China had held off on publicly releasing several cybersecurity and privacy regulatory measures due to fears of complicating the U.S.-China trade talks. But after the talk stalled in early May, they went out at short intervals. On June 13, the Cyberspace Administration of China released a draft regulation on outbound transfers of personal information that fleshed out the personal information (PI) protection component of the Chinese cybersecurity law.
Notably, the draft adopted a contractual approach to transferring data from domestic network operators to foreign data receivers. According to Dr. Hong Yanqing, an influential scholar of data privacy, this approach draws from the European Union General Data Protection Regulation’s (GDPR’s) binding corporate rules that allow multinational companies to transfer data internationally between their subsidiaries. Both the Chinese and EU regulations emphasized the need for an adequate level of data protection in destination countries and mandated regulatory approval prior to transfer. Yet, there is a difference. Binding corporate rules are more lightweight, an internal code of conduct without obligation to report the current year’s outbound transfers.
Another noteworthy development is a provision to allow the termination of cross-border data transfers if “the contract cannot be implemented due to changes to the legal environment of the country where the recipient is located.” This clause, together with restrictions on onward data transfer to third parties, can be interpreted as a response to extraterritorial data laws such as the U.S. CLOUD Act. The CLOUD Act is supposedly a legislative fix. It cleared the legal grey zone of requesting U.S. firms to turn in data that is stored on overseas servers. Yet, it would constitute a legal overreach if carried out without harmonization with local laws.
A consensus has emerged in China’s cyber policy debate that measures should be in place to counteract the CLOUD Act’s overreach when it comes to the personal information of Chinese citizens. Another opponent of the CLOUD Act, the EU, is working with the U.S. government to streamline law enforcement access to data. If China were to harmonize those legal conflicts, having localization rules in place would serve as leverage in negotiation.
Lastly, the draft cemented the separate treatment of personal information and important data. The latter refers to information that, if leaked, may infringe on national security. An old data localization guideline from April 2017 treated both types of data under one umbrella. Its stringent rules incurred backlashes from foreign businesses and governments. The new draft focused solely on the outbound transfer of personal information, which hinted at a forthcoming twin draft for important data. This separation stands in line with the National People’s Congress’ legislative plan, where a personal information protection law and a data security law are in the pipeline.
However, a few questions remain. The draft imagined a setup of domestic network operator and overseas receiver. In reality, those two entities commonly belong to the same corporate group. It is unclear what the data transfer contract would look like if the transfer takes place between subsidiaries.
The new draft has relaxed its requirements on user consent. In the old guideline, no outbound transfer would be allowed without consent by the personal information subject. An internally circulated draft, reportedly, modified it to “implied consent.” The new draft further reduced user friction. Consent is needed only for the onward transfer of sensitive personal information — a small subset of PI — to third parties. A question is whether this change signifies that China has budged to business lobbying and what other controversial points are up for contestation.
An inconvenient fact often neglected by Western observers is that Chinese firms face data localization burdens as well. They have a massive user base of Chinese expats. And Chinese firms increasingly are looking outward for opportunities to expand, as the wild growth at home brought by internet and mobile penetration has lapsed. Chinese firms would have vested interests in reducing compliance costs, much as their foreign counterparts.
While China is unlikely to steer away from its emphasis on jurisdictional control of data, at the working level we may witness more fruitful engagement with stakeholders. Yet-to-be-finalized items range from the scope of network operators, to the ease of transferring non-personal information, and to technical clarifications on sufficiently de-identified PI.
The new draft on cross-border personal information transfer is a major piece of the puzzle in China’s evolving cyber governance regime. Although in the lines we can smell digital protectionism and jurisdictional control over data, the draft does reveal a robust personal information protection scheme in a rapidly changing cybersecurity environment. For firms, the cost of data localization comes not just from increased operational spending, but also from the prolonged period of policy uncertainty.
Qiheng Chen writes about global tech policy. As a reformed technologist, he is pursing graduate study at the School of International and Public Affairs at Columbia, with a bachelor’s in computer science from Brown. You may follow him at @QihengC.