Who's responsible for what here? Questions surround updates made to China's Cybersecurity Law

By Sascha Matuszak

Table of Contents

In the two years since China’s Cybersecurity Law (CSL) has officially been in force, companies doing business in China have adopted a “wait and see” attitude toward a number of provisions in the law. Chinese authorities have made tweaks and changes to the law over the past 18 months, including arguably the most anticipated draft measure, Second Draft Measures on Security Assessment for Export of Personal Information, released on June 13. The Second Draft Measures are open for public consultation until 13 July 2019. An unofficial translation of the draft can be read here.

These measures address the data localization and data transfer provisions of China’s Cybersecurity Law, provisions that foreign companies active in China feared could lead to the loss of business secrets to competitors or to the Chinese authorities themselves. The article in question, Article 37, reads as follows:

Critical information infrastructure operators that gather or produce personal information or important data during operations within the mainland territory of the People’s Republic of China, shall store it within mainland China. Where due to business requirements it is truly necessary to provide it outside the mainland, they shall follow the measures jointly formulated by the State cybersecurity and informatization departments and the relevant departments of the State Council to conduct a security assessment; where laws and administrative regulations provide otherwise, follow those provisions.

There have been a few key changes to the language that companies should be aware of.

Key amendments

The draft covers only personal information and does not yet address important or critical data (i.e., business data). The draft also applies the data export requirement to “network operators,” which is an expansion of the scope of the original article that applied the requirements to “critical information infrastructure operators.” The new draft language of the requirements laid out in Article 37 can be translated as follows:

Network operators providing those outside the mainland territory with personal information collected by operators inside the mainland territory of the People's Republic of China (hereinafter ‘personal information leaving the country’) shall conduct security assessments in accordance with these Measures. Where through security assessments it is determined that personal information leaving the country might impact national security or harm the public interest, or that it would be difficult to ensure personal information security, it must not leave the country. Where the state has other provisions on personal information leaving the country, follow those provisions.

An assessment by Michelle Chan and Clarice Yue of Bird & Bird clarifies further:

The Second Draft Measures however do not appear to expressly impose any data localisation requirement on network operators. It is important to note that businesses operating outside of China (thus not just a ‘network operator’ in China) will also be caught by the Second Draft Measures. Article 20 of the Second Draft Measures provides that entities operating outside of China but collecting personal information of individuals in China through the Internet (or other means) are required to [go] though their legal representatives in China to comply with the obligations applicable to network operators in China.

Additionally, changes have been made to the security filings that companies must submit before transferring or exporting personal data; the particular questions that a security review must answer; and obligations regarding storing data, as well as annual reports detailing the data being stored, exported or transferred, and the reasons for doing so.

Of particular interest are the requirements for contracts between network operators, data subjects and data recipients. These requirements appear onerous, but are in effect not very different from the same burdens imposed by GDPR regulations governing the interactions between network operators and data subjects. Indeed, previous drafts amending and clarifying aspects of the CSL have discussed consent and the problem of “bundled consent” — China has come to similar conclusions as European regulators: network operators are forbidden from obtaining bundled consent. Some of the contractual requirements are:

  • “the contracts must set out the purposes of the export, the types of personal information involved, and the period for which the data will be retained abroad,

  • “network operators must notify the data subjects of the export;

  • “the data subjects will be named as a third party beneficiary in the relevant contracts and be given the right of recourse against the data recipients and the network operators;

  • “the data recipient is not permitted to further transfer the personal information to a third party unless certain conditions are satisfied, including that a consent has been obtained from the data subjects concerned.”

This document is only available to subscribers. Please log in or purchase access.
Purchase Login


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings