June 13, 2019
The Cyberspace Administration of China today released a draft regulation governing the transfer of personal information out of China. DigiChina has translated the draft in full. At first glance, it appears to have fairly simple goals—to ensure that data protection objectives are upheld and people whose data is transferred abroad have their interests protected. As the scholar and government advisor Dr. Hong Yanqing writes in a WeChat post, the intent of the regulation is to protect the “legitimate rights and interests of individuals if [their] data is separated from the original data controller and travels outside of the country.”
But a closer look raises several questions that may have implications for how the Chinese government is responding to long-standing industry concerns and lobbying. Two years after China’s Cybersecurity Law went into effect—on June 1, 2017—the Chinese government has recently released a string of new draft regulations (see list at bottom) providing details for how major aspects of the Cybersecurity Law regime are to operate. The policy area covered by today’s draft—cross-border data transfer—had already been addressed in long-languishing draft measures that never took effect.
Today’s draft “Personal Information Outbound Transfer Security Assessment Measures,” which have been released for a month-long public comment period, raise several questions that have broad implications for the evolution of China’s digital economy regulatory regime. Here are a few.
Question 1: Have these draft rules quietly replaced a long-languishing draft on security assessments for cross-border data transfer, as well as the controversy around it?
In April 2017, Chinese authorities released draft measures on “personal information and important data outbound transfer security assessment” that were designed to implement a requirement in the Cybersecurity Law. Article 37 of the law requires that “personal information and important data” gathered or produced in China by “critical information infrastructure [CII] operators” be stored in China, amounting to a sweeping but vague requirement for data localization.
The law also says, however, that if it is “truly necessary” for CII operators to provide this data outside China, they may do so in accordance with measures formulated by cyberspace and other authorities. In the Chinese legal system, authoritative laws often consign the specifics of a given regulatory area to documents issued by government authorities that are more detailed and easier to revise.
So it made sense that, weeks before the Cybersecurity Law was to go into effect, authorities issued draft measures on security assessments that would be required before outbound transfer of personal information or important data was allowed.
The April 2017 draft, however, was never finalized, despite significant controversy and word that two later drafts, in May and August 2017, were quietly circulated among stakeholders. This week’s measures overlap with their contents, and it seems likely that the old draft is dead—though the release of the new draft did not specify that is the case.
This creates uncertainty about the relationship between the two documents. If these draft rules do indeed replace the 2017 rules, then we would expect a separate directive to come out soon focused on transferring “important data” out of China, since this was included before and not now (see Question 4 below). But if these draft rules do not replace the 2017 ones, then there now exist two overlapping sets of rules that, in some areas, are not totally consistent (see Question 2).
Question 2: Why do these rules apply to “network operators,” when the Cybersecurity Law’s rules on data localization apply to the presumably more narrow category of “critical information infrastructure operators”?
Both the new draft measures and the April 2017 draft explicitly draw their legal authority from the Cybersecurity Law (though the 2017 version also cited the National Security Law). The Cybersecurity Law specifies two categories of regulated entities—network operators, and CII operators. When the law addresses data localization requirements and calls for rules governing transfer of data outside of China, it prescribes responsibilities for CII operators and does not mention network operators. Why, then, do both drafts address security assessments for network operators rather than the CII operators named in the law?
This discrepancy between the text of the law and the scope of the measures supposedly designed to implement it caused controversy from the beginning. The shift from regulating CII operators to network operators mattered to businesses, because “network operator” is a much broader category. “Network operator” is defined as “network owners and managers, and network service providers,” a definition that can be read so broadly as to include any person or company with a network of any kind. (It is worth noting that to this day, neither category is rigorously defined in an authoritative way, leaving significant room for discretion in enforcement.)
Question 3: Did Chinese authorities hear foreign concerns and then dismiss them?
Feedback from foreign and domestic interests was swift in 2017. Industry groups expressed concern that obligations were too broad. The U.S. government officially raised concerns about China’s proposed cross-border data transfer rules at the World Trade Organization, arguing that “the impact of the measures would fall disproportionately on foreign service suppliers operating in China, as these suppliers must routinely transfer data back to headquarters and other affiliates.” The WTO filing specifically requested that the Chinese government delay finalization and implementation of the April 2017 draft. Whether or not in response to the U.S. request, that delay seems to have taken place.
It appears likely, however, the same concerns will be revived with this new draft. In October 2017, we assessed prospects based on conversations with people knowledgeable about contacts between Chinese officials and various interest groups and a public WeChat post by a Ministry of Public Security research institute noting that a draft of a related document “underwent revision, adjustment, and improvement…responding in part to the main concerns of domestic and foreign enterprises” and that “the controversy and compromise has not yet been resolved.” With co-author Paul Triolo, we wrote that “the eventual regulatory environment may not be as bleak as worst-case assessments would suggest.”
At that time, it appeared that the CAC had been receptive to industry feedback and may have walked back the scope of security assessment requirements to cover CII operators only, rather than the broader network operator category. But under the latest draft Measures, the scope remains network operators, and there is no mention of CII operators. If this replaces the 2017 draft Measures, then the scope of what kind of data will be subject to review is now more far-reaching than that in the Cybersecurity Law—and a core lobbying point has not been incorporated.
Question 4: What happened to ‘important data’?
The two categories “personal information” and “important data” appeared together in the Cybersecurity Law and in the 2017 draft measures. But, as Hong points out in his analysis, “One of the biggest changes in the [new] ‘Measures’ compared with the previous ‘Outbound Transfer Security Assessment Measures’ is to treat security assessment of personal information and important data separately,” an approach Hong writes that he favored from the beginning at the working level.
Separating the two makes sense, given that “important data” has gradually been clarified to refer to national security concerns. The May 2019 draft Data Security Management Measures (in Article 28) define the category broadly as:
“data that, if divulged, may directly affect national security, economic security, social stability, or public health and safety, such as undisclosed government information or large-scale data on the population, genetic health, geography, mineral resources, etc. Important data generally does not include enterprises’ production, operations, and internal management information, personal information, etc.”
Thus it would be reasonable to expect separate rules governing the outbound transfer of “important data” as defined here, versus personal information as understood in China’s broader data governance regime.
This split will culminate when the two distinct laws (the Personal Information Protection Law and Data Security Law—now in “mature” drafting stage) are finalized.
Question 5: Will these regulations, and the others rapidly emerging, be finalized and implemented quickly, or are we in for another prolonged waiting game?
After long waits in several cases, China’s government has recently published several draft regulatory documents, including these translated by DigiChina:
- “Cybersecurity Review Measures (Draft for Comment),” May 2019
- “Data Security Management Measures (Draft for Comment),” May 2019
- “Critical Network Equipment Security Testing Implementing Measures (Draft for Comment),” June 2019
- “Personal Information Outbound Transfer Security Assessment Measures (Draft for Comment),” June 2019
More regulatory documents and draft laws are expected this year.
It appears possible that these rules may finally be ready for implementation, though they each raise points of concern and lobbying from various interests. How quickly Chinese authorities move to finalize and implement these rules that undergird supposedly already-effective provisions of the Cybersecurity Law will affect regulatory uncertainty in China’s digital economy.
[This post has been updated to replace a broken link with a now-active one in the first paragraph. –Ed. 2019.06.15]