China: Cybersecurity-law provides for further restricitions

published on June 19, 2019 | reading time approx. 3 minutes

On June 13th 2019, the Cyberspace Administration of China (short: "CAC") published a new draft of measures concerning Cybersecurity law. Among other things, the draft provides for a comprehensive tightening of security assessment regarding the export of personal data. Companies that are dependent on cross-border data transfers may in the future have to expect noticeably more bureaucratic obstacles. The draft is open for comment until July 13th 2019.

Expanded scope for security assessment obligations

Under the new rules, all network operators that transfer personal data from China to a third country (and thus de facto all companies doing business in China) are now required to carry out a security assessment. Under previous legislation, only so-called critical infrastructure operators were required to carry out such an assessment.

Additionally, Article 20 of the draft now requires foreign companies that don't operate an own business entity in China but collect personal data from users there – for example because they have Chinese customers - to also carry out a security assessment. And as part of the security assessment, the companies will be required to present a domestic representative in China. For foreign companies that are only occasionally active in China, this could mean more bureaucracy and a noticeable worsening of the legal situation.

Stricter supervision by authorities and date transfer contract

The implementation of the rules and requirements by enterprises, in particular foreign invested enterprises means a great deal of paper work, lengthy assessment process, uncertainty of authority discretion, extra administrative burdens for regular reporting and recording etc. Before the effectiveness of the draft, foreign invested enterprises may already begin to consider the following:

Recommodations

Die Umsetzung der neuen Vorgaben durch (ausländische) Unternehmen wird in der Praxis wohl zu mehr Bürokratie, langwierigen Bewertungsverfahren, Unsicherheiten bei der Einschätzung des Ermessensspielraums der Behörden und zusätzlichem Zeitaufwand hinsichtlich Berichts- und Aufzeichnungspflichten führen. Bereits vor der Wirksamkeit der neuen Regelungen können Unternehmen aber folgende Punkte in Angriff nehmen:

Whether such personal information transfer could possibly be reduced by data localization in China and to consider exploring the possibility to adjust the strategy of oversea data processing or centralized data storage in the company headquarter;
Whether or what kind of personal information must be transferred to the parent company or affiliated companies abroad during the daily business operation of the company;
Starting to communicate with data recipients for terms and conditions for cross-border data transfer, e.g. based on the standard contractual clauses under GDPR.
Start to keep records of the cross-border transfer of personal information. Based on the purposes and necessity of such cross-border transfer, it could also make sense to start to prepare an assessment report for personal information export security risk and safety guarantee measures etc.

In view of the fact that the implementation of the safety assessment is practically for many companies a previously unknown task, the first steps may prove difficult.