At the end of October, the Cyberspace Administration of China (CAC) released draft rules that provide long awaited details about a government security assessment process to be completed before transferring a wide variety of data out of China. The draft "Outbound Data Transfer Security Assessment Measures" (the 2021 draft Measures) are open for public comment until November 28. Since further revisions are likely before the final version, this analysis focuses on policy implications and legislative trends.
What led up to these draft cross-border data rules?
Security assessments for outbound data transfer have been coming, and evolving, for years. The 2021 draft Measures are the latest update to a key piece of China's data governance and cybersecurity regime, a matrix of laws, regulations, and standards developing in public view for half a decade. They come at a time when several long-awaited elements are falling into place, including the Data Security Law (DSL, effective Sept. 1, 2021) and the Personal Information Protection Law (PIPL, effective Nov. 1, 2021). These laws add to the longstanding architecture of the Cybersecurity Law (CSL, effective June 1, 2017), which first mandated security assessments for transferring data out of China.
When the final text of the CSL was published in 2016, one of its most discussed provisions was Article 37, which among other things calls for a security assessment for outbound data transfers by “critical information infrastructure” (CII) operators that gather or produce “personal information” or “important data” during operations within the mainland. Details about those assessments—or about the definitions of CII, personal information, or important data—were not included. This is normal practice in China, where laws provide broad strokes and the government publishes practical details separately.
Thus in April 2017, before the CSL took effect, the CAC released its first draft Measures on Security Assessment for Outbound Data Transfer of Personal Information and Important Data 《个人信息和重要数据出境安全评估办法（征求意见稿）》. This first draft, however, created more confusion than clarity. CSL Article 37 requires data localization only for CII operators, but the 2017 draft Measures expanded that scope to all "network operators"—a separate concept under the CSL. It is unclear whether that shift was intentional, but regardless, this version was never finalized and put into effect.
Two years later, in June 2019, the CAC made another attempt, releasing draft Personal Information Outbound Transfer Security Assessment Measures 《个人信息出境安全评估办法（征求意见稿）》. This second draft only addressed personal information, omitting the other category addressed under the CSL, important data. This 2019 version, too, was never finalized and implemented.
Yet another two years later, the present draft Measures were released at a time when many pending details have been finalized in the data regulatory regime, embodied in the now-effective texts of the DSL and the PIPL. Both of these laws build on the CSL with clauses containing requirements for data handlers to conduct security reviews before certain types of cross-border data transfers. They contain different (but overlapping) rules applying to CII operators’ data, important data, and personal data. The 2021 draft Measures, citing all three of these laws, appear designed to integrate their requirements and provide details regarding the process, scope, triggers, and criteria involved in security assessments for outbound data transfer.
Are these cross-border data rules part of a crackdown on Chinese tech?
Not entirely, though they would give authorities more opportunities for enforcement. The 2021 draft Measures and the two recently implemented laws came at a time when government authorities were pursuing a spate of actions against Chinese internet platforms. The new draft and the two finalized laws each have a much longer history and a broader significance beyond targeted actions on market competition, online finance, and foreign listings. The Measures do, however, give authorities new powers and responsibilities that could be used in different ways. Their relationship to broader trends in government-business relations might best be judged by how they are enforced.
Who would the new draft Measures apply to?
Most ‘data handlers,’ a broader category than earlier drafts. According to Article 4 of the 2021 draft Measures, data handlers would need to submit to security assessment for cross-border data transfer if they: (1) wish to transfer personal information or important data collected or produced by CII operators; (2) wish to transfer important data; (3) wish to transfer personal data and if, overall, they handle the personal information of over 1 million people; (4) if they cumulatively wish to provide abroad more than 100,000 people’s personal information, or more than 10,000 people’s sensitive personal information; or (5) are covered by other circumstances to be specified by the regulator.
The use of the term “data handlers” in the new draft allows a unified approach addressing the three primary laws at issue. The PIPL and DSL regulate data handlers, while the reference to CII operators transferring personal information or important data integrates with the CSL. “Data handlers” were also introduced in a proposed amendment to the Cybersecurity Review Measures in July after the Chinese government took broad action against ride-hailing company Didi Chuxing after its IPO, similarly enlarging the scope from CII operators to include the broader category regulated in the two new laws.
What kinds of data would require security review before cross-border transfer?
It’s still hard to say for sure. Several key terms still lack thorough definitions, though there are recent indications about how clarity might finally come about. Here are three of the most crucial outstanding definitions:
- Critical information infrastructure (关键信息设施). One factor that determines which data would be subject to review before transfer is whether it is collected or produced by operators of CII. This key concept in the CSL has lacked clarity for five years. On Sept. 1, CII Security Protection Regulations finally went into effect. They do not provide a final and complete answer, but they do describe an overlapping set of central government, local government, and industry regulators’ authorities in defining what is and is not CII.
