the Draft Measures expressly require that a network operator must submit a report to the relevant regulatory authority to require such authority to either approve the self-assessment or conduct its own security assessment in certain specific circumstances, including each of the following: (i) the transfer involves personal information of more than 500,000 individuals; (ii) the volume of the data exceeds 1000 gigabytes; (iii) the data relates to nuclear facilities, biochemistry, national defence and military, the health index of the population, large scale engineering projects, marine life and sensitive geographical information; (iv) the data relates to system failure, security measures or other aspects of cybersecurity of critical information infrastructure; or (v) the transfer of personal information and important data is conducted by a CIIO.

As can be seen from this last sub-section, if an organization is deemed to be a CIIO then it will need to seek approval of its security assessment by a regulatory authority in respect of all transfers of data overseas and will not have the option of conducting self-assessment only.

3. Prohibition of Overseas Transfer

In addition to the above, the Draft Measures also set out specific circumstances where the transfer of personal information or important data outside of China will be prohibited, regardless of whether there is a genuine business need. These include the following:

• the data subject has not consented to the transfer of their data overseas or the data transfer will infringe a data subject’s personal rights;

• the cross-border transfer would risk “the security of the national political system, economy, science and technology or national defence”; or

• a regulatory authority has expressly ruled that no cross-border transfer should take place.

There is some ambiguity as to how broadly these restrictions would be interpreted, particularly in respect of the potential risk to national security or the economy. However, it does seem to be clear from the Draft Measures that consent of the data subject will be very much a pre-condition to any overseas transfer of data.

We will continue to monitor developments under the new Cybersecurity Law, including the outcome of the consultation on these latest draft measures. In the meantime, the consultation period remains open to the public and organizations conducting business in China may want to take this opportunity to feed back their concerns.