Page 9 - The South China Business Journal
P. 9
the relevant industry regulator, who will • Risks to national security, social and public interests, as well as
then conduct a security review if any of three individual lawful interests.
defined situations apply:
Mandatory Blocking of some Overseas Transfers
• The aggregated data contains the personal
information of more than 500,000 individuals;11 The draft of the security measure cited the conditions that
would prohibit overseas transferring of cross-border data.14 These
• The data contain information on certain measures include:
matters relating to National Security or
information concerning cybersecurity such • The cross-border transfer is in violation of relevant laws,
as security vulnerabilities or specific security regulations or rules;
measures of key information infrastructures;
• The data subject has not been approved for cross-border
• ‘Other information likely to affect National transfer;
Security, plus societal and public interest’.
• The transfer will damage public and national interests;
The draft’s requirement of individual industry
regulators to carry out security assessments • It will endanger national security interests;
increases the fear that these security reviews
may be applied unequally across industries, thus • Any other reason that the Cyberspace Administration of China
potentially posing further hurdles for companies (CAC), Ministry of State of Security deem necessary.
whose products or services overlaps into
different areas.12 Each of the above conditions will vary according to different
industries and will be at the discretion of the industry regulators.15
Factor Involved In a Security Assessment The American Chamber and other Foreign Chambers in
China were concerned about the vagueness of the draft for the
The current draft provides details regarding Cybersecurity Law. They contacted the proper authorities and
the assessment of cross-border data (either asked for clarification and elaboration on a few key points drafted
done by a network operator or industry in April for the Cybersecurity Law. However, the law was passed on
regulator) with its focus on:13 June 1st, 2017, with the details regarding the law remaining unclear
from a foreign company standpoint. If your company is unsure
• The legitimacy, property and necessity for of what step to take next for staying compliant with the new law,
cross-border transfers; we recommend contacting a cybersecurity consultant or lawyer
specialized such as Dr. Michael Tan, Partner of TaylorWessing
• Personal information involved, including (Shanghai) for professional advice. Dr. Tan was our guest speaker
the volume, scope, type, data’s security, and last month at our AmCham cybersecurity event.■
whether the data subject has been approved;
CN Care Cyber Cloud Ltd.
• The importance of the data involved,
including its volume, scope and type; B4-B6, 15/F, Block B
Nanfang Securities Building
• The security protection capabilities and No. 2016 Jianshe Road
measures taken by the data recipient, and the Luohu District, Shenzhen
environment of the nation/region where the
recipient of the data is located; 14 Ibid.
15 Ibid.
• Gauging whether there is risk of the data
being leaked, damaged, interfered with, or
changed after the cross-border data transfer or
subsequent transfers thereafter;
11 The April 2017 draft of the Draft Security Measures in-
cluded an additional category in instances where the volume
of the data exceeded 1,000 GB. This was removed in the May
2017 draft.
12 Greenleaf G., Livingston S., (2017) 147 Privacy Laws &
Business International Report 9 [2017] UNSWLRS 69. PRC’s
NEW DATA EXPRT RULES: ‘ADEQUACY WITH CHINESE
CHARACTERISTICS’? UNSW Sydney NSW 2052 Australia.
13 Ibid.
South China Business Journal 7
then conduct a security review if any of three individual lawful interests.
defined situations apply:
Mandatory Blocking of some Overseas Transfers
• The aggregated data contains the personal
information of more than 500,000 individuals;11 The draft of the security measure cited the conditions that
would prohibit overseas transferring of cross-border data.14 These
• The data contain information on certain measures include:
matters relating to National Security or
information concerning cybersecurity such • The cross-border transfer is in violation of relevant laws,
as security vulnerabilities or specific security regulations or rules;
measures of key information infrastructures;
• The data subject has not been approved for cross-border
• ‘Other information likely to affect National transfer;
Security, plus societal and public interest’.
• The transfer will damage public and national interests;
The draft’s requirement of individual industry
regulators to carry out security assessments • It will endanger national security interests;
increases the fear that these security reviews
may be applied unequally across industries, thus • Any other reason that the Cyberspace Administration of China
potentially posing further hurdles for companies (CAC), Ministry of State of Security deem necessary.
whose products or services overlaps into
different areas.12 Each of the above conditions will vary according to different
industries and will be at the discretion of the industry regulators.15
Factor Involved In a Security Assessment The American Chamber and other Foreign Chambers in
China were concerned about the vagueness of the draft for the
The current draft provides details regarding Cybersecurity Law. They contacted the proper authorities and
the assessment of cross-border data (either asked for clarification and elaboration on a few key points drafted
done by a network operator or industry in April for the Cybersecurity Law. However, the law was passed on
regulator) with its focus on:13 June 1st, 2017, with the details regarding the law remaining unclear
from a foreign company standpoint. If your company is unsure
• The legitimacy, property and necessity for of what step to take next for staying compliant with the new law,
cross-border transfers; we recommend contacting a cybersecurity consultant or lawyer
specialized such as Dr. Michael Tan, Partner of TaylorWessing
• Personal information involved, including (Shanghai) for professional advice. Dr. Tan was our guest speaker
the volume, scope, type, data’s security, and last month at our AmCham cybersecurity event.■
whether the data subject has been approved;
CN Care Cyber Cloud Ltd.
• The importance of the data involved,
including its volume, scope and type; B4-B6, 15/F, Block B
Nanfang Securities Building
• The security protection capabilities and No. 2016 Jianshe Road
measures taken by the data recipient, and the Luohu District, Shenzhen
environment of the nation/region where the
recipient of the data is located; 14 Ibid.
15 Ibid.
• Gauging whether there is risk of the data
being leaked, damaged, interfered with, or
changed after the cross-border data transfer or
subsequent transfers thereafter;
11 The April 2017 draft of the Draft Security Measures in-
cluded an additional category in instances where the volume
of the data exceeded 1,000 GB. This was removed in the May
2017 draft.
12 Greenleaf G., Livingston S., (2017) 147 Privacy Laws &
Business International Report 9 [2017] UNSWLRS 69. PRC’s
NEW DATA EXPRT RULES: ‘ADEQUACY WITH CHINESE
CHARACTERISTICS’? UNSW Sydney NSW 2052 Australia.
13 Ibid.
South China Business Journal 7