New America
Cybersecurity Initiative

Translation: New Draft Rules on Cross-Border Transfer of Personal Information Out of China

'Personal Information Outbound Transfer Security Assessment Measures (Draft for Comment)," June 2019
Blog Post
Anton Balazh / Shutterstock
By 

Cindy L

Qiheng Chen

Mingli Shi

, and 

Kevin Neville

June 13, 2019

These draft measures on "personal information outbound transfer security assessment" are come more than two years after another draft that addressed similar issues. DigiChina analyzes the significance of this new release in a separate post here. –Ed.

[Chinese-language original]

TRANSLATION

Notice of the Cyberspace Administration of China on publicly soliciting opinions on the “Personal Information Outbound Transfer Security Assessment Measures (Draft for Comment)”

In order to ensure the security of personal information, safeguard cyberspace sovereignty, national security, and social public interests, and protect the legitimate rights and interests of citizens and legal persons, the Cyberspace Administration of China and relevant departments jointly drafted the “Personal Information Outbound Transfer Security Assessment Measures (Draft for Comment)” in accordance with the Cybersecurity Law of the People’s Republic of China and other laws and regulations. It is now open to society for comments. Relevant units and individuals from all walks of life can submit their opinions by July 13, 2019, via the following methods:

  1. Log on to the Government of China Legal Information Website (URL: http://www.chinalaw.gov.cn) and access “Legislative Comments Collection” on the homepage to submit comments.
  2. Email to: security@cac.gov.cn
  3. Send comments by mail to: Cybersecurity Coordination Bureau, Cyberspace Administration of China, No.11 Chegongzhuang Main Street, Xicheng District, Beijing, Postal Code 100044. Indicate the following on the envelope: “soliciting opinions on ‘Personal Information Outbound Transfer Security Assessment Measures’”

Attachment: Personal Information Outbound Transfer Security Assessment Measures (Draft for Comment) [See below.]

Cyberspace Administration of China
June 13, 2019

Personal Information Outbound Transfer Security Assessment Measures (Draft for Comment)

Article 1: In order to ensure the security of personal information during cross-border data flows, in accordance with the Cybersecurity Law of the People’s Republic of China and other relevant laws and regulations, these Measures are formulated.

Article 2: Network operators who provide personal information collected in the course of operations within the mainland territory of the People’s Republic of China (hereinafter referred to as personal information outbound transfer), shall conduct security assessments in accordance with these Measures. If it is determined by the security assessment that the outbound transfer of personal information may affect national security or harm the public interest, or that the security of personal information is difficult to effectively protect, such information shall not leave the country.

Where the state has other provisions on the outbound transfer of personal information, those provisions apply.

Article 3: Prior to the outbound transfer of personal information, network operators shall declare personal information outbound transfer security assessments to the provincial-level cybersecurity and informatization department.

The provision of personal information to different recipients shall entail separate security assessment declarations. The provision of personal information to the same recipient multiple times or continuously does not necessitate multiple assessments.

A new security assessment is required every 2 years or when there are changes to the purpose, type, or overseas retention period related to the outbound transfer of personal information.

Article 4: Network operators shall provide the following materials for personal information outbound security assessment, and bear responsibility for the authenticity and accuracy of the materials:

  1. Declaration form;
  2. The contract signed between the network operator and the recipient;
  3. Analysis report on the security risks and security measures associated with the outbound transfer of personal information;
  4. Other materials required by national cybersecurity and informatization departments.

Article 5: After receiving the declaration material for personal information outbound transfer and verifying its completeness, province-level cybersecurity and informatization departments shall organize experts or technical capabilities to conduct security assessment. The security assessment should be completed within 15 working days; complicated cases may receive extensions.

Article 6: Personal information outbound transfer security assessments shall focus on the following:

  1. Whether the outbound transfer complies with relevant national laws, regulations, and policies.
  2. Whether the terms of the contract can fully safeguard the legitimate rights and interests of personal information subjects.
  3. Whether the contract can be effectively carried out.
  4. Whether the network operator or recipient has a history of harming the legitimate rights and interests of personal information subjects, and whether relatively serious cybersecurity incidents have occurred.
  5. Whether the network operator obtained the personal information legally and appropriately.
  6. Other matters to be assessed.

Article 7: Provincial-level cybersecurity and informatization departments shall simultaneously notify the network operators and national cybersecurity and informatization departments of the results of the personal information outbound transfer security assessment.

Network operators may file an appeal with national cybersecurity and informatization departments if there are objections to the conclusion of the personal information outbound transfer security assessment made by the cybersecurity and informatization departments at the provincial level.

Article 8: Network operators shall keep records of personal information outbound transfers and retain those records for at least 5 years. The records should include:

  1. The date and time of the outbound transfer of personal information;
  2. The identity of the recipient, including but not limited to the recipient’s name, address, contact information, etc.;
  3. The type, quantity, and degree of sensitivity of the personal information undergoing outbound transfer;
  4. Other contents as stipulated by national cybersecurity and informatization departments.

Article 9: Network operators shall report the current year’s personal information outbound transfers, contract performance, and other information to their local provincial cybersecurity and informatization departments before December 31st of each year.

Relatively serious data security incidents should be promptly reported to the province-level cybersecurity and informatization departments.

