China employment briefing – June 2017
12 June 2017
China’s new Cybersecurity Law affects employee data transfer outside of China
On 1 June 2017, China’s new Cybersecurity Law came into effect. Further guidance in the form of the Draft Measures on the Security Assessment in Relation to Overseas Transfer of Personal Information and Important Data (the “Draft Measures”) was released on 11 April 2017 for public consultation, the final version of which is expected to be shared in the near future.
Cross-border data transfer
One of the most significant restrictions under the new Cybersecurity Law is against transferring data out of China.
“Network operators”, defined as any owner, operator, administrator or service provider of computer networks, will now have to ensure all “personal information” and “important data” remains within China. This may include data closely related to national security, economic developments or social or public interests. Only in cases with a “genuine need to transfer it overseas for reasons of operational necessity” may such information or data be allowed to leave the country.
As it stands, the broadly interpreted cross-border data transfer restrictions may apply to almost any business operating in China, as many businesses operate their own computer networks. It is not uncommon for businesses to often implement means to transfer employee data from their Chinese entities to offshore entities for processing purposes.
Required security assessment
Under the Draft Measures, prior to any data transfer outside of China, a network operator must conduct an internal security self-assessment which should consider, among others,
- necessity of the transfer
- type and sensitivity of the data to be transferred
- security protection measures and capabilities of the data recipient
- risk of loss or unauthorized access to the data
- any national security risks
This self-assessment must be conducted annually and the results must be reported to the relevant regulatory authority. The Draft Measures also set forth a specific list of circumstances in which an additional level of security assessment may be required, making the process all the more stringent for certain businesses. For example, Chinese citizens’ data collected and processed by Critical Information Infrastructure Operators (“CIIO”) must remain in China unless there are genuine business needs and having successfully completed the security assessment conducted by the relevant regulatory authorities. CIIOs will include those operating in the sectors of healthcare, scientific research social security and ‘important Internet application systems’. However, the definition of CIIOs and what the security assessment involves remain ambiguous.
In some cases under the Draft Measures, regardless of genuine business needs, the transfer of data outside of China will be prohibited, including where there is no consent from the data subject or where it concerns national policy, among others.
Employers must obtain prior consent of all individuals before handling their personal information, especially before transferring such data outside of China. This is already a requirement under the existing regulatory framework. However, under the Cybersecurity Law and Draft Measures, additional limitations will apply on such transfers.
There remains uncertainty surrounding how the regulatory authorities will interpret and enforce the new law in practice especially given the vagueness in some of the key provisions. We recommend businesses who have operations in China to keep a close eye on any developments in this area. It would also be prudent to start reviewing strategies and policies in light of the new laws.