Joint Comments on Draft Measures for the Security Assessment of Cross-Border Personal Information Transfers

The American Chamber of Commerce in China (AmCham China), the American Chamber of Commerce in Shanghai (AmCham Shanghai), the American Chamber of Commerce in South China (AmCham South China), the U.S. Chamber of Commerce (U.S. Chamber), and the US-China Business Council (USCBC) appreciate the opportunity to submit comments to the Cyberspace Administration of China (CAC) on the Draft Measures for the Security Assessment of Cross-Border Personal Information Transfers. We commend the CAC for ensuring regulatory transparency—including opportunities for public comment—during the drafting process.  

Our joint submission has two sections: 1) General comments and questions on the draft measures as a whole, and 2) Specific comments on an article-by-article basis.  

General Comments 

On one hand, China is home to one of the world’s most dynamic digital economies, with a world-class research and development (R&D) ecosystem that is capable of producing some of the world’s leading technologies. It constitutes a significant market opportunity for American technologies, products, and services. On the other hand, China’s digital economy has become increasingly restrictive and difficult to navigate for our member companies. Data localization requirements, prescriptive security requirements, preferences for domestic technology, and restrictions on data security and cross-border movement of data and information continue to pose immediate and far-reaching challenges for many American companies. Our organizations continue to urge China to promote policies that foster openness and clarity and that conform with international standards in China’s digital economy. 

The Draft Measures for the Security Assessment of Cross-Border Personal Information Transfers (Draft Measures) aim to safeguard “Personal Information security, cyberspace sovereignty, national security, and social public interests.” We recognize China’s need and sovereign right to continue to develop its data privacy framework and to protect the legitimate rights and interests of its citizens and legal persons. We also believe that it is important to affirm that data collection, processing, and cross-border transfers of information and data are an essential element of normal business operations. Consequently, we urge the government to strike a more business-oriented balance between the two. With respect to the Draft Measures, however, we have the following general comments, questions, and concerns: 

Comment: Requirements for security assessments prior to cross-border transfers of Personal Information may dis-incentivize foreign investment in China.

The procedural costs for complying with CAC’s requirement for pre-transfer security assessments and provincial CAC approval of cross-border transfers in the Draft Measures promise to be onerous, time-consuming, unnecessarily high, and inconsistent with international standards and best practices, such as the APEC CBPRS and the OECD Privacy Guidelines. The overall objective should be to encourage and support the adoption of information security safeguard mechanisms, but the Draft Measures as written would instead promote the drafting and filing of complex and expensive contracts and analysis to complete cross-border Personal Information transfers. If enacted in their current form, the Draft Measures would have a serious adverse effect on the development of electronic commerce both across borders and in China. Many Articles are characterized by overly broad definitions, vague requirements, and unclear operational guidelines, and present regulatory authorities with excessive discretion with respect to implementation and enforcement. 

In order to comply with the Draft Measures, companies will likely be faced with the difficult decision of localizing data processing operations in China or limiting investment in the market due to burdensome compliance obligations and costs. Moreover, we anticipate the Draft Measures will also create a filing and review system so extensive that it could overwhelm the government and make it nearly impossible to complete the assessment procedure in time to meet business needs. We instead strongly recommend establishing a presumption that all outbound Personal Information transfers are pre-approved, and only after an audit by Chinese authorities—given reasonable advance notice—that determines the existence of excessive risk should government approval be required for a specific entity. Alternatively, the draft measures could allow companies to conduct their own security self-assessments that, in conjunction with Personal Information subject’s own consent, would suffice for securing cross-border transfers. This would reduce compliance burdens on companies and ensure the long-term, healthy development of China’s innovative digital economy. 

Along these lines, a system of pre-clearance of those destination jurisdictions that offer sufficient data protections could be adopted. Cross-border transfers that use pre-approved security technology should not be required to undergo a security assessment. Akin to the Adequacy Concept adopted by the European Union, this system could also involve countries that have an adequate legal framework and advanced technological infrastructure. Network operators and recipients whose security practices and profile have been “pre-approved” by an accreditation agency should also not have to undergo a further security assessment and could also be subject to pre-clearance. Qualified information security consultants should be allowed to conduct the security assessments rather than a government agency, to conserve governmental resources, and a certification of approval by such an information security consultant should be accepted as though a security assessment had been conducted and approved by the government itself. 

