The Law of the People’s Republic of China on Data Security (the “Data Security Law”) was adopted at the 29th meeting of the Standing Committee of the 13th National People’s Congress on 10 June 2021 and will come into force on 1 September 2021. The Law provides for framework regulations in relation to cross-border data transfer, or to be more precise, transferring data from China to abroad, an issue of ongoing concern to multinational enterprises.
I. Cross-border transfer of data in normal circumstances – transfer possible after necessary security assessment
It is first necessary to clarify that the Data Security Law follows the approach of the Law of the People’s Republic of China on Cyber Security (the “Cyber Security Law”), which sets up a system of classification and grading of data. In short, in the context of cross-border data transfer, data can be graded into important data and other data, and the grading will be mainly reflected by way of data catalogues. According to the Data Security Law, the “national data security coordination mechanism” will coordinate the development of catalogues of important data, and each region and department shall, in accordance with the data classification and grading protection system, determine specific catalogues of important data for the region, department and relevant industries and fields, and provide special protection for the data included in the catalogues (Article 21 of the Data Security Law).
Data, once included in the important data catalogues, will be administered mainly in the following two ways.
(i). Important data collected and generated by CIIOs in their operations
A CIIO is a critical information infrastructure operator as defined in the Cyber Security Law. Important data collected and generated by such operators in the course of their operations in the People’s Republic of China should be stored within the territory, and if it is necessary to provide it outside the country due to business needs, it should be subject to a security assessment in accordance with the measures formulated by the State Internet Information Department in conjunction with the relevant departments of the State Council (Article 37 of the Cyber Security Law). As far as the assessment is concerned, the specific assessment measures are still under development. The Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (Draft for Comments) (the “Draft Measures”) and the Information Security Technology – Guidelines for Cross-border Transfer of Data (Draft for Comments) (the “Draft Guidelines”) remain the specifications that can be referred to for the time being. The system designed therein includes the operator’s self-assessment, assessment by the competent authority, annual assessment and re-assessment, transfer purpose assessment and security assessment.
The assessment focuses on the purpose and necessity of data transfer, the quantity, scope, type and sensitivity of the data, the security measures, capability and level of protection of the data recipient, the risk of leakage, destruction, alteration and misuse of the data after transfer and re-transfer, as well as the risk to national security, public interest and legitimate interests of individuals arising from data transfer and data aggregation.
(ii). Important data collected and generated by other data processors in the course of their operations
The transfer of important data collected and generated by other data processors in the course of their operations in China is also subject to assessment and review, as stipulated in Article 31 of the Data Security Law. The detailed rules of such assessment are still to be enacted.
With reference to the Draft Measures, the situations that require data transfer assessment and review accordingly may include (subject to future revision of the Draft Measures): (i) data containing or accumulating personal information of more than 500,000 people; (ii) data volume exceeding 1,000 GB; (iii) data in areas such as nuclear facilities, chemical and biological, national defense and military industry, population health, large engineering activities, the marine environment, and sensitive geographic information data; (iv) data containing information on system vulnerabilities, security protection and other network security information of critical information infrastructures; (v) CIIOs providing personal information to foreign countries; and (vi) other information that may affect national security and social public interest, and which the competent industry or regulatory authorities consider should be assessed.
(iii). Important data collected by offshore network operators in the course of their operations
The Draft Guidelines state that a network operator that is not registered in China but conducts business in China or provides products or services to China is considered to be operating PRC domestic business. This means that foreign enterprises that collect personal information and important data originating from within China and transmit them outside the country in the course of such business will also be required to conduct a cross-border data transfer security assessment.
It should further be noted that, under the Data Security Law, if the data is not graded as important data, there is no requirement for a cross-border data transfer security assessment. However, other laws and regulations may still restrict the cross-border transfer of the data. For instance, if personal information is involved, a review and assessment may be required under the legal regime governing the review and assessment of personal information exiting the country. Accounting firms may be restricted from providing data abroad based on their legal duty of confidentiality.
II. Cross-border transfer of data in extraordinary circumstances – prohibitions and restrictions on cross-border transfer
In the context of the continued deterioration of political and economic relations between China and the United States, laws and regulations of a countermeasure nature, such as the Export Control Law of the People’s Republic of China, the Law of the People’s Republic of China on Anti-Foreign Sanctions and the Measures for Blocking the Improper Extraterritorial Application of Foreign Laws, have been introduced in quick succession. This has resulted in a number of unconventional situations in which cross-border data transfer will be restricted.
(i). Prohibitions and restrictions on the export of data and technology in accordance with export control laws
In accordance with the Export Control Law of the People’s Republic of China, the Catalogue of China’s Prohibited and Restricted Technologies for Export was revised again in August 2020. Among the changes, the mapping data that autonomous driving would involve, including geodetic, satellite, gravity and elevation databases, are listed as prohibited export technologies. Drone technology, speech recognition, speech synthesis, intelligent marking, personalised information push service technology based on data analysis, basic software security enhancement technology and database system security technology are included in the restricted export catalogue. Data related to the aforementioned technologies will accordingly be subject to exit bans and restrictions to a certain extent.
(ii). Prohibitions and restrictions of data transfer based on countermeasure laws and regulations
Article 36 of the Data Security Law provides that organisations and individuals in the territory shall not provide data stored in the territory of China to foreign judicial or law enforcement agencies without the approval of competent Chinese authorities. This is in line with the logic behind the PRC Measures for Blocking the Improper Extraterritorial Application of Foreign Laws.
In recent years, the long-arm jurisdiction asserted by the US in many pieces of legislation has imposed many obligations on companies operating outside the US, such as data provision obligations under the CLOUD Act. Article 36 of the Data Security Law provides a legal basis for companies operating in China to refuse to provide relevant data, but it also clearly places such companies in a difficult position to some extent. In particular, according to Article 48 of the Data Security Law, enterprises that provide data to foreign judicial or law enforcement agencies without the approval of the competent authorities may face a fine of up to RMB 5 million, may be ordered to suspend the relevant business or have the relevant business licence revoked, and the person directly responsible and other directly responsible persons may face a fine of up to RMB 500,000. In the long run, therefore, it will be a matter of concern how to establish an effective mechanism with countries such as the US and the EU regarding the provision of data in judicial proceedings.
(iii). Implementation of data exit restrictions based on reciprocal treatment
Finally, it should be noted that Article 26 of the Data Security Law provides that if any country or region adopts discriminatory prohibitions, restrictions or other similar measures against China in respect of investment, trade and other aspects related to data and data exploitation technologies, China may take reciprocal measures against that country or region in accordance with the actual situation. It is difficult to predict what practical effect this principle will have. For example, under the EU’s recently revised export control regulations on dual-use items, the EU will likely significantly restrict the export of facial recognition technology to China, especially as China is explicitly targeted in the exhibits to the regulations. Whether China would make use of this Article 26 to retaliate is unclear.