With China’s new cybersecurity law only five weeks away, businesses should be preparing and understanding the new rules. According to DLA Piper, the new draft regulations mean more businesses are likely to be caught by new offshore data transfer rules in the new PRC Cybersecurity law.
The company says China has been moving into the data protection space through court decisions, regulations and laws. However, those rules have not been enforced.
That will now change, particularly as a new ‘whistleblower’ system comes into effect. DLA Piper says companies can now no longer ignore the offshore data requirements.
DLA Piper has provided a series of requirements and actions:
1. The new draft regulations apply to both “personal data” (as defined in the PRC Cybersecurity Law) and “important data”, which is widely defined to include information that relates to national security, economic development, or social or public interest.
Required action: Assessment of data flows to determine what is being sent offshore and whether it falls within these definitions.
2. Consent must be obtained from all individuals before their personal data is sent out of China
Required action: Consents need to be obtained at all data collection points including for employees, customers and individuals within your supply chain or distribution networks. Existing datasets should be identified and consents obtained where none are currently in place.
3. A security assessment needs to be carried out before offshore transfer occurs. The security assessment needs to be redone annually.
Your security assessment includes the need to establish:-
- the legitimate business necessity of transferring the data offshore;
- the amount, scope, type and sensitivity of the “personal data”, and whether consent has been obtained;
- the amount, scope, type and sensitivity of “important data”;
- the safety precautions established by the offshore data recipients (including group companies);
- the risk of the transferred data being retransferred, leaked or misused; and
- whether the transfer may create national security concerns, public or individual risks.
4. The offshore transfer needs to be notified to relevant regulators if any of the following transfer thresholds are met:-
- data sets of 500,000+ individuals;
- data files in excess of 1000GB;
- data related to nuclear facilities, chemical biology, national defence or military, large engineering activities, ocean environmental protection or sensitive geographical information;
- network information of "key information infrastructure", including system loopholes or security measures; or
- you are a “key information infrastructure operator”.
Required action: Your security assessment should specifically identify if any of these thresholds are met and if so relevant regulators must be identified and notified. Notification will trigger an independent assessment by the relevant regulator(s) and/or the CAC and should be carefully constructed to minimize the risk of the transfer being blocked. Regulators are required to make an assessment within 60 days of receiving notification.
5. There is an absolute prohibition on offshore transfer if:-
- consent has not been obtained from data subject for transferring their Personal Data;
- it may result in risks for state politics, the economy, technology, national defence, national security, social or public interests; or
- any relevant regulators issue specific prohibitions.
Required action: Data must not be transferred offshore in any of these circumstances. For businesses caught by and unable to circumvent these prohibitions, China based infrastructure and onshore processing is likely to be the practical solution.
6. Any individual or organisation has a right to report an offshore transfer that violates the law to the relevant regulators.
Required action: Complaints by individuals are one of the most common ways in which privacy and data security issues are brought to the attention of regulators in other countries. Disgruntled employees and competitors represent obvious threats and this practical risk needs to be considered as part of your data handling policies and practices. The “nobody will find out” argument has suddenly become less compelling.
7. Sanctions will be imposed in the event of a violation of the provisions of the regulations in accordance with relevant laws and regulations.
Required action: While specific sanctions are not called out in the draft regulations, sanctions mentioned in existing privacy laws are wide ranging and include the possibility of cancellation of your China business license.