Data Research: Compliance with Cross-Border Personal Data Transfer Limitations
On May 25th, 2018, the General Data Protection Regulation (“GDPR”) termed the “strictest in history” and “offering the highest protection levels” in the EU officially took effect. Due to the robust extraterritorial effects of this regulation, the data security protection it offers is not limited to within the EU borders; outside of the EU, any processing of personal data belonging to the EU is also subject to regulation from under the GDPR. Therefore, any EU corporation that has set up branches in China and processes EU personal data or any Chinese corporation that has set up branches in the EU and processes EU personal data, must check their compliance with the GDPR in a timely manner, thereby avoiding business compliance risks.
However, for foreign corporations in China and local Chinese corporations, the processing of Chinese citizens’ personal data is restricted not only by extraterritorial regulations such as the GDPR, but also by local Chinese data protection laws. Under the current legislation in China, legal regulation of cross-border personal data transfer is a key point for data protection. This article will start with the definition of cross-border personal data transfer, and then give an analysis of current legal regulations related to personal data transfer. For some foreign corporations in China and Chinese corporations with international operations or connections, this article will aim to provide compliance tips on cross-border personal data transfer issues that are encountered in practice.
I. How is cross-border personal data transfer defined?
(1) How is personal data defined and distinguished?
The national standard formulated and managed by the National Information Security Standardization Technical Committee (hereinafter the “TC260”), the GB/T 35273-2017 Information Technology – Personal Information Security Specification1 (hereinafter the “Specification”) officially went into effect on May 1st, 2018. In Article 3.1, the Specification defines personal data as: “Any information recorded electronically or by other means, which, on its own or combined with other information, can identify specific natural persons or reflect the activity of specific natural persons. Examples include names, birth dates, national identification card numbers, personal biometric information, addresses, contact numbers, communication records, login credentials, property information, credit information, location history, accommodation information, health information and transaction information, etc.”2
Article 3.2 followed with a definition for sensitive personal data: “Any personal data which, if lost or misused, is capable of endangering persons or property, easily harming personal reputation and mental and physical health, or leading to discriminatory treatment. Typically, personal data of minors 14 years and under, as well as private information of all natural persons, is included in sensitive personal data.”3 However, throughout the Standard, there are no differences regarding processing of sensitive personal data, other than stricter requirements for explicit consent from the information subject4 and encryption when transferring5. Therefore, any regulations that apply generally to personal data in our following discussion also apply to sensitive personal data.
In addition, the “Information Technology – Safety Assessment Guideline for Data Exiting the Country (Draft for Comments),” (hereinafter the “Draft”) released by the TC260 on August 25th, 2017, specifies in section B.2.1 the concept of important data: “Any data that, if leaked, damaged, tampered with or misused after exiting the country, is capable of harming national security, economic development, or social welfare.” Furthermore, the Draft provides stricter assessment criteria for data exiting the country, regarding issues such as security capability of the transferring party, the political and legal environment of the country or area where the receiving party is located, and classification of security incidents. However, unlike the overlapping definitions of personal data and sensitive personal data, the concept of important data has escalated to concern matters of national security and social welfare. In fact, on the legislative level, personal data and important data are strictly distinguished; for example, they were separately addressed in the Provisions for Personal Data and Important Data Safety Assessment when Exiting the Country (Draft) released by the State Internet Information Office. Therefore, regulations on cross-border transfer of important data will not be discussed as personal data in this article.
Regarding data on the national and political level, it is also important to note that according to the Law on Guarding State Secrets6, Anti-Terrorism Law7, Provisions on Implementation of the Archives Law8, and Guidelines for Strengthening Internet Security Management of Cloud Computing Services for Party and Government Departments9, China prohibits information containing state secrets, terrorism information, National First Grade Archives, sensitive information of the Party and government, etc. from exiting the country. Regarding this, scholars have suggested that government data which involves national secrets or even security concerns require greater confidentiality by nature, so prohibition of their transfer across borders should be reasonably expected. For government data that does not involve national secrets, if it is of a public nature, then it should fall within the scope of opening and adjustment of government data, and no cross-border data management issue will be involved10. Therefore, all aforementioned data should not be included in the discussion over personal data.
As a summary, the author believes that personal data should include sensitive personal data, and should be different from important data, as well as ordinary information that only involves identities and activities of natural persons, such as data involving the state, Party and government. In fact, from a business standpoint, an expanded definition of personal data will undoubtedly cause greater compliance burdens.
