Translation: Personal Information Outbound Transfer Security Assessment Measures (Draft for Comment) – June 2019

New Draft Rules on Cross-Border Transfer of Personal Information Out of China

Published

June 13, 2019

TRANSLATION

Notice of the Cyberspace Administration of China on publicly soliciting opinions on the “Personal Information Outbound Transfer Security Assessment Measures (Draft for Comment)”

In order to ensure the security of personal information, safeguard cyberspace sovereignty, national security, and social public interests, and protect the legitimate rights and interests of citizens and legal persons, the Cyberspace Administration of China and relevant departments jointly drafted the “Personal Information Outbound Transfer Security Assessment Measures (Draft for Comment)” in accordance with the Cybersecurity Law of the People’s Republic of China and other laws and regulations. It is now open to society for comments. Relevant units and individuals from all walks of life can submit their opinions by July 13, 2019, via the following methods:

  1. Log on to the Government of China Legal Information Website (URL: http://www.chinalaw.gov.cn) and access “Legislative Comments Collection” on the homepage to submit comments.
  2. Email to: security@cac.gov.cn
  3. Send comments by mail to: Cybersecurity Coordination Bureau, Cyberspace Administration of China, No.11 Chegongzhuang Main Street, Xicheng District, Beijing, Postal Code 100044. Indicate the following on the envelope: “soliciting opinions on ‘Personal Information Outbound Transfer Security Assessment Measures’”

Attachment: Personal Information Outbound Transfer Security Assessment Measures (Draft for Comment) [See below.]

Cyberspace Administration of China

June 13, 2019

Personal Information Outbound Transfer Security Assessment Measures (Draft for Comment)

Article 1: In order to ensure the security of personal information during cross-border data flows, in accordance with the Cybersecurity Law of the People’s Republic of China and other relevant laws and regulations, these Measures are formulated.

Article 2: Network operators that provide overseas personal information collected in the course of operations within the mainland territory of the People’s Republic of China (hereinafter referred to as personal information outbound transfer) shall conduct security assessments in accordance with these Measures. If the security assessment determines that the outbound transfer of personal information may affect national security or harm the public interest, or that the security of the personal information is difficult to effectively protect, such information shall not leave the country.

Where the state has other provisions on the outbound transfer of personal information, those provisions apply.

Article 3: Prior to the outbound transfer of personal information, network operators shall declare personal information outbound transfer security assessments to the provincial-level cybersecurity and informatization department in their locality.

The provision of personal information to different recipients shall entail separate security assessment declarations. The provision of personal information to the same recipient multiple times or continuously does not necessitate multiple assessments.

A new security assessment is required every 2 years or when there are changes to the purpose, type, or overseas retention period related to the outbound transfer of personal information.

Article 4: Network operators shall provide the following materials for personal information outbound security assessment, and bear responsibility for the authenticity and accuracy of the materials:

  1. Declaration form;
  2. The contract signed between the network operator and the recipient;
  3. Analysis report on the security risks and security measures associated with the outbound transfer of personal information;
  4. Other materials required by national cybersecurity and informatization departments.

Article 5: After receiving the declaration materials for personal information outbound transfer and verifying their completeness, province-level cybersecurity and informatization departments shall organize experts or technical resources to conduct the security assessment. The security assessment shall be completed within 15 working days; in complicated cases the period may be appropriately extended.

Article 6: Personal information outbound transfer security assessments shall focus on the following:

  1. Whether the outbound transfer complies with relevant national laws, regulations, and policies.
  2. Whether the terms of the contract can fully safeguard the legitimate rights and interests of personal information subjects.
  3. Whether the contract can be effectively carried out.
  4. Whether the network operator or recipient has a history of harming the legitimate rights and interests of personal information subjects, and whether relatively serious cybersecurity incidents have occurred.
  5. Whether the network operator obtained the personal information legally and appropriately.
  6. Other matters to be assessed.

Article 7: Provincial-level cybersecurity and informatization departments shall simultaneously notify the network operators and national cybersecurity and informatization departments of the results of the personal information outbound transfer security assessment.

Network operators may file an appeal with national cybersecurity and informatization departments if there are objections to the conclusion of the personal information outbound transfer security assessment made by the cybersecurity and informatization departments at the provincial level.

Article 8: Network operators shall keep records of personal information outbound transfers and retain those records for at least 5 years. The records should include:

  1. The date and time of the outbound transfer of personal information;
  2. The identity of the recipient, including but not limited to the recipient’s name, address, contact information, etc.;
  3. The type, quantity, and degree of sensitivity of the personal information undergoing outbound transfer;
  4. Other contents as stipulated by national cybersecurity and informatization departments.

Article 9: Network operators shall report the current year’s personal information outbound transfers, contract performance, and other information to their local provincial cybersecurity and informatization departments before December 31st of each year.