Article 10: The cybersecurity and informatization department at the provincial level shall regularly organize inspection of the outbound transfer of personal information by [network] operators, including the outbound transfer records of personal information, with an emphasis on the fulfillment of contractual obligations, whether there are any violations of national rules or harm to the legitimate rights and interests of data subjects, and other behaviors.

Where any harm to data subjects’ legitimate rights and interests or security incidents of data breach, etc., occur, [the cybersecurity and informatization department at the provincial level] shall promptly require the network operators to rectify, or supervise and urge—through network operators—the recipients to rectify.

Article 11: Where any of the following situations occurs, the cyberspace and informatization departments can require network operators to suspend or terminate the outbound transfer of the personal information:

  1. Network operators or recipients experience incidents of relatively serious data breach or abuse;
  2. It is impossible or difficult for the data subjects of the personal information to defend their legitimate rights and interests;
  3. The network operators or recipients are incapable of safeguarding the security of personal information.

Article 12: Any individual or organization has the right to report any violations of provisions of these Measures in providing personal information abroad to cybersecurity and informatization departments at or above the provincial level, or relevant departments.

Article 13: The contracts or other legally-binding instruments (“Contracts”) signed by network operators and recipients of personal information shall specify:

  1. The purposes, types, and retention period of the outbound transfer of the personal information;
  2. The data subjects of the personal information are the beneficiary of the contractual provisions related to data subjects’ rights and interests;
  3. Where data subjects’ legitimate rights and interests are harmed, they can, by themselves or through an authorized proxy, claim for damages against network operators, recipients, or both, who shall then compensate for the damages, unless they prove they were not responsible;
  4. If the contract cannot be implemented due to changes to the legal environment of the country where the recipient is located, the contract shall be terminated or go through a new security assessment;
  5. The termination of contracts cannot exempt contractual duties and obligations of network operators or recipients related to the legitimate rights and interests of data subjects, unless the recipients have already destroyed received personal information or carried out anonymization processing;
  6. Any other content specified by the parties.

Article 14: Contracts shall specify that network operators bear the following responsibilities and obligations:

  1. By means such as email, instant messaging, letter, or fax, notify personal information subjects of basic information about network operators and data recipients, and about the purpose of outbound personal information transfer, types of personal information, and storage duration.
  2. Upon request of the personal information subject, provide a copy of the contract.
  3. Upon request, relay the personal information subject’s appeal to data recipients, including demanding compensation from recipients; when personal information subject cannot receive compensation from data recipients, [network operators] should make compensation first.

Article 15: Contracts shall specify that recipients bear the following responsibilities and obligations:

  1. Provide personal information subjects with a way to access their personal information. When personal information subjects request to correct or delete their personal information, give a response, make a correction or delete at reasonable cost and within a reasonable timeframe.
  2. Use personal information according to the purpose specified in the contract. Storage duration of personal information at overseas location may not exceed the time limit agreed in the contract.
  3. Affirm that signing the contracts and fulfilling contractual obligations will not violate legal requirements in the recipient’s country. When changes in the legal environment of the recipient’s country and region may affect carrying out the contract, the recipient should promptly notify the network operator and report through the network operator to province-level cybersecurity administration.

Article 16: Contracts shall specify that recipients should not transfer received data to third parties, unless the following requirements are satisfied:

  1. The network operator already notified personal information subjects through email, instant messaging, letter, or fax, about the purpose of onward transfer to third parties, the identity and nationality of third parties, the types of personal information being transferred, and storage duration by third parties, etc.
  2. Recipients commit that when personal information subjects request stopping onward transfer to third parties, recipients should stop onward transfer and ask third parties to destroy previously received personal information.
  3. When personal sensitive information is involved, consent from personal information subjects has been obtained.
  4. When a personal information subject’s legitimate rights and interests are harmed due to onward transfer to third parties, the network operator agrees to first assume responsibility for compensation.

Article 17: The analysis report by network operators regarding security risks in personal information outbound transfer and security safeguard measures should at least include:

  1. Background, size, industry, financials, reputation and cybersecurity capabilities of the network operator and recipient.
  2. A plan for personal information outbound transfer, including duration, the number of involved personal information subjects, the scope of outbound information, and whether personal information will be transferred to third parties after outbound transfer.
  3. A risk analysis of personal information outbound transfer and measures that ensure personal information security and protect the legitimate rights and interests of personal information subjects.

Article 18: Network operators that have provided personal information abroad in violation of the provisions of these Measures, shall be dealt with in accordance with relevant laws and regulations.

Article 19: Where there are clear provisions regarding outbound transfer of personal information in treaties, agreements, etc., reached between China and other countries, regions, or international organizations, those provisions shall apply, except where China has declared reservations.

Article 20: Overseas organizations, in conducting business activities and when collecting the personal information of domestic users through the Internet and other means, shall fulfill the responsibilities and obligations of network operators in these measures through domestic legal representatives or organizations.

Article 21: The meanings of the following terms found in these measures:

  1. “Network operators” refers to network owners, managers, and network service providers.
  2. “Personal information” refers to various information recorded by electronic or other means that, alone or in combination with other information, can identify a natural person's personal identity, including but not limited to the name of the natural person, date of birth, ID number, personal biometric information, address, phone number, etc.
  3. “Personal sensitive information” refers to personal information that, if leaked, stolen, tampered with, or illegally used, may endanger personal and property safety, or cause damage to a person’s reputation and physical and/or mental health.

Article 22: These measures shall enter into effect beginning (day) of (month), (year).