A wide-ranging draft cybersecurity law recently released by China's top legislative body could provide for better overall protection of corporate and consumer data privacy, practitioners who have reviewed the law told Bloomberg BNA. The most significant progress, they said, involve provisions—appearing in a law for the first time in China—on the cross-border transfer of citizen information and the rights of consumers to access and correct or delete personal information.

The draft law, however, raises potential challenges for companies by expanding the types of data that must be stored within the country beyond rules that are already in place for certain sectors, such as banking and health-care, practitioners said.
Article 31 of the draft Network Security Law on Data Privacy states that providers of “critical information infrastructure” would be required to store data within mainland China and would be subjected to a “security assessment” of their information technology before approval of any transfers outside of that territory.

“Clients who have IT operations across multiple countries would potentially run into new challenges triggered by the new law,” Gabriela Kennedy, a partner at Mayer Brown in Hong Kong, and Xiaoyan Zhang, counsel, told Bloomberg BNA July 14.

“For example, some business functions such as customer service are typically served across borders which inevitably involve data transfers,” they said in a joint statement. “After the new law they will need to pass a ‘security assessment' first, the standard and content of which is undefined. Further, international businesses currently hosting Chinese citizens' data outside China would need to reconsider their data infrastructure.” The draft law initially released July 6 is available for public comment until Aug. 5. It is uncertain when the final law would be put into place.

Two Potential Loopholes
Manuel E. Maisog, partner at Hunton & Williams LLP in Beijing, told Bloomberg BNA July 13 that Article 31 “has obvious implications for operational efficiency of any business that is reliant on information and analysis. In some cases it could even affect an enterprise's ability to operate at all within China, as cross-border transfers of information are essential to the operation of many businesses.”

Maisog pointed out two potential loopholes in the article. First, the rule appears only to cover “critical information infrastructure,” which may limit the impact to licensed telecommunications firms, and second, the “security assessment” that would allow cross-border transfers may not be as intrusive as it appears if it ends up to be self-regulating.

“It is not clear if the governmental agencies would be directly involved in the security assessment itself, or only in the establishment of the rules and procedures which govern the security assessment but with the data transferor then being responsible to conduct these security assessments in a self-executing, self-regulatory basis,” Maisog said. “The text is not clear.” If government agencies are directly involved in security assessments, then there is a “prospect of delay and potential cost arising in what formerly had been a routine and even reflexive act,” Maisog said. “Even if governmental agencies will not be directly involved and do not need to give a ‘green light’ to each and every proposed cross-border transfer of information, the requirement to conduct an internal ‘security assessment’ could be burdensome and costly, if done in a conscientious and dutiful manner.”

Data Privacy Provisions
While the data privacy provisions in the draft law may not break new ground, they do “provide a focused framework for cyber security and data protection” beyond sector-specific rules that are already in place, according to Kennedy and Zhang of Mayer Brown.

The addition of rules on cross-border transfer of data under Article 31 and consumer access to and correction of data under Article 37 “are an important step to bring China's privacy regulation in line with the rest of the world,” Kennedy and Zhang said. Article 39 may also protect the use, sale and transfer of personal data gathered by government departments, but that provision needs to be further clarified, according to the practitioners. Maisog said this article may be backed by Article 253 of China's Criminal Law, which already imposes criminal liability on government officials who misuse personal information they access in governmental duties and functions. Given that the government is largely self-policing, however, concerns remain. “In some jurisdictions governmental access to private data is policed by way of independent judicial review, which is lacking in China,” Kennedy and Zhang said.

Reproduced with permission from Privacy Law Watch (Jul. 15, 2015). Copyright 2015 by The Bureau of National Affairs, Inc. (800-372-1033)