China’s new cybersecurity law and how it impacts data transfers
Our friends at JSCAPE have written an article about the new cybersecurity law in China, which came into effect in June this year. Drawing on JSCAPE’s article (with their kind permission), we have put together this overview, which we think will be useful to many of you who have business operations in China or transact with organisations based there. The chances that it affects you are very high.
Businesses whose data transfers might be impacted by the law
The provisions in the cybersecurity law that impact data transfers govern two sets of businesses: a large set known as network operators and a small subset known as critical information infrastructure operators (CII operators). The definitions, however, turn out to imply a much wider scope.
For instance, while the term ‘network operators’ might initially be interpreted to mean telecommunications companies, ISPs or cloud service providers, the law actually defines network operators as network owners, managers, and network service providers. That could mean any company that operates any type of network, even a small office LAN. It therefore has the scope to affect many businesses.
Critical information infrastructure refers to data which, if destroyed, damaged or leaked, “might seriously endanger national security, national welfare and people’s livelihood, or the public interest”. Any infrastructure providing public communication and information services, power, traffic, water, finance, public service, or electronic governance is considered CII. Because it is not clear what exactly qualifies as “seriously endangering national security” and the like, other organisations not mentioned here might well be considered CII operators as well.
These broad definitions make it hard for companies to determine whether or not they fall under these categories, so it’s best to seek guidance from regulators or legal experts. If you think your business might be affected, it probably is.
How does the law impact data transfers?
The first thing that jumps out in relation to data transfers is the data localisation provisions. Multinational companies and foreign organisations operating in China often transfer certain information to their headquarters or other offices located in other parts of the world. Businesses may also have to transfer files to customers, suppliers, and other trading partners based overseas. Unfortunately, the data localisation provisions of the Cybersecurity Law will now make these outbound file transfers extremely difficult.
Article 37, in particular, requires certain operators to store personal information and other critical data (collected or generated during the course of business operations) within mainland China. This provision, which originally covered only CII operators, has lately been expanded to include network operators, casting a much wider net that now impacts most businesses.
The expanded provision is stipulated in the draft regulations entitled “Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data Overseas”.
Personal information is normally part of various business processes, often incorporated in HR (Human Resource), sales, and marketing data, among others. Because some of these processes involve the transfer of data overseas, e.g. for further processing or data aggregation purposes, the onset of the data localisation provisions can seriously disrupt current practices.
In cases where it’s absolutely necessary to export personal information and other important data, the Cybersecurity Law may allow it, provided several conditions are met. One of these conditions is to first conduct security assessments in accordance with the measures mentioned earlier.
The security assessments
There are basically two types of assessment: self-assessments and regulator assessments. Both must focus on certain elements, such as:
- the necessity of carrying out the cross-border data transfer;
- circumstances surrounding the presence of personal information and/or critical data;
- the security measures and security environment of both the recipient and the country in which the recipient operates;
- the risk of leakage, loss, falsification or misuse of the transferred data.
Regulator assessments are required when certain circumstances arise, for example when:
- the number of individuals whose personal information is included in the transfer is at least 500,000;
- the amount of data exceeds 1000 GB;
- it involves data relating to information about the security of certain CII.
How secure file transfers can help you pass the security assessments
Secure file transfer systems can help you pass some of these assessments by addressing the technical issues involved. For example, they can greatly enhance the security measures of the recipient and substantially reduce the risk of leakage, loss, falsification, or misuse of the transferred data. Although there are certainly other factors involved, being able to strengthen your recipient’s security measures and reduce critical risks can greatly improve your chances of passing the security assessments.
If you feel that Managed File Transfer solutions may be beneficial to your business, we would be happy to discuss your needs and infrastructure.
Check out our “Do you need MFT” analysis document if you would like to get a better idea of your current processes. This comprehensive expert guide to your data transfer processes will highlight areas that may need addressing.