18 June 2019

China sets cross-border data flow rules

By Liu Caiyu 

China's cybersecurity regulator on Thursday released a draft guideline on cross-border data transfers, which will prevent the flow of personal information overseas if it risks undermining national security and public interests, in the latest move to safeguard personal data security and the country's national cyberspace sovereignty.

Personal information, including ID, address and phone number collected in China by network operators, should be assessed before being sent overseas, according to the draft rule released by the Cyberspace Administration of China (CAC) on Thursday.

Information that potentially undermines national security, public interests or the security of personal information should be prevented from being sent overseas, the draft rule said.

The purpose of drafting the guideline is to protect personal information security and to safeguard the country's cyberspace sovereignty, national security and public interest, as well as the legitimate interests of citizens, the CAC said in a statement on its website.

The draft could prevent network operators that use personal information commercially from threatening personal rights and national security amid the ongoing escalation of tensions with the US over trade and cyberspace security, Chinese experts said.


Network operators need to report to the provincial-level cyberspace administrative department and apply for a security assessment before providing personal information collected in China to overseas receivers, it said. 

A separate security assessment should be applied for each receiver if the personal information will be provided to different receivers.

The draft covers Chinese network operators and foreign entities that collect online personal information in China for business purposes.

It means that domestic and foreign internet companies, such as Apple, Microsoft and Amazon, cannot share information gathered in China with other countries for commercial purposes or manipulate data for the sake of sabotaging China's cyberspace security, Xie Yongjiang, deputy director of the Institute of Internet Governance and Law at the Beijing University of Posts and Telecommunications, said.

It has become an international norm to protect personal data in cross-border data flows. For example, the EU's General Data Protection Regulation (GDPR) restricts EU institutes' data and information from being transferred to a non-EU country for security reasons, which requires the European Commission to decide if the third country has adequate protection.

The CAC draft said that the security assessment will focus on whether the data being sent overseas is legitimate, whether the data transfer protects the legal rights of the person who possesses the information and whether the network operators or overseas receivers have any history of internet security incidents.

Internet operators need to set up a file on the cross-border data transfer and keep it for at least five years, including the identity of overseas receivers and the sensitivity of the personal information. They need to report annually to provincial-level cyberspace departments.

The draft is soliciting public opinions until July 13.

As early as 2017, the CAC mulled measures on security assessments for cross-border transfers of personal or important data. The draft, which was later delayed, stresses the importance of cross-border data flow and the security evaluation on sensitive data related to nuclear technology, biology and national defense. 

If the data creates potential risks to national politics, economy and defense, it will be prevented from being sent overseas, the former draft said.