Relatively serious data security incidents should be promptly reported to the province-level cybersecurity and informatization departments.

Article 10: The cybersecurity and informatization department at the provincial level shall regularly organize inspection of the outbound transfer of personal information by [network] operators, including the outbound transfer records of personal information, with an emphasis on the fulfillment of contractual obligations, whether there are any violations of national rules or harm to the legitimate rights and interests of data subjects, and other behaviors.

Where any harm to data subjects’ legitimate rights and interests, security incidents such as data breaches, or similar situations are discovered, [the cybersecurity and informatization department at the provincial level] shall promptly require the network operators to rectify, and, through the network operators, supervise and urge the recipients to rectify.

Article 11: Where any of the following situations occurs, the cyberspace and informatization departments can require network operators to suspend or terminate the outbound transfer of the personal information:

  1. Network operators or recipients experience incidents of relatively serious data breach or abuse;
  2. It is impossible or difficult for the data subjects of the personal information to defend their legitimate rights and interests;
  3. The network operators or recipients are incapable of safeguarding the security of personal information.

Article 12: Any individual or organization has the right to report any violations of provisions of these Measures in providing personal information abroad to cybersecurity and informatization departments at or above the provincial level, or relevant departments.

Article 13: The contracts or other legally-binding instruments (“Contracts”) signed by network operators and recipients of personal information shall specify:

  1. The purposes, types, and retention period of the outbound transfer of the personal information;
  2. The data subjects of the personal information are the beneficiaries of the contractual provisions related to data subjects’ rights and interests;
  3. Where data subjects’ legitimate rights and interests are harmed, they can, by themselves or through an authorized proxy, claim for damages against network operators, recipients, or both, who shall then compensate for the damages, unless they prove they were not responsible;
  4. If the contract cannot be implemented due to changes to the legal environment of the country where the recipient is located, the contract shall be terminated or go through a new security assessment;
  5. The termination of contracts cannot exempt contractual duties and obligations of network operators or recipients related to the legitimate rights and interests of data subjects, unless the recipients have already destroyed received personal information or carried out anonymization processing;
  6. Any other content specified by the parties.

Article 14: Contracts shall specify that network operators bear the following responsibilities and obligations:

  1. By means such as email, instant messaging, letter, or fax, notify personal information subjects of basic information about network operators and data recipients, and about the purpose of outbound personal information transfer, types of personal information, and storage duration.
  2. Upon request of the personal information subject, provide a copy of the contract.
  3. Upon request, relay the personal information subject’s appeal to data recipients, including demands for compensation from recipients; when the personal information subject cannot obtain compensation from data recipients, [network operators] shall make compensation first.

Article 15: Contracts shall specify that recipients bear the following responsibilities and obligations:

  1. Provide personal information subjects with a way to access their personal information. When personal information subjects request to correct or delete their personal information, give a response, make a correction or delete at reasonable cost and within a reasonable timeframe.
  2. Use personal information according to the purpose specified in the contract. Storage duration of personal information at overseas location may not exceed the time limit agreed in the contract.
  3. Affirm that signing the contracts and fulfilling contractual obligations will not violate legal requirements in the recipient’s country. When changes in the legal environment of the recipient’s country and region may affect carrying out the contract, the recipient should promptly notify the network operator and report through the network operator to province-level cybersecurity administration.

Article 16: Contracts shall specify that recipients should not transfer received data to third parties, unless the following requirements are satisfied:

  1. The network operator already notified personal information subjects through email, instant messaging, letter, or fax, about the purpose of onward transfer to third parties, the identity and nationality of third parties, the types of personal information being transferred, and storage duration by third parties, etc.
  2. Recipients commit that when personal information subjects request stopping onward transfer to third parties, recipients should stop onward transfer and ask third parties to destroy previously received personal information.
  3. When personal sensitive information is involved, consent from personal information subjects has been obtained.
  4. When a personal information subject’s legitimate rights and interests are harmed due to onward transfer to third parties, the network operator agrees to first assume responsibility for compensation.

Article 17: The analysis report by network operators regarding security risks in personal information outbound transfer and security safeguard measures should at least include:

  1. Background, size, industry, financials, reputation and cybersecurity capabilities of the network operator and recipient.
  2. A plan for personal information outbound transfer, including duration, the number of involved personal information subjects, the scope of outbound information, and whether personal information will be transferred to third parties after outbound transfer.
  3. A risk analysis of personal information outbound transfer and measures that ensure personal information security and protect the legitimate rights and interests of personal information subjects.

Article 18: Network operators that have provided personal information abroad in violation of the provisions of these Measures, shall be dealt with in accordance with relevant laws and regulations.

Article 19: Where there are clear provisions regarding outbound transfer of personal information in treaties, agreements, etc., reached between China and other countries, regions, or international organizations, those provisions shall apply, except where China has declared reservations.