- Important data (重要数据). Another key concept that has lacked thorough definition is important data. Also a source of uncertainty since its inclusion in CSL Article 37, “important data” is currently most authoritatively defined in a draft guideline (archived link) published in September that is sweeping in scope. Adding uncertainty, in the context of “categorized and graded” data governance, it remains unclear whether “important” is a fixed category of data itself (分类) or a grade of sensitivity (分级) in terms of risk and impact that would apply to all types data, or both. A recent draft data classification standard by the government IT security standards-setting authority TC260 lays out five different grades of data according to levels of risk: grade 1, “open” (公开); grade 2, “internal” (内部); grade 3, “sensitive” (敏感); grade 4, “important” (重要), corresponding to “important data”; and grade 5, “core” (核心), corresponding to the DSL’s “core national data” concept (see diagram below). In practice, all of these different types of data identified by policymakers often overlap, particularly when it comes to how the data is used in company systems. A separate draft recommended standard seeks to define “important data” by laying out characteristics and identification procedures, but remains extremely broad, despite multiple attempts and debate to create a more narrow and usable definition. In theory, data classification could be key to determining what kind of data could be allowed to circulate outside of China and what should be localized, but the emerging system remains a messy tangle.
- Providing abroad (向境外提供) or outbound transfer (出境). The specific meaning of these terms is crucial, as they are the activity that requires prior review. Neither the new Measures nor existing Chinese law provides a clear answer. A related draft guideline issued by TC260 in August 2017, the draft Security Assessment Guidelines for Outbound Data Transfer《数据出境安全评估指南（征求意见稿）》, may shed some light—or cast a shadow—on the issue. It defines outbound data transfer in a sweeping manner, covering scenarios where the data physically stays within China but is accessed by organizations or individuals abroad, or where the data flows to entities located in China but not subject to China’s jurisdiction or not registered with Chinese authorities. However, unlike an earlier version, these August 2017 draft guidelines do not appear to be readily available online.
Depending on how these definitions are specified or effectively enforced, the scope of regulated data could be different, but there is no indication the scope will be narrow. Indeed, the lack of clarity—in some cases now five years after drafting—could itself have a chilling effect as those making decisions about data systems weigh risks going forward.
Read together, the 2021 draft Measures, the CSL, the DSL, and the PIPL produce a daunting compliance burden for covered organizations that seek to transfer data abroad. Taking personal data transfer for example, they would need to provide detailed disclosure to data subjects, obtain separate consent, sign contracts with the foreign data recipients, conduct a privacy impact assessment and a transfer self-assessment on several required items, obtain regulatory approval based on additional factors, and last but not least, go through this outbound data transfer security review process again at least every two years. Not one of these steps is necessarily simple in practice.
Between what’s known and what’s uncertain, would these new measures effectively shut down data transfers out of China for multinationals?
It depends. Many assume that broad data localization mandates are already in place in China, but the reality (for now) is much more messy: many multinational companies continue to transfer some kinds of data outside of China that are necessary for global operations. The question is how long this can last and to what extent this may change. The 2021 draft Measures themselves do not contain the answers but do give more details on the likely process and criteria involved in making these determinations.
Recent standards (referenced above) spelling out categories of "important data" remain too broad to be more helpful. The Data Security Law and an accompanying standard also introduce the category of “core national data.” What this means for companies in practice is likely going to be for different industry regulators and specific companies to navigate. There will also be compliance complications around the categories of data identified by the state and how that data is used in company systems.
With these complexities and uncertainties brought by regulations with sweeping effect and burdensome obligations, companies doing business in China may increasingly face tough choices balancing data localization, compliance costs, business fragmentation, market attractiveness, regulatory risk, and reputational risk. Foreseeably, more businesses will select to store the data of their Chinese business locally. Multinational companies may seek to further separate and isolate their Chinese operations and infrastructure from those of other countries, on both the technical and the operational level.
Things may not necessarily follow this most restrictive path, however, if China’s regulators narrow the scope of impact and provide more regulatory clarity through implementing rules in the near future.
Are there possible pathways for more open data transfers than the broadest readings of recent developments suggest?
Where there’s a will, there’s a way. Taking personal information for example once again, the PIPL provides several legitimate grounds for outbound transfer of personal information. One is through undergoing the assessment process outlined in the 2021 draft Measures. The others include (1) “undergoing personal information protection certification” under rules that have not yet been set, (2) “concluding a contract with the foreign receiving side in accordance with a standard contract” to be formulated by CAC, and (3) if China enters into a treaty or international agreement “contain[ing] relevant provisions such as conditions on providing personal data outside the borders.” The law also reserves for the government the ability to specify other conditions that would allow transfers through further laws or administrative regulations.
These other potential avenues do not immediately make things easier for those wishing to transfer Chinese personal information abroad, but the third option especially indicates an intention on the part of the Chinese government to explore agreements with other governments that could allow negotiated blanket approvals for data transfer, likely with specific boundaries and conditions. Indeed, the PIPL took effect within days of China’s announcement that it would seek accession to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) trade pact, which includes significant provisions on cross-border data flows, as well as the Digital Economy Partnership Agreement (DEPA) between Chile, New Zealand, and Singapore.
Finally, the draft Measures are just that—not final, and not in effect. The government will officially accept comments through November 28, and historically Chinese authorities have continued consultations with interested parties even longer before finalizing laws and regulations. In all, these factors by no means guarantee the enormous barriers to cross-border business perceived by many in the business community and in foreign capitals will go away, but they do mean that the Chinese government has left itself a less restrictive option. The question is which path it chooses.