China publishes draft measures regulating cross-border transfer of data

The Cyberspace Administration of China (“CAC”) published the Draft Assessment Measures for Transferring Personal Data and Important Data to Overseas Countries (the “Draft”) on 11 April 2017 to solicit public opinions.

Under the Draft, “Network Operators”, which are defined as the owners or administrators of networks or online service providers, are required to store within the territory of China all personal data and important data that they collect within China. If Network Operators want to transfer such data to overseas countries, they will need to go through security assessments.

While self-conducted security assessments will be sufficient in certain circumstances, Network Operators will be required to apply to the relevant government authorities for a supervised security assessment if (i) the personal data of more than 500,000 individuals is involved; (ii) more than 1000GB data is involved; (iii) the data includes nuclear facilities, chemicobiology, national defence and the military, population health data or includes data relevant to large scale engineering activities, the ocean environment or sensitive geographic information; (iv) the data concerned includes system vulnerability, security protection and other types of cybersecurity information of critical information infrastructure; or (v) it will be a critical information infrastructure operator that transfers personal data or important data to overseas countries.

The Draft also specifies the critical factors to be considered in a security assessment and the circumstances under which no personal data or important data can be transferred to overseas countries.

Compared with the PRC Cybersecurity Law and the other existing regulations on cross-border transfer of data, the scope of this Draft is very broad. If the final version remains unchanged, many organisations might need to re-evaluate and re-design their data hosting plans.

Please click here to read a Law-Now article for more detailed discussion about the Draft.

TC260 publishes the White Paper on Big Data Security Standardisation

The National Information Security Standardisation Technical Committee (“TC260”) published the White Paper on Big Data Security Standardisation (the “White Paper”) on 8 April 2017.

The White Paper provides a general overview of the main regulatory framework of big data in both China and foreign countries, and introduces the undergoing standardisation work for big data security. The White Paper also includes analysis on big data security risks and challenges, as well as examples of big data security projects.

According to the White Paper, TC260 and the National Information Technology Standardisation Committee (“TC28”) will be the leading organisations to formulate big data security standards in China. Currently, around twelve national standards, including “Information Technology—Big Data—Terms” and “Information Technology—Data Transaction Service Platform—Description of Data Transaction”, are being formulated by TC28. TC260 is also in the process of formulating standards including “Information Security Technology—Personal Information Security Specifications”, “Information Security Technology—Big Data Service Security Capability Requirements”, and “Information Security Technology—Big Data Security Management Guidance”. Some of the standards are suggestive, whereas others are mandatory. The standards will further guide the security development of the various big data projects.

Please click here for the full version (Chinese only) of the White Paper.

CSAA hosts forum discussing the security and development of civilian UAVs in China

The Chinese Society of Aeronautics and Astronautics (“CSAA”), together with several major operators in the unmanned aerial vehicles (“UAV”) industry, hosted the China Civilian UAV Security and Development Forum in April. One of the main focuses of the forum was discussing how technologies and self-discipline in the industry can contribute to the security and development of UAVs in China.

One technical measure proposed is to establish a digital platform, through which UAVs manufactured by different manufacturers can connect and share data. The platform can be used to monitor flight, detect risks and manage other aspects of the UAVs and to realise real-time control. Other technical measures discussed include technologies for setting polygonal regions having a no-fly zone, establishing ADS-B broadcasting pre-warning systems and implementing real-name registration systems.

In the national 13th Five-Year Plan for the Development of a Modern and Integrated Transportation System, the development and use of UAVs are specifically encouraged. During the past years, UAVs have been used for package delivery by major e-commerce operators (e.g. JD) on a trial basis. Following the Interim Regulations on the Management of Civilian UAVs, the government is considering formulating more detailed legal requirements based on developmental trends in technology and the rules recognised by industry operators in practice.

China publishes the Draft Cryptography Law

The Office of State Commercial Cryptography Administration published the Draft Cryptography Law (the “Draft Law”) on 13 April 2017 as part of the government’s efforts to strengthen the administration of cybersecurity and national security.

The Draft Law mainly governs the manufacture, sales, export and use of encryption products and technologies, which are classified into three categories: critical, common and commercial. Only critical and common encryption products and technologies can be used to protect national secrets, and are prohibited from being imported to other countries. The sales and use of commercial encryption products and technologies might be subject to licensing requirements. In addition, encryption products and technologies used in critical information infrastructures may be subject to security assessments.

Before the issuance of the Draft Law, there were already existing regulations governing commercial encryption products. After the final version of the Draft Law is published, the existing regulations might be revised and there may be additional implementation rules to guide practice.

Please click here to read the full version (Chinese only) of the Draft Law.

Head over to the lexology site to read the full monthly update http://www.lexology.com/library/detail.aspx?g=bd39dfdc-d291-4419-9c48-f6f218a245c2.