China’s Cybersecurity Law (the “Cybersecurity Law”) took effect on June 1, 2017. The Cybersecurity Law consists of 79 articles in total. According to Article 2 thereof, the Cybersecurity Law applies to the construction, operation, maintenance and use of cyberspace within the territory of China, as well as to the supervision and administration of cybersecurity within the territory of China. This blog post will discuss those provisions of the Cybersecurity Law that are most relevant to the protection of personal information. Any company that collects, stores, or processes personal information within the territory of China may find it useful to become familiar with such provisions.

Data Localization

Under Article 37 of the Cybersecurity Law, personal information and important data collected and generated in the operation of critical information infrastructure operators within the territory of China shall be stored within China.

While the Cybersecurity Law does not provide a detailed definition or scope of critical information infrastructure operators, Article 31 thereof does state that China will focus on protecting certain important industries, including, without limitation, public communications and information services, energy, transportation, finance and public service, in which any destruction, loss of function or data leakage would endanger national security or the public interest. Therefore, operators of businesses in such industries should proactively consult legal counsel and the competent government authorities to assess whether they would be considered critical information infrastructure operators. If so, they are required to store personal information and important data collected and generated in their operations locally.

Security Assessment

Article 37 of the Cybersecurity Law further provides that, if cross-border transfer of the aforesaid personal information and important data is necessary due to business needs, a security assessment shall be carried out according to the measures formulated by the relevant cyberspace affairs department of the government and the relevant department(s) of the State Council (the “Security Assessment”); provided that, if such measures conflict with any laws or regulations, such laws or regulations shall prevail. The Cybersecurity Law itself does not include the measures and procedures of the Security Assessment, but we will review two draft measures released in recent years to illustrate the potential scenarios under which a business may need to apply for Security Assessment in connection with the cross-border transfer of personal information.

Measures on Security Assessment for Cross-Border Transfer of Personal Information (Draft)

In June 2019, the Cyberspace Administration of China released, for public comments, a draft version of the Measures on Security Assessment for Cross-Border Transfer of Personal Information (the “Draft PI Measures”). Article 1 of the Draft PI Measures states that the Draft PI Measures were formulated in accordance with the Cybersecurity Law. Articles 2 and 3 thereof provide that network operators shall apply to the competent provincial cyberspace affairs governmental department to conduct Security Assessment prior to any cross-border transfer of personal information collected in their operations within the territory of China. The Cybersecurity Law defines “network operators” as owners of networks, managers of networks and network service providers.

It is noteworthy that in the Cybersecurity Law it is the “critical information infrastructure operators” that are subject to the obligation to apply for Security Assessment, while in the Draft PI Measures it is the “network operators” that are subject to such obligation. Arguably, the latter term is broader in its scope.

Measures on Security Assessment for Cross-Border Data Transfer (Draft)

In October 2021, the Cyberspace Administration of China released, for public comments, a draft version of the Measures on Security Assessment for Cross-Border Data Transfer (the “Draft Data Measures”) (which we previously discussed here: Overview on China’s New Draft Measures for Data Cross-border Transfer (chinalawupdate.cn)). Article 1 of the Draft Data Measures states that the Draft Data Measures were formulated in accordance with the Cybersecurity Law, China’s Data Security Law and China’s Personal Information Protection Law. Article 2 thereof provides that data processors shall apply to the competent provincial cyberspace affairs governmental department to conduct Security Assessment prior to any cross-border transfer of important data, and of personal information that is legally required to undergo the Security Assessment, collected and generated in their operations within the territory of China.

Unlike the Draft PI Measures and the Cybersecurity Law, the Draft Data Measures impose on “data processors” (instead of “critical information infrastructure operators” or “network operators”) the obligation to apply for Security Assessment. Although the Draft Data Measures do not include a definition of “data processors”, the term is likely much broader in its scope than “critical information infrastructure operators” and “network operators”.

Article 4 of the Draft Data Measures lists, among others, the following circumstances in which a data processor is required to apply for the Security Assessment: (1) the cross-border transfer involves personal information and important data collected and generated by critical information infrastructure operators (this is substantially similar to the requirements set forth in Article 37 of the Cybersecurity Law); (2) the cross-border transfer involves important data; (3) the data processor processes the personal information of more than 1 million individuals; (4) the cross-border transfer involves the transfer of the personal information of more than 100,000 individuals or the sensitive personal information of more than 10,000 individuals. The Draft PI Measures do not include such a list.

Liabilities

Article 66 of the Cybersecurity Law states that, if an operator of critical information infrastructure stores cyber data overseas or provides cyber data overseas in violation of Article 37 thereof, the relevant competent authority may order the operator to take remedial action, issue warnings to the operator, confiscate the operator’s illegal gains, impose penalties on the operator in an amount between RMB 50,000 and RMB 500,000, suspend the operator’s relevant business, shut down the operator’s website or revoke the relevant business permit or business license of the operator, and may impose penalties in an amount between RMB 10,000 and RMB 100,000 on the person(s) directly responsible for the violation.