management systems that include: cybersecurity personnel and products to users and authorities security incidents and reporting such incidents to the authorities to public security bodies and state security bodies to safeguard national security and investigate crimes.
by the new law is IT Product Suppliers and they are required to: services and products for the full term of the contract--security maintenance cannot be terminated within the contract term.
PRC market, cybersecurity products and services will be required to obtain a government certification and/or meet prescribed safety inspection requirements and national standards.
for Cross-Border Transfer of Local Data under the Draft
applicability of the data localization rule from CII operators to all NOs. The implication is that virtually all entities established in China that access and use the Internet in the course of business operation might be caught and could be required to keep a copy of personal data and other important data collected and generated in the course of the NO's operation in China (Local Data).
If an NO seeks to transfer the Local Data overseas for business needs, it must undergo a security assessment. The Draft provides for two types of security assessments: (i) self-assessment; and (ii) government-administered assessment (GAA).
assessment before transmitting Local Data overseas (unless a GAA is triggered) and be responsible for the results of the assessment.
A GAA is triggered if the intended outbound cross-border data transmission involves any of the following circumstances: personal information of more than 500,000 individuals sectors such as nuclear facilities, chemical biology, national defense and military and population health, as well as data related to large-scale engineering activities, marine environment and sensitive geographic information such as system vulnerabilities or security protection in respect of CII important data to overseas recipients by operators of CII national security or public interests.
development and network operation status, conduct a security assessment on outbound data transmission at least once a year and report the assessment results to the relevant industry regulator.
In addition to the annual security assessment, NOs are required to conduct a new security assessment each time: or significant change in the purpose, scope, volume or type of the outbound data transmission; or involving the data recipient or the data transmission abroad.
responsible for organizing and administering GAA. If a GAA is triggered but the competent industry regulator cannot be identified, CAC shall take charge of the GAA.
what is "Important Data." It refers to data that is closely related to national security, economic development and public interest.
In terms of privacy protection, in general, NOs shall inform data subjects of the purpose, method and scope of collection and use of personal data and obtain data subjects' consent. The Draft provides that, in order to transmit personal information out of China, NOs must inform data subjects of the purpose and scope of the outbound data transmission, the content and the recipient(s) (countries or regions) of the information transmitted and need to obtain consent.
Under the Draft, outbound transmission of Local Data is prohibited: transmission could infringe the data subject's interests create a security risk in terms of national politics, the economy, science and technology, or national defense, etc. and could affect national security or harm public interest.
China should start to review their data privacy and cybersecurity policies to ensure compliance with the incoming law and measures. NOs with a need to transmit personal data collected within China and abroad should review and amend their existing privacy policies or statements in order to ensure compliance.
It is not known whether a transmission of Local Data from mainland China to Hong Kong would be construed as "cross-border" transfer and we may need to wait for further measures or Court explanation before this will be clear. But given that the new cybersecurity law does not apply to Hong Kong under the "One Country, Two Systems" principle, it would defeat the purpose of the data localization rule and privacy protection if Local Data can be transferred from mainland China to Hong Kong without any security assessment.