CAC Solicits Opinions on Measures for Security Assessment of Cross-Border Transfer of Personal Information


Authors: 曾雯雯 朱宣烨 王伟 王丹阳 董芊


On June 13, 2019, the Cyberspace Administration of China (“CAC”) issued the Circular on seeking public comment on the Measures for Security Assessment of Cross-border Transfer of Personal Information (Draft for Comment) (“Measures”). The long-awaited Measures have attracted wide attention since their release.


China’s legal framework for data security and personal information protection currently consists of the general provisions of the Cybersecurity Law and a patchwork of fragmented rules in sector-specific regulations. The regulatory landscape is continuously evolving, however, with further regulatory measures being explored. The release of a series of rules governing data security and personal information protection by CAC in recent days has drawn wide attention from both industry and academia. The laws and regulations (including drafts) governing cross-border data transfer in general are listed chronologically below (ordered by the release date of drafts or the effective date of regulations).


April 11, 2017, Measures on Security Assessment of Cross-border Transfer of Personal Information and Important Data (Draft for Comment)

June 1, 2017, Cybersecurity Law of the People's Republic of China

August 30, 2017, Information Security Technology-Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comment)

February 1, 2019, Information security technology-Personal information security specification (Draft)

June 13, 2019, Measures for Security Assessment of Cross-border Transfer of Personal Information (Draft for Comment)


In addition, the relevant sectoral government authorities supervise cross-border data transfer within the scope of their respective functions, and sectoral rules prevail over the general rules, as provided in Article 2 of the Measures. Taking the financial industry as an example, the specific rules regulating cross-border transfer of personal information include:


August 1, 2007, Administrative Measures for the Identification of Financial Institution Clients and the Preservation of Clients' Identities and Transaction Records

May 1, 2011, Circular of the People's Bank of China on Doing a Good Job by Banking Financial Institutions in Protecting Personal Financial Information

February 16, 2013, Guidelines for the Regulation of Information Technology Outsourcing Risks of Banking Financial Institutions

May 21, 2018, Guidelines for the Data Governance of Banking Financial Institutions


In general, the Measures differ greatly from the earlier versions of the rules on cross-border data transfer. The key requirements are summarized as follows:


1. Focusing on personal information and carving out important data


Unlike the previously released Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (Draft for Comment), the newly released Measures apply only to the “cross-border transfer of personal information”. The “cross-border transfer of important data” is carved out; it is very likely that the cyberspace administrations will stipulate separate rules for important data based on its different characteristics. This reading is supported by the draft Measures for Data Security Management (Draft for Comment) released by CAC on May 28, which provide that “Important data usually doesn’t include information related to the production and operation of enterprises, internal management information or personal information” (Article 38).


2. All cross-border transfer of personal information shall be subject to security assessment


On a literal reading of the Measures, all cross-border transfers of personal information conducted by network operators (defined as “owners and managers of networks, as well as network service providers”) must be submitted to the CAC branch at the provincial level for security assessment. Unlike the Measures on Security Assessment of Cross-border Transfer of Personal Information and Important Data (Draft for Comment), the Measures provide no self-assessment procedure for cross-border data transfer. If this is the intended reading, compliance with the Measures could become considerably more costly, given the obligations they impose.


3. Introducing “Standard Contract Clauses”


The Measures introduce provisions that are similar in certain respects to the Standard Contractual Clauses (“SCCs”) under the European Union’s General Data Protection Regulation, which provide safeguards for personal information transferred internationally. The contract between the personal information exporter and the recipient must set out their specific rights and obligations: what the contract must specify (Article 13), the responsibilities and duties of the network operator and the recipient (Articles 14 and 15), and the conditions under which the recipient may transfer personal information to a third party (Article 16). Moreover, the network operator must submit its contract with the recipient to the CAC branch at the provincial level when applying for the security assessment of the cross-border transfer of personal information (Article 4). The security assessment focuses on whether the contract terms adequately protect the legal rights and interests of the personal information subject, and whether the contract can be effectively enforced (Article 6).


4. Newly added civil liability clauses


The Measures effectively establish civil liability through mandatory provisions on the content of the SCCs. Specifically, under Article 13, where the legitimate rights and interests of the personal information subject are infringed, the personal information subject may, on its own behalf or through an authorized agent, claim compensation from either the network operator or the recipient separately, or from both parties jointly. The network operator or recipient must then compensate the personal information subject unless it can prove that it is not liable for the damages. This reverse onus provision shifts the burden of proof onto the network operator and/or the recipient. Under Article 16, one of the preconditions for the recipient to transfer the received information to a third party is that “the network operator agrees to assume the liability for compensation to be paid to the personal information subject where the transfer of personal information to a third party causes damages to the legitimate rights and interests of the personal information subject”. In other words, the network operator remains liable to the personal information subject for onward transfers of personal information.