Article 20: Overseas organizations, in conducting business activities and when collecting the personal information of domestic users through the Internet and other means, shall fulfill the responsibilities and obligations of network operators in these measures through domestic legal representatives or organizations.

Article 21: The meanings of the following terms found in these measures:

  1. “Network operators” refers to network owners, managers, and network service providers.
  2. “Personal information” refers to various information recorded by electronic or other means that, alone or in combination with other information, can identify a natural person’s personal identity, including but not limited to the name of the natural person, date of birth, ID number, personal biometric information, address, phone number, etc.
  3. “Personal sensitive information” refers to personal information that, if leaked, stolen, tampered with, or illegally used, may endanger personal and property safety, or cause damage to a person’s reputation and physical and/or mental health.

Article 22: These measures shall enter into effect beginning (day) of (month), (year).

CHINESE-LANGUAGE ORIGINAL

Source: http://www.cac.gov.cn/2019-06/13/c_1124613618.htm

Archived version: https://web.archive.org/web/20211006184411/http://www.cac.gov.cn/2019-06/13/c_1124613618.htm

国家互联网信息办公室关于《个人信息出境安全评估办法(征求意见稿)》公开征求意见的通知

为保障个人信息安全,维护网络空间主权、国家安全、社会公共利益,保护公民、法人的合法权益,依据《中华人民共和国网络安全法》等法律法规,国家互联网信息办公室会同有关部门起草了《个人信息出境安全评估办法(征求意见稿)》,现向社会公开征求意见。有关单位和各界人士可以在2019年7月13日前,通过以下方式提出意见:

  1.登录中国政府法制信息网,进入首页的“立法意见征集”提出意见。

  2.通过电子邮件方式发送至:security@cac.gov.cn

  3.通过信函方式将意见寄至:北京市西城区车公庄大街11号国家互联网信息办公室网络安全协调局,邮编100044,并在信封上注明“个人信息出境安全评估办法征求意见”。

  附件:个人信息出境安全评估办法(征求意见稿)

国家互联网信息办公室

2019年6月13日

个人信息出境安全评估办法

(征求意见稿)

  第一条 为保障数据跨境流动中的个人信息安全,根据《中华人民共和国网络安全法》等相关法律法规,制定本办法。

  第二条 网络运营者向境外提供在中华人民共和国境内运营中收集的个人信息(以下称个人信息出境),应当按照本办法进行安全评估。经安全评估认定个人信息出境可能影响国家安全、损害公共利益,或者难以有效保障个人信息安全的,不得出境。

  国家关于个人信息出境另有规定的,从其规定。

  第三条 个人信息出境前,网络运营者应当向所在地省级网信部门申报个人信息出境安全评估。

  向不同的接收者提供个人信息应当分别申报安全评估,向同一接收者多次或连续提供个人信息无需多次评估。

  每2年或者个人信息出境目的、类型和境外保存时间发生变化时应当重新评估。

  第四条 网络运营者申报个人信息出境安全评估应当提供以下材料,并对材料的真实性、准确性负责:

  (一)申报书。

  (二)网络运营者与接收者签订的合同。

  (三)个人信息出境安全风险及安全保障措施分析报告。

  (四)国家网信部门要求提供的其他材料。

  第五条 省级网信部门在收到个人信息出境安全评估申报材料并核查其完备性后,应当组织专家或技术力量进行安全评估。安全评估应当在15个工作日内完成,情况复杂的可以适当延长。

  第六条 个人信息出境安全评估重点评估以下内容:

  (一)是否符合国家有关法律法规和政策规定。

  (二)合同条款是否能够充分保障个人信息主体合法权益。

  (三)合同能否得到有效执行。

  (四)网络运营者或接收者是否有损害个人信息主体合法权益的历史、是否发生过重大网络安全事件。

  (五)网络运营者获得个人信息是否合法、正当。

  (六)其他应当评估的内容。

  第七条 省级网信部门在将个人信息出境安全评估结论通报网络运营者的同时,将个人信息出境安全评估情况报国家网信部门。

  网络运营者对省级网信部门的个人信息出境安全评估结论存在异议的,可以向国家网信部门提出申诉。

  第八条 网络运营者应当建立个人信息出境记录并且至少保存5年,记录包括:

  (一)向境外提供个人信息的日期时间。

  (二)接收者的身份,包括但不限于接收者的名称、地址、联系方式等。

  (三)向境外提供的个人信息的类型及数量、敏感程度。

  (四)国家网信部门规定的其他内容。

  第九条 网络运营者应当每年12月31日前将本年度个人信息出境情况、合同履行情况等报所在地省级网信部门。

  发生较大数据安全事件时,应及时报所在地省级网信部门。

  第十条 省级网信部门应当定期组织检查运营者的个人信息出境记录等个人信息出境情况,重点检查合同规定义务的履行情况、是否存在违反国家规定或损害个人信息主体合法权益的行为等。

