Chinese rules on cross-border data transfers delayed by lack of consensus over reach

By Xu Yuan. 5 December 2017.

Chinese rules to govern cross-border data transfers have been in stasis for eight months, mired in disagreements over issues such as how widely they should be applied, MLex has learned.

On April 11, the Cyberspace Administration of China, the country's Internet regulator, published a draft of "Measures for Conducting Security Reviews for Cross-Border Transfers of Personal Information and Important Data" for public consultation even before the Cybersecurity Law took effect on June 1. An official version of the measures has yet to be released.

But it is understood that a tug of war has ensued among competing interest groups, largely over the scope of the rules' application.

Although the Cybersecurity Law requires only operators of networks that the regulator classifies as critical information infrastructure to store data generated in everyday business operations within China, the draft measures require all network operators to store it.

Critical information infrastructure comprises networks and information systems that could, if they suffer damage, outages or data leaks, pose serious risks to national security, the national economy and people's livelihoods, as well as to the overall public interest.

Foreign businesses are strongly opposed to the rules being applied in such a broad fashion. Some have questioned whether there is a valid legal basis for the regulator to expand the reach of the rules beyond the provisions of the Cybersecurity Law, but others have argued that the rules can be based on laws other than the Cybersecurity Law, citing the National Security Law as one possible basis.

The Cyberspace Administration previously said in an interview that the rules targeted only critical information infrastructure, but it remains to be seen whether the authorities will make concessions to address the concerns that have arisen.

It is said that the official version of the measures will differ significantly from the consultation draft. It can also be expected that the formal rules will be more specific. For instance, the regulator is likely to provide more detailed instructions on what will trigger a security assessment.

In an earlier internal draft, the regulator granted a grace period until the end of 2018 for the full implementation of the rules. It is said that the regulator has since developed several more internal drafts as it has worked on the rules.

The government is also in the process of formulating supporting guidelines for conducting security assessments related to exports of data.

The National Information Security Standardization Technical Committee, a standards-setting body established under the Cyberspace Administration, earlier published the latest draft of “Guidelines for Data Cross-Border Transfer Security Assessment” for public consultation in September.

The US, in particular, has voiced concerns at the World Trade Organization over China’s cross-border data transfer rules. It said the rules were burdensome, broad and vague, and that they would create obstacles to businesses’ routine cross-border information flows.
