Beijing has published a bevy of laws, regulations, and policy statements over the past six months on cyber governance (here, here, and here). Together, they flesh out China’s concern for protecting its “cyberspace sovereignty” (网络空间主权) against foreign interference. Last Tuesday the Cyberspace Administration (a division of the State Council – China’s central executive body) added to this list. It released a draft guidance document detailing safety assessments to be conducted for certain personal information and important data originally created or stored in mainland China that a company wants to transfer to another jurisdiction.
These developments put some important flesh on the bones of China’s new Cybersecurity Law, which I wrote about when it was promulgated last November. That law presaged coming restrictions on the transfer of digital information. For example, Article 37 of the Cybersecurity Law requires that personal information or important data saved or produced in mainland China (i.e., not Hong Kong) by users of critical information infrastructure must be saved on servers in mainland China. The law did little to define “critical information infrastructure,” but indicated the term might have broad sweep: Article 31 suggests that it could include services needed for public communication or information, power, transportation, water works, finance, public service, or digital governance, as well as any infrastructure that would endanger national security, national welfare, popular livelihood, or the public interest if destroyed or hacked. Small wonder that over forty global business groups criticized the law when it was published.
Last week’s draft guidance goes further. Article 2 states that personal information or important data saved or produced in mainland China by internet users must be saved on servers in mainland China. The Cybersecurity Law’s “critical information infrastructure” restriction is gone, increasing the scope of data that must remain in mainland China. One could imagine a number of potential explanations for this discrepancy. Cynically, it could be an attempt by the Cyberspace Administration to increase its jurisdiction over digital information. More generously, it may be an effort to afford the broader privacy protections guaranteed in Articles 41 through 43 of the Cybersecurity Law. Pragmatically, it could be an admission that the term “critical information infrastructure” is so broad as to not have any real meaning. More prosaically, it might just be a case of poor drafting that will be corrected for purposes of the final guidance. Whatever the reason, this discrepancy substantially diminishes any clarity the guidance was originally designed to provide.
Scope of Data Subject to Review
The Cyberspace Administration oversees safety assessments of personal information or important data that a company wants to move outside of mainland China (Art. 2). Personal information is defined as information that, independently or together with other data, can identify a natural person (e.g., names, dates of birth, national ID numbers) (Art. 17). Important data is more capaciously defined as information closely related to national security, economic development, or the public interest (Id.).
These definitions, however, do not coexist comfortably with certain minimum requirements for security review established in Article 9. Namely, Article 9 dictates that a company must apply for security review when it wishes to transfer: (1) information on 500,000 or more people, (2) data exceeding 1 terabyte, (3) information relating to nuclear facilities, chemical biology, members of the military, the population’s health, large engineering projects, the marine environment, and sensitive geographic information, (4) information relating to systemic flaws in “critical information infrastructure” and cybersecurity more broadly, (5) information relating to those using critical information infrastructure, and (6) other information that might affect national security or the public interest.
Article 9 is problematic for at least two reasons. First, it raises the idea of critical information infrastructure without explaining how it relates to the broader concern with personal information and important data outlined in Article 2. Is data related to users of critical information infrastructure only a subset of personal information and important data as defined in Article 17? If so, how do we square that with the Cybersecurity Law? Second, it is unclear whether personal information and important data falling below minimum thresholds in Article 9 are exempt from security review or simply have no recourse for transfer abroad. This confusion will have real consequences for internet companies, which must rely on this guidance to avoid substantial regulatory and financial penalties established in the Cybersecurity Law.
Less ambiguously, there are certain categories of information that cannot be transferred outside mainland China (Art. 11). These include information that (1) could harm an individual’s interests or that the individual has not consented to have moved, (2) could place national policies, the economy, technology, or national defense at risk or negatively affect national security or the public interest, and (3) the Cyberspace Administration, Public Security Bureau, or other security offices determine should not be transferred.
What the Company Must Show
Article 4 provides that the company must explain (1) why the information is being moved, (2) the scope of information to be moved, (3) the content of information being moved, and (4) where the information will be stored. For data relating to minors, the company must also show that the child’s guardian has granted permission for the move. Article 8 requires additional reporting, including (1) a summary of safety measures undertaken to protect the information once it is outside mainland China, (2) an assessment of the risk that data will be leaked, damaged, tampered with, or abused, (3) an analysis of whether the information could endanger national security, the public interest, or an individual’s rights, and (4) any other information required by a security agency. The government must complete its review within 60 business days of receiving a transfer application.
Caveat for International Agreements
Article 15, interestingly, provides that any agreement signed between the mainland government and any other government on the transfer of data can displace these restrictions. This could provide Beijing an important workaround for addressing the charge that its domestic cyber regulations impede free trade. This is very much a live issue—the U.S. Trade Representative listed Chinese Internet censorship as a trade barrier just last year. While not resolving the dispute, it could signal willingness to begin a discussion on how to manage the intersection of trade law and domestic internet regulation.
Multinational corporations have already begun to line up in opposition to last week’s proposed guidance. And while it is not uncommon for draft regulations to be revised before promulgation, it would be naïve to expect significant changes. The regulations’ sweep and ambiguity will pose a serious problem both for corporations trying to comply and countries, like the United States, that reject Beijing’s understanding of cyberspace sovereignty.