Notice of the Cyberspace Administration of China on Seeking Public Comments on the Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Exposure Draft)

By Francesca Yu. Last Updated on Jun 15, 2022

Promulgation Authorities: Cyberspace Administration of China

Release Date: 2017-04-11

Source: http://www.cac.gov.cn/2017-04/11/c_1120785691.htm

Original Title: 国家互联网信息办公室关于《个人信息和重要数据出境安全评估办法(征求意见稿)》公开征求意见的通知

Notice of the Cyberspace Administration of China on Seeking Public Comments on the Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Exposure Draft)

To protect the security of personal information and important data, safeguard cyberspace sovereignty, national security, and social and public interests, as well as promote the orderly and free flow of network information, in accordance with the State Security Law of the People’s Republic of China, the Cybersecurity Law of the People’s Republic of China, and other laws and regulations, we, in concert with the relevant authorities, have drafted the Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Exposure Draft), and are hereby seeking public comments thereon. The parties concerned and people from all walks of life may give their opinions in either of the following ways by 11 May 2017.

I. Correspondence: Cybersecurity Coordination Bureau of the Cyberspace Administration of China, 225 Chao Yang Men Nei Street, Dongcheng District, Beijing, 100010 (please specify “public comments” on the envelope).

II. Email: security@cac.gov.cn.

Annex: Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Exposure Draft)

Cyberspace Administration of China

11 April 2017

Appendix:

Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Exposure Draft)

Article 1 These Measures are enacted in accordance with the State Security Law of the People’s Republic of China, the Cybersecurity Law of the People’s Republic of China, and other laws and regulations to protect the security of personal information and important data, safeguard cyberspace sovereignty, national security, and social and public interests, as well as promote the orderly and free flow of network information.

Article 2 The personal information and important data generated or collected by a network operator during its operation within the territory of the People’s Republic of China shall be stored within China. If it is necessary to transmit data abroad due to business needs, security assessment shall be conducted according to these Measures.

Article 3 Security assessment for the data to be transmitted abroad shall be conducted under the principles of fairness, objectivity and validity to protect the security of personal information and important data, and promote the orderly and free flow of network information.

Article 4 For the transmission of personal information abroad, an explanation on the purpose, scope, content and receiver of the data to be transmitted abroad, and the country or region where the receiver is located shall be given to the owner of the personal information, and the transmission shall be consented to by such owner. Outbound transmission of personal information of a minor shall be agreed to by the guardian thereof.

Article 5 The state cyberspace administration shall conduct overall coordination for security assessment for the data to be transmitted abroad, and guide industrial authorities or regulators to conduct security assessment for the data to be transmitted abroad.

Article 6 An industrial authority or regulator shall take charge of the security assessment for the data to be transmitted abroad in respect of the industry, and shall organize regular security inspections for the data to be transmitted abroad in respect of the industry.

Article 7 Prior to transmitting data abroad, a network operator shall organize on its own the security assessment for the data to be transmitted abroad, and be liable for the assessment results.

Article 8 During security assessment for the data to be transmitted abroad, the assessment shall focus on the following aspects:

(1) Necessity of transmitting the data abroad;

(2) Personal information involved, including the quantity, scope, type and sensitivity of personal information, as well as whether the owner of personal information agrees to transmit his personal information abroad;

(3) Important data involved, including the quantity, scope, type and sensitivity of important data;

(4) Security protection measures, ability and proficiency of the data receiver, as well as the network security environment of the country or region where the data receiver is located;

(5) Risks of leakage, damage, alteration and abuse of data after being transmitted abroad and further transferred;

(6) Risks to national security, social and public interests, and personal legitimate interests arising from transmitting the data abroad and gathering the data to be transmitted abroad; and

(7) Other important matters to be assessed.

Article 9 In any of the following circumstances, a network operator shall apply to its industrial authority or regulator to organize security assessment:

(1) The data to be transmitted abroad contains or contains in aggregate the personal information of more than 500,000 users;

(2) The quantity of the data to be transmitted abroad is more than 1,000 gigabytes;

(3) The data to be transmitted abroad contains data in the areas of nuclear facilities, chemical biology, defense industry, population and health, as well as the data of large-scale project activities, marine environment and sensitive geographic information;

(4) The data to be transmitted abroad contains system vulnerabilities, security protection and other network security information of critical information infrastructures;

(5) A critical information infrastructure operator provides personal information and important data abroad; or

(6) Other data which may affect national security, and social and public interests, and are necessary for assessment as determined by the industrial authority or regulator.

If there is no definite industrial authority or regulator, the Cyberspace Administration of China shall organize the assessment.

Article 10 The security assessment organized by an industrial authority or regulator shall be completed within 60 working days. The security assessment information shall be made known to the network operator, and reported to relevant departments of the Cyberspace Administration of China.

Article 11 Data shall not be transmitted abroad in any of the following circumstances:

(1) The outbound transmission fails to be approved by the owner of personal information, or may jeopardize personal interests;

(2) The outbound transmission causes security risks to the nation’s politics, economy, technology and defense, which may affect national security and jeopardize social and public interests; or

(3) Other data which are forbidden to be transmitted abroad as determined by the state cyberspace administration, public security authority, security authority and other relevant authorities.

Article 12 A network operator shall, in light of its business development and network operation, conduct security assessment for the data to be transmitted abroad at least once a year, and shall report the assessment information to the industrial authority or regulator concerned without delay.

In case of any changes to the data receiver, any major changes to the purpose, scope, quantity and type of the data transmitted abroad, or any major security events of the data receiver or the data to be transmitted abroad, another security assessment shall be conducted without delay.

Article 13 In the event of a transmission of data abroad in violation of relevant laws and regulations, or these Measures, any individual or organization may report to the state cyberspace administration, public security authority or other relevant authorities.

Article 14 Violations of these Measures shall be penalized in accordance with relevant laws and regulations.

Article 15 If the Chinese government has entered into any agreement on the data to be transmitted abroad with other nations or regions, such agreement shall be followed.

Information involving state secrets is subject to relevant regulations.

Article 16 These Measures are applicable mutatis mutandis to the security assessment for the outbound transmission of the personal information and important data generated or collected by other individuals and organizations within the territory of the People’s Republic of China.

Article 17 Definitions of the following terms in these Measures:

“Network operators” refers to owners, managers and network service providers of networks.

“Transmitting data abroad” means providing overseas institutions, organizations and individuals with the personal information and important data generated or collected by network operators during their operation within the territory of the People’s Republic of China.

“Personal information” refers to all the information recorded in electronic form or otherwise, which can be used, solely or together with other information, to determine the identity of a natural person, including but not limited to the name, date of birth, ID card number, personal biometric information, address and phone number of the natural person.

“Important data” refers to the data closely related to national security, economic development, and social and public interests. Refer to relevant national standards and important data identification guidelines for its specific scope.

Article 18 These Measures shall take effect as of xxx 2017.