Alternatively, to reduce unnecessary administrative burdens, the draft measures could require only use of a CAC-approved standard contract between the sender and recipient that covers transfers of Personal Information. An existing model for reference is the EU’s approach to personal data protection. Under this approach, which does not mandate specific information security provisions, the recipient either agrees to abide by a set of general data protection principles (if the recipient will be processing the data for its own, independent purposes), or the sender and recipient agree in the contract on a set of “reasonable and appropriate” security measures (if the recipient will be processing the data solely on behalf of the sender). 

Question: Do the draft measures replace the April 2017 “Measures for the Assessment of Personal Information and Important Data Exit Security”?

In April 2017, Chinese authorities released draft Measures for the Assessment of Personal Information and Important Data Exit Security (April 2017 Draft Measures). The April 2017 Draft Measures cover “Personal Information and important data outbound transfer security assessments” that were designed to implement Article 37 of the Cybersecurity Law, which requires that “Personal Information and important data” gathered or produced in China by “critical information infrastructure operators” be stored in China. 

The contents of these June 2019 Draft Measures seem to overlap with contents from the separate April 2017 Draft Measures without explicitly nullifying, overriding, or replacing them. This creates uncertainty for businesses seeking to comply with China’s data privacy regime. We recommend that CAC clarify the status of the various draft measures regulating data privacy and provide a roadmap for publication and finalization of all contents.  

We also present several questions of a general nature for which we request that CAC provide responses: 

Question 1: Why do the draft measures apply to “Network Operators,” when the Cybersecurity Law’s rules on data localization apply to the more narrow category of “critical information infrastructure operators”? 

The Draft Measures draw their legal authority from the Cybersecurity Law, which specifies two categories of regulated entities: Network Operators and critical information infrastructure (CII) operators. With respect to outbound transfers of data, the Cybersecurity Law only prescribes responsibilities to CII operators—not Network Operators. 

In the Draft Measures, “Network Operator” is defined as “network owners and managers, and network service providers,” a definition that is much broader than a CII operator. If a security assessment is required, we recommend narrowing the scope of entities required to undergo the security assessments for outbound transfers of personal data from Network Operators to a narrowly defined set of CII operators. 

Question 2: Do CAC and its provincial cyberspace administration possess adequate resources to sufficiently monitor and implement the draft measures? 

The draft measures delegate significant authority to provincial cyberspace administration in China to approve outbound transfers of Personal Information. Given the number of companies in China and amounts of data likely collected in the normal course of business operations, the burden for CAC and its authorities to approve each outbound transfer of personal data seems to be significant. The delegation to provincial cyberspace administration also significantly increases the risk of inconsistency in practice between these authorities. We recommend establishing a presumption that all outbound Personal Information transfers are pre-approved, and only after an audit by Chinese authorities—given reasonable advance notice—that determines the existence of excessive risk should government approval be required, thus reducing the administrative burden placed on Chinese authorities to review and approve information transfers. 

Question 3: Do these regulations apply to both “data controllers” and “data processors?” There is no clear distinction regarding these roles provided in the Draft Measures. 

The Draft Measures frequently refer to “recipients” of Personal Information transfers without distinguishing between the roles of “Personal Information controllers” and “Personal Information processors.” Consequently, it would seem as if Personal Information processors are required to assume the obligations of Personal Information controllers under the Draft Measures, which could create a number of onerous administrative and compliance burdens. Furthermore, the requirement to provide third-party beneficiary rights to individual Personal Information subjects (Article 13(3)), which enables them to bring direct claims against the Personal Information recipient, renders Personal Information processors legally liable to their Personal Information subjects, a stance which exceeds most international standards, even those in the European Union’s General Data Protection Regulation (GDPR). The lack of a clear distinction between Personal Information “controllers” and “processors” also appears to be inconsistent with Article 8(1) of the Information Security Technology - Personal Information Security Specification (GB/T 35273—2017), which distinguishes between “data controllers” and “delegated persons” and defines their respective roles and responsibilities. We recommend that the Draft Measures clearly define and distinguish the obligations of Personal Information controllers and data processors.  


See attached PDF for article-specific comments