FALL 2017 | Celebrating 25 years with the world's finest law firms
NOs must provide internal security management systems that include:
· appointment of dedicated cybersecurity personnel
· retention of network logs
· reporting risks on network services and products to users and authorities
· having contingency plans for network security incidents and reporting such incidents to the authorities
· providing assistance and cooperation to public security bodies and state security bodies to safeguard national security and investigate crimes.
The third category of operators covered by the new law is IT Product Suppliers, and they are required to:
· provide security maintenance for all services and products for the full term of the contract; security maintenance cannot be terminated within the contract term.
· prior to being sold or produced in the PRC market, cybersecurity products and services will be required to obtain a government certification and/or meet prescribed safety inspection requirements and national standards.
Proposed Security Assessment for Cross-Border Transfer of Local Data under the Draft
The Draft seems to extend the applicability of the data localization rule from CII operators to all NOs. The implication is that virtually all entities established in China that access and use the Internet in the course of business operation might be caught and could be required to keep a copy of personal data and other important data collected and generated in the course of the NO's operation in China (Local Data).

If an NO seeks to transfer the Local Data overseas for business needs, it must undergo a security assessment. The Draft provides for two types of security assessments: (i) self-assessment; and (ii) government-administered assessment (GAA).

NOs must conduct a security self-assessment before transmitting Local Data overseas (unless a GAA is triggered) and be responsible for the results of the assessment.
A GAA is triggered if the intended outbound cross-border data transmission involves any of the following circumstances:
· contains or accumulatively contains personal information of more than 500,000 individuals
· the amount of data exceeds 1,000 GB
· contains, among others, data regarding sectors such as nuclear facilities, chemical biology, national defense and military and population health, as well as data related to large-scale engineering activities, marine environment and sensitive geographic information
· contains cybersecurity information such as system vulnerabilities or security protection in respect of CII
· provision of personal data and other important data to overseas recipients by operators of CII
· other circumstances that may affect national security or public interests.
NOs must, based on their business development and network operation status, conduct a security assessment on outbound data transmission at least once a year and report the assessment results to the relevant industry regulator.

In addition to the annual security assessment, NOs are required to conduct a new security assessment each time:
· there is a change in the data recipient or a significant change in the purpose, scope, volume or type of the outbound data transmission; or
· there is a major security incident involving the data recipient or the data transmission abroad.
Industry regulators shall be responsible for organizing and administering GAA. If a GAA is triggered but the competent industry regulator cannot be identified, CAC shall take charge of the GAA.

The Draft provides a definition of what is "Important Data." It refers to data that is closely related to national security, economic development and public interest.

In terms of privacy protection, in general, NOs shall inform data subjects of the purpose, method and scope of collection and use of personal data and obtain data subjects' consent.

The Draft provides that, in order to transmit personal information out of China, NOs must inform data subjects of the purpose and scope of the outbound data transmission, the content and the recipient(s) (countries or regions) of the information transmitted, and need to obtain consent.
Under the Draft, outbound transmission of Local Data is prohibited:
· if the data subject has not consented or the transmission could infringe the data subject's interests
· if the intended transmission would create a security risk in terms of national politics, the economy, science and technology, or national defense, etc. and could affect national security or harm public interest.
Conclusion

Organizations that conduct business in China should start to review their data privacy and cybersecurity policies to ensure compliance with the incoming law and measures. NOs with a need to transmit personal data collected within China and abroad should review and amend their existing privacy policies or statements in order to ensure compliance.

It is not known whether a transmission of Local Data from mainland China to Hong Kong would be construed as "cross-border" transfer, and we may need to wait for further measures or Court explanation before this will be clear. But given that the new cybersecurity law does not apply to Hong Kong under the "One Country, Two Systems" principle, it would defeat the purpose of the data localization rule and privacy protection if Local Data can be transferred from mainland China to Hong Kong without any security assessment.