(2) How is cross-border transfer defined?
The Network Security Law11 went into effect on June 1st, 2017, and Article 3712 therein officially imposed restrictions on cross-border data transfer. Collection and use of personal data within and outside of China are treated separately. In one case, when the Shanghai Representative Office of a foreign corporation was transferring a Chinese employee’s personal data to its Hong Kong branch, it mistook Hong Kong as domestic. Hence, it believed national regulations on cross-border personal data transfer did not apply, and did not implement any risk prevention clauses.
In fact, even though the Network Security Law13 did not give additional definitions or explanations, according to the National Security Law, “foreign” refers to areas outside the territory of the People’s Republic of China, or areas inside the territory but where the government of the People’s Republic of China does not yet have administrative jurisdiction. Due to special historical circumstances, Taiwan, Hong Kong, and Macao are all “areas inside the territory but where the government of the People’s Republic of China does not yet have administrative jurisdiction”, and should therefore be considered “foreign”. Therefore, personal data transfer of Chinese citizens to Taiwan, Hong Kong, and Macao are still subject to state regulation of cross-border data transfers.
II. An analysis of regulations on cross-border data transfer in the current legislation
On the whole, China has not yet formed a comprehensive system of cross-border data transfer regulations; current existing rules are scattered across different levels of laws and regulations. In the following section, each of the major regulations are sorted out and analyzed according to the legal hierarchy.
A. Network Security Law
In the Network Security Law, there are actually no provisions specified to regulate data “transfer”. However, there are a series of provisions regarding data collection, usage, security management, and other process related to transfer. The main subjects of regulation include “critical information infrastructure operators” and “network operators”. Therefore first and foremost, we must perform a conceptual analysis of these subjects, in order to learn whether or not the regulations for these subjects apply to corporations which are the main subjects of transfer in data transfers.
The main provision that applies to “critical information infrastructure operators” is Article 37 of the Network Security Law, which provides as follows: Personal data and important data collected and produced by critical information infrastructure operators during their activities within the territory of the People’s Republic of China, shall be stored within the territory; where due to business requirements it is truly necessary provide it outside the mainland, a security assessment shall be conducted according to the measures jointly formulated by the National Cyberspace Administration and the relevant departments of the State Council. Where laws or administrative regulations provide otherwise, those provisions apply. This provision mainly involves localization of personal data and security assessment procedures. If it applies to a corporation, then the corporation will face strict requirements for local storage of any personal data collected. The data can only be provided across borders if there is a real business need, and must undergo a security assessment. This will undoubtedly result in greater costs and burdens in business operation.
In fact, the definition and scope of “critical information infrastructure” has always been quite vague throughout the versions of the Network Security Law. In the first draft for review, the concept was defined by industry, purpose, number of users, etc14. In the second draft for review, the criteria of industry and purpose were removed, and the special importance of security was instead emphasized15. The third draft for review and the official version then chose to combine the two areas of industry traits and security importance, defining simultaneously from both angles16. As stated previously, the particular scope of industry was not specified in legislation, resulting in that many corporations are unsure whether they fall under the regulatory scope of “critical information infrastructure operators”. In addition, the author believes that the main concern of regulation remains the risk of serious harm to national security, people’s livelihoods, and public benefit, and it is inappropriate to address personal data transfer with measures meant for government or national security data, which require higher levels of confidentiality. Before the State Council and related departments promulgate further regulations, corporations that do not fall within the currently defined range do not need to consider this clause as part of their data compliance requirements.
For the other subject of regulation, “network operators”, the main clauses related to data transfer are Articles 41 and 43. They are listed in grid format below:
Network operators collecting and using personal information shall abide by principles of legality, propriety and necessity, disclosing their rules for its collection and use, explicitly stating the purposes, means and scope for collecting or using information, and obtaining the consent of the person whose data is gathered.
Network operators must not gather personal information unrelated to the services they provide; must not violate the provisions of laws, administrative regulations or bilateral agreements to gather or use personal information; and shall follow the provisions of laws, administrative regulations or agreements with users to process personal information they have saved.
Applies to rules of collection before transfer; “use” can be interpreted as containing transfer
Where an individual discovers network operators have violated the provisions of laws, administrative regulations or bilateral agreements in collecting or using their personal information, they have the right to request the network operators to delete their personal information; where discovering that personal information gathered or stored by network operators contains errors, they have the right to request the network operators to make corrections. Network operators shall adopt measures for deletion or correction.
