The Cyberspace Administration of China (CAC) recently issued draft “Security Assessment Measures for the Cross-Border Transfer of Personal Information and Important Data.” The draft comes in the context of the Chinese Cybersecurity Law, which is scheduled to be implemented on June 1, 2017. The National Security Law of China likely also influenced this draft.
SIIA, together with other trade associations, is considering commenting on the draft measures; comments are due to CAC on May 11, 2017. We will likely also sign on to another multi-trade association letter on the Cybersecurity Law. Our sense is that the Cybersecurity Law implementation deadline is driving the proposed security assessment measures, which we think are unnecessarily restrictive and would also be challenging for China to enforce. This is a good Hogan & Lovells analysis of the draft measures.
“Business as usual” will not work for the foreign technology sector in China. We therefore request that the Trump Administration’s 100 day trade plan with China provide for a minimum two year transition period for companies subject to the Cybersecurity Law and the proposed security assessment measures, so that stakeholders can work with the Government of China to satisfy its concerns and develop rules that work for globally active Chinese and foreign firms. As the Trump Administration conducts the Comprehensive Economic Dialogue with China, we recommend that one key element of the dialogue be that the United States and China work together to ensure that cross-border data flows become the default norm for commerce between the two countries and globally.
The APEC Cross-Border Privacy Rules (CBPR) system provides the seed of a region-wide default norm for cross-border data flows. China is a member of APEC but not of the CBPR system. We encourage the Trump Administration to engage with China diplomatically with the goal of getting China to join the CBPR system. Korea has already submitted its intent to participate in the CBPR system. In addition, Singapore, Taiwan, and the Philippines have communicated their intent to join the CBPR system. So there are good regional options for China. Moreover, the APEC Privacy Framework is robust with respect to privacy protection and provides for internationally recognized principles on preventing harm; notice; collection limitations; use of personal information; choice; integrity of personal information; security safeguards; access and correction; and, accountability. With respect to trade, Australia and Singapore are updating their trade agreements to include cross-border data flow provisions, further underscoring the development of an emerging regional and global default norm for cross-border data flows.
We have many questions with respect to the draft security measures. Our perspective is informed by the reality that Internet-based commerce works best if cross-border data flows are permitted. For example, the nature of the Internet is such that even a single e-mail can be split into different parts and stored around the world. This actually enhances cybersecurity. Having said that, it is legitimate for countries to want to ensure that their citizens’ personally identifiable information (PII) is respected. And countries have legitimate national security and other interests. This is why SIIA has long argued for interoperability mechanisms that allow companies to engage in cross-border data flows while at the same time complying with national privacy rules and regulations. Again, the APEC Cross-Border Privacy Rules (CBPR) system is one such mechanism.
Joining the APEC CBPR system does not mean that companies are not subject to national regulators. For instance, the Federal Trade Commission (FTC) recently approved final orders resolving allegations that three companies misrepresented their participation in the APEC CBPR system. The three companies in question are henceforth obligated not to misrepresent their participation.
We have five general non-exhaustive comments/questions on the draft Chinese security assessment measures.
First, the premise behind the measures is that personal information and important data should be stored in China. This is a default data localization rule that is very broad in scope and not in keeping with international trends. It is not consistent with the consensus that cross-border data flows promote commerce and the exchange of ideas. And although it is possible to discern notions of EU views in the draft, the EU does not have a similar rule. Yes, the EU has the General Data Protection Regulation (GDPR), but the GDPR does not establish as a default that data should be stored in the EU. Instead, the EU has made available interoperability mechanisms such as the EU-US Privacy Shield, Standard Contractual Clauses, and Binding Corporate Rules that allow companies to transfer data and at the same time protect data per EU rules. Legislation and regulation should promote the concept of cross-border data flows as the default.
Second, what do companies have to do to show the need for data to exit the country? Is a network efficiency and/or economic justification sufficient?
Third, instead of establishing a baseline for how PII and other important data should be protected in China, the draft rules mandate that the State Network Information Department will conduct “data outbound safety assessments.” This is concerning because it could lead to intrusive investigations into companies’ confidential business practices. We also question whether there is enough capacity to carry out such assessments. How can “inspections” of the exit of data be conducted “regularly” when vast quantities of data are being transferred every second? Again, the EU does not inspect the technical means through which cross-border data flows are conducted. The EU does, however, require companies to have, for instance, privacy policies per the EU-US Privacy Shield. But this is not an inspection of a company’s IT processing practices, which the Chinese proposal appears to require. It would be helpful if the Chinese authorities could clarify what they mean by an “inspection of the exit of data.”
Fourth, there are many questions surrounding what is meant by different elements of the proposal. How should, for example, “social public interests” be defined? Important data are said to include data emanating from “large-scale engineering activities.” This appears to SIIA as overly broad.
Fifth, Article 15 seems to presage the development of agreements between the Chinese government and other countries and regions on how data exit shall be carried out. This could in principle be a workable thing, although we would caution against the development of an EU-style “adequacy” regime. Again, we encourage China to join the APEC CBPR system. It would be most helpful for China to have all the domestic regulation in place with respect to data protection and to then offer interoperability mechanisms so that companies can comply with that domestic regulation but still engage in cross-border data flows.
To reiterate, SIIA supports the right, indeed even the duty, of national regulators to protect PII and other important data (as long as important data are defined clearly and are truly limited to data of national security interest). We made this clear in 2015 at an event for Trade in Services Agreement (TISA) negotiators and most recently in March this year at another event at the World Trade Organization on Data Flows and Development. But we consider that cross-border data flows should be the default norm and that the technical means that firms use to transfer data are proprietary. This is why we strongly urge the Chinese government to provide more time for Cybersecurity Law implementation and to delay the draft assessment measures as well, so that stakeholders have the opportunity to address the Chinese government’s concerns in a manner that is consistent with an international default norm for cross-border data flows. This “ask” complements traditional and still relevant requests for China to respect international best practices and comply with WTO obligations. More time and deep consultation with stakeholders are essential to address those requests.