Measures on Security Assessment of the Cross-border Transfer of Personal Information

25 July 2019

A long-awaited technical granularity for network operators

PRC regulators display a recurring habit in their law-making: set a direction first, define the technical measures later.

The same habit is visible in the evolving cybersecurity regulatory framework. On cross-border data transfer, the regulators have published, in decreasing order of authority:

  • the Cyber Security Law of the People’s Republic of China (“Cyber Security Law”, “CSL”), effective on 1 June 2017;
  • the Measures on Security Assessments for the Export of Personal Information and Important Data (draft for comments) (the “Measures”), released on 11 April 2017;
  • Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessments (the “Guidelines”), released on 27 May 2017.

This trend continues with the Cyberspace Administration of China (CAC) releasing on 13 June 2019 the Measures on Security Assessment of the Cross-border Transfer of Personal Information (draft for comments) (the “New Measures”).

The New Measures offer a greater level of granularity on the security assessment of personal information that must precede any cross-border transfer, specifically on the reporting of cross-border transfer activities, the contractual requirements between the network operator and the recipient, and the reporting of security risks and security measures.

The New Measures specify the required supportive documentation, including:

  • A declaration form;
  • The contract between the network operator and the recipient;
  • A report describing the security risks and security measures of the cross-border transfer of personal information.

The New Measures indicate that the transfer records shall include:

  • The date and time of the cross-border transfer of personal information;
  • The identity of the recipient, including but not limited to the name, address, and contact information of the recipient;
  • The type, volume and level of sensitivity of the personal information transferred abroad.

The New Measures require network operators to report their cross-border transfer activities to the relevant local and national authorities every year before 31 December.

The New Measures specify the content of contractual documentation between the network operator and the personal information recipient to include the following key provisions:

  • The purpose, types and retention period of the cross-border transfer of personal information,
  • That the personal information subject is the beneficiary of the contractual terms that involve the rights and interests of the personal information subject;
  • When the legal rights and interests of the personal information subject are infringed, the personal information subject may claim compensation from either the network operator or the recipient separately, or from both parties jointly. The personal information subject may seek such compensation on its own behalf or through a designated agent. The network operator or recipient shall compensate the personal information subject unless it proves that it is not liable;
  • If it is difficult to perform the contract due to changes in the legal environment of the recipient’s country, the contract shall be terminated, or the security assessment shall be conducted again;
  • The termination of the contract cannot exempt the network operator and the recipient from the responsibilities and obligations stipulated in the relevant terms concerning the legal rights and interests of the personal information subject in the contract, unless the recipient has destroyed or anonymized the personal information received; and
  • Other aspects as agreed by both parties.

Furthermore, on contractual requirements, the New Measures state that the contract between the network operator and the personal information recipient shall specify that:

  • the network operator shall assume the following responsibilities and obligations:
  1. Inform the personal information subject of the basic information of the network operator and the recipient, as well as the purpose, type and retention period of the cross-border transfer of personal information, by means of e-mail, instant messaging, letter, fax, etc.;
  2. Provide a copy of the contract at the request of the personal information subject;
  3. Convey any request of the personal information subject to the recipient upon request, including claims for compensation against the recipient; if the personal information subject cannot obtain compensation from the recipient, the network operator shall pay the compensation;
  • the recipient shall assume the following responsibilities and obligations:
  1. Provide the personal information subject with access to its personal information. When the personal information subject requests the correction or deletion of its personal information, the recipient shall respond, and correct or delete the personal information, within a reasonable time and at a reasonable cost;
  2. Use the personal information in accordance with the contractual purpose, and retain it no longer than the retention period provided in the contract;
  3. Confirm that signing the contract and performing the contractual obligations will not violate the legal requirements of the recipient’s country.

The contract between network operator and recipient shall also define conditions for personal information transfer to a third party, such as:

  • The network operator has notified the personal information subject of the purpose of transmitting the personal information to the third party, the identity and nationality of the third party, as well as the type of personal information transmitted and the retention period of the third party through e-mail, instant messaging, letter, fax, etc.;
  • The recipient is required, upon the request of the personal information subject, to stop the transmission and require the third party to destroy the received personal information;
  • The consent of personal information subject has been obtained where sensitive personal information is involved;
  • The network operator agrees to assume liability for compensation to the personal information subject where the transmission of personal information to a third party infringes the legal rights and interests of the personal information subject.

Finally, the report on security risks and security measures that the network operator submits with its cross-border transfer reporting shall include:

  • The background, scale, business, financial details, reputation, and network security capabilities of network operator and recipient;
  • The plan for the cross-border transfer of personal information, including the duration, the volume of personal information subjects involved, the scale of the cross-border transfer of personal information, and whether the personal information will be transmitted to a third party after the cross-border transfer.

Since regulations published as drafts for comments are usually close to their final version, PRC entities transferring data abroad would be well advised to start assessing their current processes, identify their compliance gaps and draft a remediation plan now.

To know more, please contact Gregory Louvel g.louvel@leaf-legal.com

The TL Group is a team providing tech and legal services.

The alliance between Leaf, a law firm, and TekID, a data intelligence firm, provides a comprehensive cybersecurity and data management offering that helps you enhance your security with a holistic approach. This team of cyber and data experts and lawyers offers services to companies and managers such as cybersecurity compliance audits and programmes, structuring deals involving data assets, understanding and managing the life cycle of data and the associated risks, and forensic investigations, among others.