The “Data Security Law” tightens the security management of data leaving China. How should multinational companies respond?

Foreword

In 1980, the Organisation for Economic Co-operation and Development (OECD) proposed the concept of “Trans-border Data Flow”, defined as the cross-border flow of personal information. With the development of technology, however, the international understanding of cross-border data flow has gone well beyond personal information. Large-scale data resources, and in particular the cross-border data involved in the operations of multinational enterprises, include not only personal information but also non-personal information such as commodity data, payment data, logistics data and geographic location data, part of which touches on national security and public safety. In the past, China’s regulatory focus was mostly on the export of “personal information” (the “Measures for the Security Assessment of Personal Information Exiting the Country (Draft for Comment)”), leaving a legislative gap in the regulation of the export of other data.

On June 10, 2021, China’s “Data Security Law” was officially promulgated, building a further data export security management framework on the basis of Article 37 of the “Cybersecurity Law”. While encouraging cross-border data flow (Article 10), the “Data Security Law” provides for the security management of data export (Article 31), approval by the competent authorities (Article 36) and legal liability (Article 46), among other things. These provisions give multinational enterprises a direction for starting data export compliance work as soon as possible.

This article, based on the “Data Security Law” and read together with the “Cybersecurity Law”, the “Information Security Technology – Guidelines for Data Export Security Assessment (Draft for Comment)” (hereinafter the “Assessment Guidelines”) and other regulations, answers frequently asked questions about the data transfers that exist within multinational enterprises, in order to provide legal assistance for multinational companies’ data export compliance.

1. The Data Security Law’s regulatory requirements for data export

Article 31 of the “Data Security Law” stipulates that the security management of the export of important data collected and generated by operators of critical information infrastructure in their operations within the territory of the People’s Republic of China shall be governed by the “Cybersecurity Law of the People’s Republic of China”; the measures for the security management of the export of important data collected and generated by other data processors in their operations within the territory of the People’s Republic of China shall be formulated by the national cyberspace administration in conjunction with the relevant departments of the State Council.

(1) Subjects of data export: operators of critical information infrastructure and other data processors

1. Operators of critical information infrastructure

The operator of critical information infrastructure is not a new subject created by the Data Security Law; critical information infrastructure was already defined in the Cybersecurity Law and the Cybersecurity Review Measures.

Article 31 of the “Cybersecurity Law” stipulates that the state, on the basis of the network security multi-level protection system, gives key protection to critical information infrastructure in public communication and information services, energy, transportation, water conservancy, finance, public services, e-government and other important industries and fields, as well as other critical information infrastructure which, once destroyed, disabled or subject to data leakage, may seriously endanger national security, the national economy and people’s livelihood, or the public interest. The specific scope of critical information infrastructure and its security protection measures are to be formulated by the State Council.

On the basis of this article, the Cyberspace Administration of China (hereinafter the “CAC”) formulated the Regulations on the Security Protection of Critical Information Infrastructure (Draft for Comment), Article 18 of which stipulates that the following should be included in the scope of protection of critical information infrastructure:

1. Government agencies and units in the fields of energy, finance, transportation, water conservancy, health care, education, social security, environmental protection, public utilities and other industries;

2. Information networks such as telecommunication networks, radio and television networks, and the Internet, as well as units that provide cloud computing, big data and other large-scale public information network services;

3. Scientific research and production units in the fields of national defense science and industry, large-scale equipment, chemical industry, food and medicine, etc.;

4. News units such as radio stations, television stations, news agencies, etc.;

5. Other key units.

According to Article 2 of the Regulations on the Security Protection of Critical Information Infrastructure (Draft for Comment), the Regulations apply to the planning, construction, operation, maintenance and use of the above-mentioned critical information infrastructure within the territory of the People’s Republic of China, as well as to its security protection.

2. Other data processors

China previously used the concept of “network operator” for the subjects of personal information and data collection and processing activities.

Article 2 of the Measures for the Security Assessment of Personal Information Exiting the Country (Draft for Comment) defines “personal information export” as the act of a network operator providing personal information collected in its operations within the territory of the People’s Republic of China to overseas parties; the “Assessment Guidelines” define “data export” as one-time or continuous activities in which a network operator provides personal information and important data collected and generated in its operations within the territory of the People’s Republic of China, through the Internet or other means, to overseas institutions, organizations or individuals, whether by direct provision or in the course of operating a business and providing services, products, etc.

The new “Data Security Law” expressly defines the collection, storage, use, processing, transmission, provision, disclosure and other activities involving data as “data processing”, and the subjects carrying out those activities as “data processors”. Note that this “data processor” differs in connotation and legal meaning from the “data processor” under the GDPR: under the GDPR a processor acts on behalf of a controller, whereas the “data processor” of the Data Security Law is the party that carries out the processing activities itself, a role closer to the GDPR “controller”.

In summary, a multinational company that collects, stores, uses, processes, transmits, provides or discloses data is engaged in data processing, and therefore falls within the scope of the subjects regulated by Article 31 of the Data Security Law, regardless of whether it plans, builds, operates, maintains or uses the critical information infrastructure described above.

(2) The object of data export: important data

The “Data Security Law” does not require that all data leaving the country be subject to review; rather, it imposes data export security management on important data collected and generated by enterprises in their operations within the territory of the People’s Republic of China. For the category of “important data”, Article 21 of the “Data Security Law” introduces an “important data catalogue” on top of a conceptual definition, to be formulated by the national data security work coordination mechanism in coordination with the relevant departments.

Article 21 of the “Data Security Law” stipulates that the state establishes a data classification and grading protection system, under which data are classified and graded for protection according to their importance in economic and social development and the degree of harm to national security, the public interest, or the legitimate rights and interests of individuals and organizations that would be caused once they are tampered with, destroyed, leaked, or illegally obtained or used. The national data security work coordination mechanism coordinates the relevant departments to formulate catalogues of important data and to strengthen the protection of important data.

Data related to national security, the lifeline of the national economy, important aspects of people’s livelihood and major public interests constitute national core data and are subject to a stricter management system.

All regions and departments shall, in accordance with the data classification and grading protection system, determine the specific catalogues of important data for their own regions, departments and related industries and fields, and give key protection to the data included in those catalogues.

At present, the supporting regulations of the “Data Security Law” have not been promulgated, in particular the most critical “important data catalogue”, but the data export needs of multinational companies will not pause because policy has not been finalized. In the meantime, we suggest that multinational companies define “important data” with reference to the existing classification and grading norms. Some of these norms and industry standards are still at the consultation stage, but that does not mean their contents have no reference value.

Appendix A “Guidelines for Identification of Important Data” of the “Assessment Guidelines” briefly describes the important data of 27 key industries, such as oil, electricity and finance.

The “Several Provisions on Automotive Data Security Management (Draft for Comment)” define the scope of important data in the automotive industry for the first time, including:

1. Data on the flow of people and vehicles in important sensitive areas such as military administrative areas, national defense science and industry units, and party and government organs at or above the county level that involve state secrets;

2. Surveying and mapping data with higher accuracy than the maps publicly released by the state;

3. Operating data of vehicle charging networks;

4. Data such as vehicle types and traffic flow on roads;

5. Audio and video data collected outside the vehicle, including faces, voices, license plates, etc.;

6. Other data that may affect national security and public interests as specified by the national cybersecurity and informatization department and relevant departments of the State Council.

(3) The act of data export: “exit”

The “Assessment Guidelines” define “data export” as one-time or continuous activities in which a network operator provides personal information and important data in electronic form, collected and generated within the territory of the People’s Republic of China, to overseas institutions, organizations and individuals. Note also that the mere transfer of data, without any change to or processing of it, does not constitute data export.

“Provide” is defined as a network operator actively providing data to overseas institutions, organizations or individuals, or releasing data through other channels; it includes the case where the network operator’s users use functions of the products or services it provides to supply data to overseas institutions, organizations or individuals. Provision by a network operator of data that has already been lawfully publicly disclosed is excluded.

Judged by the legislative intent, network operators are required to conduct security assessments before providing important data overseas in order to prevent national data security risks, safeguard national security and protect the public interest. The “Assessment Guidelines” therefore exclude mere data transfer and emphasize active provision by the network operator. This is also consistent with the legislative intent of Article 10 of the Data Security Law.

2. Data export self-assessment work

(Figure omitted; source: “Assessment Guidelines”.)

(1) When is data export self-assessment required?

According to Section 4.2.2 of the “Assessment Guidelines”, a data export self-assessment is required in the following situations:

Where data export is involved;

Before an operator of critical information infrastructure conducts data export;

Where the personal information or important data involved in a product or business that has already completed a data export security self-assessment undergoes a major change in purpose, scope, type or quantity, where the data recipient changes, or where a major security incident occurs;

Where initiated at the request of the industry supervisor or regulatory authority.

(2) How to carry out data export self-assessment work

1. Establish a security self-assessment working group and formulate a data export plan

To carry out the data export self-assessment, a data export security self-assessment working group should be established, mainly composed of professionals in legal affairs, policy, security, technology and management. The working group is responsible for reviewing the data export plan submitted by the business department and for conducting regular inspections and spot checks of data export activity. A business department with a data export need should draw up a data export plan, which is the main basis for the assessment.

The contents of the data export plan include but are not limited to:

The personal information involved, including its type, quantity, scope and sensitivity;

The important data involved, including its type, quantity and scope;

The information systems involved;

The security protection capability of the data sender;

The security protection capability of the data recipient and basic information about the country or region where it is located.

2. Assess the legality and legitimacy of the data export plan

The data export security self-assessment should first consider the legality and legitimacy of the data export plan. If the data export activity is not legal and legitimate, the export is prohibited. On that basis, it then assesses whether the risks of the plan are controllable, so as to effectively guard against leakage, damage, tampering and abuse of the data after export and onward transfer.

For the main points of the self-assessment, refer to Chapter 5 of the “Assessment Guidelines”; for the assessment method, refer to Appendix B of the “Assessment Guidelines”. If the security assessment finds the export security risk to be extremely high or high, the export is prohibited.

(Figure omitted; drawn from the “Assessment Guidelines”.)

3. Produce an assessment report and make corresponding adjustments

After the data export security self-assessment working group completes its assessment of the data export plan, it shall produce a security self-assessment report. The report shall include but not be limited to:

The basic situation of the object of the security self-assessment;

The organization and implementation of the security self-assessment;

The results of the security self-assessment;

Data export security risk points;

Suggestions for rectification.

The security self-assessment report shall be kept for at least 2 years and shall be submitted to the competent industry authority in the following circumstances:

Security self-assessments conducted by operators of critical information infrastructure;

The amount of personal information exported within one year reaches the reporting threshold set by the national cyberspace administration and the competent industry department;

The data contains important data such as data in the fields of nuclear facilities, chemistry and biology, national defense and military industry, and population health, or data on large-scale engineering activities, the marine environment and sensitive geographic information;

Cybersecurity information such as security deficiencies and specific security protection measures of critical information infrastructure;

Other data that may affect national security, economic development or social and public interests.

If the result of the security self-assessment is that export is prohibited, the network operator should take measures to reduce the security risk of the data export, revise the data export plan and conduct a new security self-assessment.

Measures that can be used to reduce the security risk of data going abroad include, but are not limited to:

Streamlining the content of the outbound data;

Processing the data with technical measures to reduce its sensitivity;

Improving the security capability of the data sender;

Restricting the processing activities of the data recipient;

Replacing the recipient with one that offers a higher level of data protection;

Selecting data recipients in jurisdictions whose political and legal environment offers strong data protection.
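To make the first two of these measures concrete, here is an added example written for this page; it is not code from the article or from any regulator. It applies a field allow-list (streamlining the outbound content) and keyed pseudonymization plus location coarsening (reducing sensitivity by technical means) to a vehicle telemetry record of the kind the automotive provisions above describe, and runs a pre-export gate over the result. The sample record, the field names, the allow-list, the grid size and the key are all assumptions for the illustration.

```python
"""Added example: field minimization and keyed pseudonymization of a vehicle
telemetry record before cross-border transfer.

Field names, the allow-list, the grid size and the sample record are
assumptions for this illustration, not taken from any regulation.
"""
import hashlib
import hmac
import math
from typing import Dict, List, Tuple

# Fields the hypothetical overseas fleet-analytics use case actually needs.
EXPORT_ALLOWLIST = frozenset(
    {"vin", "plate", "lat", "lon", "speed_kmh", "battery_pct", "timestamp"}
)
# Direct identifiers: replaced by keyed tokens so the recipient cannot recover them.
PSEUDONYMIZE = frozenset({"vin", "plate"})
LOCATION_FIELDS = frozenset({"lat", "lon"})
GRID_DEG = 0.01  # about 1 km; far coarser than survey-grade mapping precision

# Constructed sample record (hypothetical values, not real vehicle data).
SAMPLE_RECORD = {
    "vin": "LSGAB12345C678901",
    "plate": "京A12345",
    "driver_face_embedding": [0.12, 0.88, 0.31],  # biometric: must not leave
    "cabin_audio_ref": "blob://audio/2021-07-01/0815.wav",
    "lat": 39.908722,
    "lon": 116.397499,
    "speed_kmh": 42.5,
    "battery_pct": 71,
    "timestamp": "2021-07-01T08:15:30+08:00",
}


def pseudonymize(value: str, key: bytes, length: int = 16) -> str:
    """Deterministic keyed token: HMAC-SHA256 truncated to `length` hex chars.
    A keyed MAC rather than a plain hash, because the plate/VIN space is small
    enough to enumerate; the key never leaves the domestic sender."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def coarsen(coord: float, grid: float = GRID_DEG) -> float:
    """Snap a coordinate down to the grid cell it falls in, discarding precision."""
    return round(math.floor(coord / grid) * grid, 6)


def minimize_for_export(record: Dict, key: bytes) -> Tuple[Dict, List[str]]:
    """Build the outbound record. Returns (export_record, names of dropped fields)."""
    exported, dropped = {}, []
    for name, value in record.items():
        if name not in EXPORT_ALLOWLIST:
            dropped.append(name)  # streamlining: not needed abroad, so not sent
        elif name in PSEUDONYMIZE:
            exported[name] = pseudonymize(str(value), key)
        elif name in LOCATION_FIELDS:
            exported[name] = coarsen(float(value))
        else:
            exported[name] = value
    return exported, dropped


def check_export_record(exported: Dict, original: Dict) -> List[str]:
    """Pre-export gate. Returns the problems found; an empty list means the
    record may pass, anything else should block the transfer."""
    problems = []
    raw_ids = {str(original[n]) for n in PSEUDONYMIZE if n in original}
    for name, value in exported.items():
        if name not in EXPORT_ALLOWLIST:
            problems.append(f"field not on allow-list: {name}")
        if str(value) in raw_ids:
            problems.append(f"raw identifier present in field: {name}")
        if name in LOCATION_FIELDS:
            cells = value / GRID_DEG
            if abs(cells - round(cells)) > 1e-6:
                problems.append(f"location not coarsened: {name}")
    return problems


if __name__ == "__main__":
    key = b"domestic-only-hmac-key"  # hypothetical; in practice held in a domestic KMS
    out, gone = minimize_for_export(SAMPLE_RECORD, key)
    print("dropped:", gone)
    print("export record:", out)
    print("gate problems:", check_export_record(out, SAMPLE_RECORD))
```

Two design points: the token key must stay on the domestic side (otherwise the recipient can re-derive plates and VINs from the small identifier space), and the gate runs on the record that is actually about to leave, not on the plan. Reducing sensitivity in this way lowers the risk score of the plan; it does not by itself remove the assessment obligation, since the coarsened and pseudonymized record may still count as personal information or important data.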

After making the corresponding adjustments, the enterprise can reassess the security risk of the data export.

3. Frequently Asked Questions

(1) Do multinational companies have to set up servers in China for data storage?

The Data Security Law does not directly regulate data localization. For this issue, refer to Article 37 of the Cybersecurity Law, which is already in force.

Article 37 of the Cybersecurity Law stipulates that personal information and important data collected and generated by operators of critical information infrastructure in their operations within the territory of the People’s Republic of China shall be stored within the territory. Where it is genuinely necessary to provide such data overseas for business reasons, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration in conjunction with the relevant departments of the State Council; where laws and administrative regulations provide otherwise, those provisions apply.

In short, if an operator of critical information infrastructure stores important domestic data directly on overseas servers, it violates the localization requirement and exposes the enterprise and the directly responsible persons to the risk of administrative penalties.

The Cybersecurity Law sets data localization requirements only for operators of critical information infrastructure, but because that term was previously defined only by industry and degree of harm, implementation by multinational enterprises in practice has been unsatisfactory. The “Data Security Law” expands the regulated subjects of data export: beyond operators of critical information infrastructure, “other data processors” are now also within the scope of supervision. At the same time, in line with recent regulatory trends, the regulators have successively issued regulations and policies for industries related to national security, such as the “Several Provisions on Automotive Data Security Management (Draft for Comment)” for smart vehicles, which for the first time clearly define the scope of important data in the automotive industry.

It follows that, for multinational enterprises engaged in the 27 key industries listed in Appendix A “Guidelines for Identification of Important Data” of the “Assessment Guidelines”, if the data they collect and use have potential national security implications, the answer to “Do multinational companies have to set up servers in China for data storage?” is yes: in response to the regulatory trend, they need to set up servers in China for data storage.

(2) Does overseas remote access belong to data export?

The meaning of “data export” has been explained above. On that basis, we can discuss whether overseas remote access constitutes data export.

First, what does “overseas remote access” mean, that is, which situations does it generally cover?

In the narrow sense, “remote access” generally refers to a remote user accessing a computer and its storage resources from another device; commonly, remote access software is installed on the computer so that it can be controlled remotely.

The “data export” regulated by law requires the network operator to be proactive in its act of “providing”. In the author’s view, in the context of remote access this initiative is reflected in whether the access is controlled by permissions. If an overseas party is granted permission to access a domestic database, the act should fall within the scope of the “Assessment Guidelines” and constitutes “data export”.

If important data collected and generated by a network operator within the territory of the People’s Republic of China is stolen by a malicious attacker and transferred abroad, that is not considered data export. It is, however, a data security incident, which triggers the incident-handling and reporting obligations of the Data Security Law.

From the perspective of the accessed object, if the computer or resources accessed by an overseas party have no permission requirements, that is, any party can access them at any time and from anywhere, this is the same situation as the exclusion of “data publicly disclosed in accordance with the law” and likewise is not “data export”.

(3) Does the parent company receiving important data overseas also have compliance requirements?

Yes.

In the operations of multinational companies, the entity that collects and transmits data is mostly the domestic company (the foreign-invested enterprise), which bears the main compliance obligations, but the overseas parent company, as recipient, is also subject to certain regulatory requirements. The “Measures for Security Assessment of Personal Information Exiting the Country (Draft for Comment)” issued by the Cyberspace Administration of China in 2019 stipulate legal obligations for “personal information recipients” that are practical and prescriptive. We therefore suggest that, before the supporting regulations of the “Data Security Law” are promulgated, multinational enterprises that need to export data refer to those Measures in their data transfer compliance work, so as to avoid regulatory risk as far as possible.

Article 13 of the Measures stipulates that the network operator (the domestic company of the multinational) and the personal information recipient (the overseas parent company) shall sign a contract or other legally binding document, and specifies what the contract must contain.

Articles 15 and 16 of the Measures set out the responsibilities and obligations of the recipient (the overseas parent company), including:

Providing personal information subjects with access to their personal information, and responding to their requests for correction or deletion within a reasonable cost and time limit;

Using the personal information for the purpose agreed in the contract, and not storing it overseas beyond the period agreed in the contract;

Confirming that signing and performing the contract will not violate the legal requirements of the recipient’s country; where a change in the legal environment of the recipient’s country or region may affect performance of the contract, notifying the network operator in a timely manner, which in turn reports to the provincial cyberspace administration where the network operator is located;

Not transferring the received personal information to a third party unless certain conditions are met.

For “important data”, the “informed consent” requirement is not as strong as for “personal information” (where it expresses the individual’s right of self-determination over their information), so the first point is less relevant to “important data”. The logic of points 2, 3 and 4, however, applies to both “personal information” and “important data”, and multinational enterprises can refer to them.

Summary

The Cyberspace Administration of China recently published the “Measures for Cybersecurity Review (Revised Draft for Comment)” on its official website for public comment. The Measures make special provision for companies listing abroad: an operator holding the personal information of more than 1 million users must apply to the Cybersecurity Review Office for a cybersecurity review before listing abroad, and the IPO materials to be filed must be provided with the application. In addition, new factors concerning overseas listings have been added to the national security risks considered in the review. It is clear that, in the coming period, the cross-border flow of data related to national security will face further regulatory requirements. For multinational companies in particular, whose daily business involves high-frequency cross-border data flows, this issue needs to be addressed.