Applies to data collection before transfer, and saved data that remains after transfer.
Returning to the concept itself, we find that the Network Security Law defines network operators in Article 76 as “the owners and administrators of networks, as well as network service providers”, but does not further specify the types of corporations that this definition does or does not apply to. In fact, based on Article 2 of the Administrative Measures for Internet Content Providers17, internet content providers are split into operational and non-operational types. The state carries out a licensing system for operational internet content providers (known as the ICP License), and a registration system for non-operational internet content providers (known as the ICP Registration Record). Typically, e-commerce sites and search engines are internet corporations that receive the ICP License, while traditional corporations that merely use the internet as a form of marketing or product promotion do not usually have an ICP license. It is yet unclear whether corporations that do not have an ICP license are considered network operators or not. The law does not provide a clear answer to this question. However, scholars have argued that based on the Network Security Law and the Administrative Measures for Internet Content Providers, operational internet content providers like Taobao and JD, traditional corporations that create websites for marketing that are non-operational in nature, as well as network owners and managers like China Mobile and China Telecom, should all be considered network operators18. Hence, we must wait for the state to establish further specifications clarifying whether the regulations with network operators as a subject apply to corporations. The author finds that pertinent regulations are also reflected in later drafts that do not address network operators; therefore, legislators likely consider it a given that corporations are bound by these rules. In this uncertain phase, corporations should strictly follow these rules to formulate compliance measures.
(2) Administrative regulations
A. Regulations on the Administration of the Credit Investigation Industry19
Based on Article 24 of the Regulations on the Administration of the Credit Investigation Industry issued by the People’s Bank of China, “The organization, storage and processing of data collected by credit investigation agencies within the territory of China should be carried out within the territory of China. Provision of data to foreign organizations or individuals by credit investigation agencies should follow laws, administrative regulations, and provisions made by the Department of Credit Investigation Supervision and Administration under the State Council.” Because this clause primarily addresses credit investigation agencies within China, it does not concern regular corporations.
B. Provisions for Personal Information and Important Data Safety Assessment upon Exiting the Country (Draft for Comments)
Although these Provisions have already passed the stage of public consultation in 2017, they have not yet been officially released. Compared with the previously shown legislation, these Provisions provide more detailed rules for data security when exiting the country. Below, the regulars are organized in grid form.
Personal information and important data collected and produced by network operators during their activities within the territory of the People’s Republic of China, shall be stored within the territory; where due to business requirements it is truly necessary provide it outside the mainland, a security assessment shall be conducted according to the measures provided in these Provisions.
Clearly specifies the need for localized processing and safety assessment procedure
Before personal information exits the mainland, the purpose of sending data abroad, its scope, content, receiving party and country or area where the receiving party is located, shall be explained to the personal information subjects, and their consent shall be obtained. Parent or guardian consent must be obtained to send minors’ personal information abroad.
Consent of personal information subjects
The security assessment for data exiting the country emphasizes the areas below:
One, the necessity for data to exit the country; Two, the situation of personal information involved, including its quantity, scope, type, level of sensitivity, and whether personal information subjects have consented to their personal information exiting the country; Three, the situation of important data involved, including its quantity, scope, type, level of sensitivity, etc.; Four, the receiving party’s implemented safety measures and security capability, as well as the network security of the country or area where it is located; Five, risks of the data being leaked, damaged, tampered with or misused after exiting the country or re-transferred; Six, risks involved to national security, social welfare, and personal rights and interests upon data exiting the country or convergence of data outside the country; Seven, other important matters to be assessed.
Applies to cases where the corporation carries out the security assessment for data exiting the country on their own
When the data exiting the country matches any of the following situations, network operators must report to industry directors or supervision departments to conduct the security assessment:
One, contains or cumulatively contains personal data of over 500 thousand people; Two, size of the data exceeds 1000GB; Three, contains data related to nuclear facilities, biochemistry, national defense, or population health, or data related to large-scale engineering projects, ocean environments, sensitive geographical data, etc.; Four, contains network security information such as system vulnerabilities or security protection of critical information infrastructure; Five, transfer of data outside of China by critical information infrastructure operators; Six, other cases which may affect national security and social welfare, where industry directors or supervision departments believe they should assess.
