Proposed Chinese cyber law mandates security assessment for companies exporting personal data

April 19, 2017

China has released a new draft law aimed at tightening cyber security and protecting personal information during international data transfers.

The Cyberspace Administration of China (CAC) released its Measures for the Security Assessment of Personal Information and Critical Data Leaving the Country for comment on April 11. If adopted, the new guidelines will require that Chinese network operators looking to transfer data abroad submit to a security assessment to determine whether the transaction carries a risk of “leakage, loss, falsification or misuse.” The rules will apply to any business seeking to transfer over one terabyte of data or information on 500,000 or more individuals.

The measures also explicitly prohibit any transfer of personal information without the prior consent of the user. For the purposes of this new CAC draft, “personal information” is defined as any data that can, independently or when aggregated with other information, be used to determine the identity of a natural person, including name, national ID number, biometric data or telephone number.

This draft is the latest in a series of increasingly targeted cyber regulations enacted in the wake of China’s sweeping and controversial Cybersecurity Law, which was adopted late last year and is slated to take effect on June 1, 2017.

The CAC cites two primary objectives for creating these new security assessment rules. The first is to protect personal information and other critical data from cyber threats – an increasingly prominent issue as more Chinese citizens get online. According to a recent ThreatMetrix report, the Asia-Pacific region experienced a 40% increase in cyber attacks last year, with China as the most frequent target.

Upholding what the CAC calls “internet sovereignty” and national security is the second stated goal. Data localization has become a central component of the country’s emerging national cybersecurity architecture, and Chinese authorities have equated the ability to exert control over online activity with territorial sovereignty. Opponents contend that this approach could stifle the free flow of information and make it more difficult for multinational companies to operate in China.

The proposed CAC measures will be open for public comment until May 11.