  发现损害个人信息主体合法权益、数据泄露安全事件等情况时,应当及时要求网络运营者整改,通过网络运营者督促接收者整改。

  第十一条 出现以下情况之一时,网信部门可以要求网络运营者暂停或终止向境外提供个人信息:

  (一)网络运营者或接收者发生较大数据泄露、数据滥用等事件。

  (二)个人信息主体不能或者难以维护个人合法权益。

  (三)网络运营者或接收者无力保障个人信息安全。

  第十二条 任何个人和组织有权对违反本办法规定向境外提供个人信息的行为,向省级以上网信部门或者相关部门举报。

  第十三条 网络运营者与个人信息接收者签订的合同或者其他有法律效力的文件(统称合同),应当明确:

  (一)个人信息出境的目的、类型、保存时限。

  (二)个人信息主体是合同中涉及个人信息主体权益的条款的受益人。

  (三)个人信息主体合法权益受到损害时,可以自行或者委托代理人向网络运营者或者接收者或者双方索赔,网络运营者或者接收者应当予以赔偿,除非证明没有责任。

  (四)接收者所在国家法律环境发生变化导致合同难以履行时,应当终止合同,或者重新进行安全评估。

  (五)合同的终止不能免除合同中涉及个人信息主体合法权益有关条款规定的网络运营者和接收者的责任和义务,除非接收者已经销毁了接收到的个人信息或作了匿名化处理。

  (六)双方约定的其他内容。

  第十四条 合同应当明确网络运营者承担以下责任和义务:

  (一)以电子邮件、即时通信、信函、传真等方式告知个人信息主体网络运营者和接收者的基本情况,以及向境外提供个人信息的目的、类型和保存时间。

  (二)应个人信息主体的请求,提供本合同的副本。

  (三)应请求向接收者转达个人信息主体诉求,包括向接收者索赔;个人信息主体不能从接收者获得赔偿时,先行赔付。

  第十五条 合同应当明确接收者承担以下责任和义务:

  (一)为个人信息主体提供访问其个人信息的途径,个人信息主体要求更正或者删除其个人信息时,应在合理的代价和时限内予以响应、更正或者删除。

  (二)按照合同约定的目的使用个人信息,个人信息的境外保存期限不得超出合同约定的时限。

  (三)确认签署合同及履行合同义务不会违背接收者所在国家的法律要求,当接收者所在国家和地区法律环境发生变化可能影响合同执行时,应当及时通知网络运营者,并通过网络运营者报告网络运营者所在地省级网信部门。

  第十六条 合同应当明确接收者不得将接收到的个人信息传输给第三方,除非满足以下条件:

  (一)网络运营者已经通过电子邮件、即时通信、信函、传真等方式将个人信息传输给第三方的目的、第三方的身份和国别,以及传输的个人信息类型、第三方保留时限等通知个人信息主体。

  (二)接收者承诺在个人信息主体请求停止向第三方传输时,停止传输并要求第三方销毁已经接收到的个人信息。

  (三)涉及到个人敏感信息时,已征得个人信息主体同意。

  (四)因向第三方传输个人信息对个人信息主体合法权益带来损害时,网络运营者同意先行承担赔付责任。

  第十七条 网络运营者关于个人信息出境安全风险及安全保障措施分析报告应当至少包括:

  (一)网络运营者和接收者的背景、规模、业务、财务、信誉、网络安全能力等。

  (二)个人信息出境计划,包括持续时间、涉及的个人信息主体数量、向境外提供的个人信息规模、个人信息出境后是否会再向第三方传输等。

  (三)个人信息出境风险分析和保障个人信息安全和个人信息主体合法权益的措施。

  第十八条 网络运营者违反本办法规定向境外提供个人信息的,依照有关法律法规进行处理。

  第十九条 我国参与的或者与其他国家和地区、国际组织缔结的条约、协议等对个人信息出境有明确规定的,适用其规定,我国声明保留的条款除外。

  第二十条 境外机构经营活动中,通过互联网等收集境内用户个人信息,应当在境内通过法定代表人或者机构履行本办法中网络运营者的责任和义务。

  第二十一条 本办法下列用语的含义:

  (一)网络运营者,是指网络的所有者、管理者和网络服务提供者。

  (二)个人信息,是指以电子或者其他方式记录的能够单独或者与其他信息结合识别自然人个人身份的各种信息,包括但不限于自然人的姓名、出生日期、身份证件号码、个人生物识别信息、住址、电话号码等。

  (三)个人敏感信息,是指一旦被泄露、窃取、篡改、非法使用可能危害个人信息主体人身、财产安全,或导致个人信息主体名誉、身心健康受到损害等的个人信息。

  第二十二条 本办法自 年 月 日起实施。