Where industry directors or supervision departments are uncertain, the assessment will be carried out by the National Cyberspace Administration.
Cases where the corporation must not conduct the security assessment for data exiting the country on their own, and must instead report to industry directors
In any of the below circumstances, data is prohibited from exiting the country:
One, personal information exiting the country was not consented to by the personal information subjects, or may harm their personal interests;
Two, data exiting the country may bring security risks to national politics, economy, science & technology, national defense, etc., and may affect national security or harm social welfare;
Three, other cases where the National Cyberspace Administration, police department, security department, etc. decide data may not exit the country.
Three situations in which data is prohibited from exiting the country. If personal information contains risks on the national or societal level, or if it harms personal interests, exiting the country is prohibited.
Network operators shall conduct a security assessment at least once every year pertaining to data exiting the country, based on business development and network operation condition, and report the results of the assessment to industry directors or supervision departments promptly.
When the data receiving party changes; when the purpose, scope, quantity, or type of data exiting the country undergoes relatively large changes; or when a major security incident involving the receiving party or transferred data occurs, a security re-assessment should be carried out without delay.
Requirements for frequency of security assessments
Data exiting the country refers to personal information and important data collected and produced by network operators during their activities within the territory of the People’s Republic of China, being provided to agencies, organizations, or individuals located outside the territory.
All aforesaid regulations related to data exiting the country, also apply to personal information and important data.
(3) Departmental rules
A. Notice of the People’s Bank of China on Proper Protection of Personal Financial Information by Banks and Financial Institutions20
According to Article 6 of this Notice issued by the People’s Bank of China, “The storage, processing and analysis of any personal financial data gathered within the territory of China should be carried out within the territory of China. Other than as otherwise stated by laws and regulations or the People’s Bank of China, banks and financial institutions may not provide domestic personal financial data to parties outside China.” The Notice also provided a clear definition for “personal financial data”: “Information collected, processed and stored through the operation of banks and financial institutions or through connecting to the People’s Bank of China’s credit investigation system, payment system or other systems; containing personal identity, property, account, credit, and financial transaction information, and other derivative information.” The regulatory subjects mentioned here are banks and financial institutions, which cannot transfer the above types of information outside the country. In practice, it is perfectly fine for corporations to provide employees’ personal data to cooperative banks, but after the cooperative banks gather the data, there are a series of limitations imposed by the state on cross-border transfer of the data.
(4) National standards
Most of the related national standards provide specific and detailed rules regarding consent before data transfer, data protection and security assessment procedures, etc. However, because national standards have no mandatory legal effect, they merely provide guidelines for corporations’ data compliance work. Therefore, the author will give a brief summary as follows.
A. Information Technology – Guideline to Personal Data Protection in Public and Commercial Service Information Systems issued by TC260
With four phases of the process—data collection, processing, transfer, and deletion—as a basis, basic principles and duties of personal data managers during each phase of data processing were specified. Emphasis is placed on protection of personal data. Further requirements were proposed with regards to “explicit consent” in the personal data collection phase.
B. Information Technology – Safety Assessment Guideline for Data Exiting the Country (Draft for Comments) issued by the AQSIQ and SAC
This guideline has not yet been officially issued. It mainly concerns security assessments for personal data and important data exiting the country, and the procedures, key points, and methods involved. It provides detailed regulations for corporation self-assessment and administrative department assessment. In addition, industrial categories were provided for important data; because this does not involve personal data, no further discussion will be made here.
C. Information Technology – Personal Data Safety Standard issued by the AQSIQ and SAC21
This guideline primarily established standards for principles that should be followed when using information systems to process personal data, and the safety measures that should be put in place. Detailed and specific rules were given for principles of personal data collection, protective storage, and timely deletion after the purpose has been met. However, on the whole, there are no new highlights, and the document mainly serves a reiterative purpose. Regarding the cross-border transfer of personal data, it was simply stated to use other countries’ rules as guidelines.
III. Advice for corporation data compliance
For corporations, the current policies for personal data transfer on a national level have not yet formed a comprehensive system, and most documents providing detailed regulations for cross-border data transfer are either national standards without mandatory legal effect, or draft regulations that have not yet taken effect. Corporations should respond to the current situation with the methods below:
(1) Categorize all data processed by the corporation and accurately discern between information types, in order to respond to different rules and regulations. For data that must be locally processed, corresponding technical preparations should be made; for corporations that may fall under “critical information infrastructure operator”, pre-judgments should be carried out before the specific range is announced, and compliance preparations should be made accordingly.
