Circular of the State Internet Information Office on the Public Consultation on the Measures for the Assessment of Personal Information and Important Data Exit Security (Draft for Soliciting Opinions)
This translation was kindly provided by Paul Triolo
To safeguard personal information and important data security, to safeguard cyberspace sovereignty and national security, and social and public interests, and promote the orderly free flow of network information according to the law, according to the People’s Republic of China National Security Law, the People’s Republic of China Cybersecurity Law, and other laws and regulations, our office has worked with relevant departments and drafted the “Personal Information and Important Data Outbound Security Assessment Measures (draft)”, which is now open to the public for comments.
Relevant units and people of all walks of life may submit their views by May 11, 2017, in the following manner:
First, by letter, with views sent to: Beijing Dongcheng District Chaoyang Gate Street 225, the State Internet Information Office Cybersecurity Coordination Bureau, Zip code: 100010, with the envelope marked “comments”.
Second, by e-mail to: firstname.lastname@example.org.
State Internet Information Office
April 11, 2017
Personal Information and Important Data Outbound Security Assessment Measures (draft)
Article 1 These Measures have been drafted in order to protect the security of personal information and important data, safeguard cyberspace sovereignty and national security, and social and public interests, while protecting the legitimate interests of citizens, legal persons and other organizations, in accordance with the People’s Republic of China National Security Law, the People’s Republic of China Cybersecurity Law, and other laws and regulations.
Article 2 The personal information and important data collected and generated by network operators within the People’s Republic of China during operations shall be stored within the [national] territory. If the business requirements make it necessary to provide data outside of China, a security assessment shall be carried out in accordance with these Measures.
Article 3 The security assessment for outbound data shall follow the principle of impartiality, objectivity and validity, protect the security of personal information and important data, and promote the orderly and free flow of network information according to law.
Article 4 Where personal information leaves China’s borders, the purpose, scope, content, recipient and destination country of the data shall be explained to the subject of the personal information and agreed upon. Minors’ personal information is subject to the consent of their guardian.
Article 5 State cybersecurity and informatization departments shall coordinate the outbound data security assessment work and guide the industry regulatory or supervisory departments in organizing the outbound data security assessment.
Article 6 Industry regulatory or supervisory departments shall be responsible for the security assessment of the industry outbound data and shall regularly organize the inspection of the specific industry outbound data.
Article 7 Network operators shall, before data leaves China’s borders, on their own initiative organize the conduct of a security assessment for outbound data and be responsible for the evaluation results.
Article 8 The outbound data security assessment shall focus on the following:
(A) the necessity of outbound data;
(B) the conditions touching on personal information, including the amount, scope, type, and sensitivity, and whether or not the subject of the personal information agrees that his/her personal information can leave China’s borders;
(C) the conditions touching on important data, including the amount, scope, type and sensitivity level of important data;
(D) the security protection measures and capability level of the data receiving party, and the cybersecurity environment in the country and region;
(E) risks such as disclosure, damage, tampering and abuse after the data leaves China’s borders and after re-transfer;
(F) the risks that may be brought to national security, social and public interests, and personal legitimate interests arising from the data leaving China’s borders and outbound data collection;
(G) other important matters that need to be assessed.
Article 9 If outbound data is stored in one of the following circumstances, network operators should report to the industry regulators or supervisory authorities and organize a security assessment:
(A) the [data set] contains or has accumulated personal information of more than 500,000 people;
(B) the amount of data is over 1000 GB;
(C) the data includes sector data on nuclear facilities, chemical and biological facilities, the national defense industry, or population health, large-scale engineering activities, the marine environment, and sensitive geographic information data;
(D) the data includes cybersecurity information including system vulnerabilities and security protection for critical information infrastructure;
(E) personal information and important data provided by critical information infrastructure operators to [parties] outside China;
(F) other data that could affect national security and social and public interests that industry regulators or supervisory departments consider should be assessed.
For areas where there is no clear industry regulator or supervisory department, an assessment shall be organized by national cybersecurity and informatization departments.
Article 10 The security assessment organized by industry regulatory or supervisory departments shall be completed within 60 working days, and feedback on the security assessment shall be provided to the network operator in a timely manner and reported to the national cybersecurity and informatization departments.
Article 11 In any of the following circumstances, data shall not be allowed to leave the country:
(A) personal information leaving China’s borders without the consent of the subject of the personal information, or that may be against the interests of the individual;
(B) there is a risk that the data leaving China’s borders could impact national politics, the economy, S&T, and national defense, and could affect national security and harm social and public interests;
(C) other data that national cybersecurity and informatization departments, public security departments, state security departments, and other relevant departments deem cannot leave China.
Article 12 Network operators should, according to business development and the network operation situation, conduct a security assessment of outbound data at least once a year, and in a timely manner assess the situation and report to industry regulatory and supervisory departments.
When the data receiver changes, or there is a relatively large change in the destination, scope, quantity, type of data, etc., or a major security incident occurs with the data receiver or outbound data, a new security assessment should be conducted.
Article 13 Any individual or organization shall have the right to report to the relevant cybersecurity and informatization departments, public security department, and other relevant departments any violations of relevant laws and regulations and these Measures in terms of providing data outside of China’s borders.
Article 14 Whoever violates the provisions of these Measures shall be punished in accordance with the relevant laws and regulations.
Article 15 Agreements between the Chinese government and other countries and regions on outbound data shall be carried out in accordance with the provisions of the agreement.
Data involving state secret information shall be handled in accordance with the relevant provisions.
Article 16 Security assessment work for the personal information and important data sent outside China’s borders that was collected and produced by other individuals and organizations within the territory of the People’s Republic of China shall be carried out in accordance with the present Measures.
Article 17 The definitions for the following terms used in the present Measures:
A network operator is the owner of a network, a manager, and a network service provider.
Outbound data refers to personal and important information collected and generated by network operators during operations within the territory of the People’s Republic of China, and provided to overseas institutions, organizations, or individuals.
Personal information refers to various types of information recorded by electronic or other means capable of identifying a person’s personal identity alone or in combination with other information, including but not limited to the name of the natural person, date of birth, identity document number, personal biometric information, telephone number and so on.
Important data refers to data that is closely related to national security, economic development, and social and public interests, with specific reference to national relevant standards and important data identification guidelines.
Article 18 These Measures shall come into force on the day X of 2017.
Office of the Central Cybersecurity and Informatization Leading Small Group
(Cyberspace Administration of China)
Cybersecurity Coordination Bureau