(2) Close attention should be paid to changes in policies, especially laws and regulations that have passed the public consultation period but have not yet been officially issued. For example, once the Provisions for Personal Data and Important Data Safety Assessment upon Exiting the Country (Draft for Comments) are officially promulgated, its requirements for local storage of personal information and important data as well as safety assessments before sending data abroad will immediately hold mandatory legal effect. Close attention should also be paid to industry changes in terms of national standards without mandatory legal effect. Both in internal policy and external transaction, with regards to localized processing and security assessments, corporations should make efforts to add policies to be issued in the future, or add a standby clause indicating future possible policies will be followed, thereby avoiding later compliance risks.
(3) For transnational corporations, different regulations related to cross-border data transfer in the countries where data is located, processed, and used should all be carefully followed and addressed.
 The People’s Republic of China Standard Announcement 2017 No. 32
2 The People’s Republic of China Standard GB/T 35273—2017 ”Information Technology – Personal Information Security Specification” Appendix A
3 The People’s Republic of China Standard GB/T 35273—2017 ”Information Technology – Personal Information Security Specification” Appendix B
4 The People’s Republic of China Standard GB/T 35273—2017 ”Information Technology – Personal Information Security Specification” 5.5
5 The People’s Republic of China Standard GB/T 35273—2017 ”Information Technology – Personal Information Security Specification” 6.3
6 The People’s Republic of China Presidential Decree No. 28
7 The People’s Republic of China Presidential Decree No. 6
8 The People’s Republic of China State Council Decree No. 676
9 CAC issuance  No. 14
10 Rong, Wang: Cross-Border Data Flow Policy Understanding and Advice, Tencent Research, 2018.1.29
11 The People’s Republic of China Presidential Decree No. 53
12 According to the Network Security Law of the People’s Republic of China, Article 37: “Personal information and important business data collected and produced by critical information infrastructure operators during their activities within the territory of the People’s Republic of China, shall be stored within the territory; where due to business requirements it is truly necessary provide it outside the mainland, a security assessment shall be conducted according to the measures jointly formulated by the national cyberspace administration and the relevant departments of the State Council . Where laws or administrative regulations provide otherwise, those provisions apply.”
13 The People’s Republic of China Presidential Decree No. 29
14 See the first draft for review, Article 25: “The State implements focus protection for critical information infrastructure in important sectors and areas such as basic informational network that provides services including public telecommunications and radio and television transmission, energy, transportation, irrigation, finance, etc., as well as information systems of public service sectors such as power supply, water supply, gas supply, health care, social security, etc., military networks, political networks for government agencies municipal level or above, and networks and systems owned or managed by network service providers with massive amounts of users (below, ‘critical information infrastructures’).”
15 See the second draft for review, Article 29: “The State implements focus protection for critical information infrastructure that, whenever it is destroyed, loses its ability to function or encounters data leaks, may gravely harm national security, the people’s livelihood and the public interest, on the basis of the tiered cyber security protection structure.
16 See the third draft for review and the official version, Article 31: “The State implements focus protection for critical information infrastructure in important sectors and areas such as public telecommunications and information services, energy, transportation, irrigation, finance, public services, e-government, etc., as well as other critical information infrastructure that, whenever it is destroyed, loses its ability to function or encounters data leaks, may gravely harm national security, the national economy, the people’s livelihood and the public interest, on the basis of the tiered cyber security protection structure.”
17 The People’s Republic of China State Council Decree No. 588
18 Network Security Law Interpretation Series (1): Big Data Companies, Are You a “Network Operator”?, Chief Data Officers Alliance
19 The People’s Republic of China State Council Decree No. 631
20 The People’s Bank of China issuance  No. 17
21 The People’s Republic of China Standard Announcement 2017 No. 32
The Watson & Band website is intended for informational purposes only. Nothing in this site is to be construed as creating an attorney-client relationship between the reader and Watson & Band or as offering legal advice on any specific matter. Since we are not providing legal advice through this website, you should not act upon any information that you might receive here without first seeking professional counsel. No client or other reader should act or refrain from acting on the basis of any information contained in the Watson & Band website without seeking appropriate legal or other professional advice based on the particular facts and circumstances at issue.