
Notice of the State Internet Information Office on the “Personal Information and Important Data Exit Safety Assessment Approach (Draft)” for public comment

To protect the security of personal information and important data, safeguard cyberspace sovereignty, national security and the public interest, and promote the free and orderly flow of network information according to law, our office, together with relevant departments, has drafted the “Personal Information and Important Data Exit Safety Assessment Approach (Draft)” in accordance with the “National Security Law of the People’s Republic of China,” the “Network Security Act of the People’s Republic of China” and other laws and regulations, and now solicits comments from the public. Units and members of the public may submit comments by 11 May 2017 in the following ways:

First, by letter, with comments sent to: Network Security Coordination Bureau, National Internet Information Office, Chaoyang Dajie No. 225, Dongcheng District, postal code 100010, with “comments” indicated on the envelope.

Second, by e-mail to: security@cac.gov.cn.

Attachment: Personal Information and Important Data Exit Safety Assessment Approach (Draft)

 

National Internet Information Office

April 11, 2017

Personal Information and Important Data Exit Safety Assessment Approach

(Draft)

Article I This approach is formulated in accordance with the “National Security Law of the People’s Republic of China,” the “Network Security Law of the People’s Republic of China” and other laws and regulations, in order to protect the security of personal information and important data, safeguard cyberspace sovereignty, national security and the public interest, and protect the legitimate interests of citizens, legal persons and other organizations.

Article II Personal information and important data collected and generated by network operators in the course of operating within the territory of the People’s Republic of China shall be stored within the territory. Where, due to business needs, such data must be provided outside the territory, a safety assessment shall be carried out in accordance with this approach.

Article III Data exit safety assessment shall follow the principles of fairness, objectivity and effectiveness, protect the security of personal information and important data, and promote the orderly and free flow of network information according to law.

Article IV Where personal information is to leave the country, the purpose, scope, content, recipient and the recipient’s country or region shall be explained to the subject of the personal information, and the subject’s consent obtained. The exit of personal information of minors is subject to the consent of their guardians.

Article V The national network and information department coordinates outbound data security assessment work and guides the competent industry or regulatory authorities in organizing outbound data security assessments.

Article VI The competent industry or regulatory authorities are responsible for outbound data security assessment in their industry, and regularly organize outbound data security checks for their industry.

Article VII Before data leaves the country, network operators shall organize their own outbound data security assessment and are responsible for the assessment results.

Article VIII Data exit safety assessment shall focus on the following:

(1) the necessity of the data exit;

(2) where personal information is involved, the quantity, scope, type and sensitivity of the personal information, and whether the subject of the personal information has consented to its exit;

(3) where important data is involved, the quantity, scope, type and sensitivity of the important data;

(4) the security measures, capability and level of the data recipient, and the network security environment of the recipient’s country or region;

(5) the risk of the data being leaked, damaged, tampered with or abused after exit and onward transfer;

(6) the risks that data exit and the aggregation of outbound data may pose to national security, the public interest and the legitimate interests of individuals;

(7) other important matters that need to be assessed.

Article IX Where outbound data falls under any of the following circumstances, the network operator shall report to the competent industry or regulatory authority, which shall organize a security assessment:

(1) the personal information contained, or contained in total, exceeds 50 million;

(2) the volume of data exceeds 1000GB;

(3) it contains data on nuclear facilities, chemistry and biology, national defense, population health and other fields, or data on large-scale engineering activities, the marine environment and sensitive geographic information;

(4) it contains system vulnerabilities, network security and other safety information about critical information infrastructure;

(5) operators of critical information infrastructure provide personal information and important data outside the territory;

(6) other circumstances that may affect national security and the public interest and that the competent industry or regulatory authorities believe should be assessed.

Where the competent industry or regulatory authority is not clear, the assessment is organized by the national network and information department.

Article X A safety assessment organized by the competent industry or regulatory authority shall be completed within sixty working days, with the results promptly fed back to the network operator and reported to the national network and information department.

Article XI In any of the following cases, the data may not leave the country:

(1) the exit of personal information has not been consented to by the subject of the personal information, or may infringe on personal interests;

(2) the data exit poses security risks to the country’s politics, economy, science and technology, national defense and so on, and may affect national security or harm the public interest;

(3) other cases in which the network and information department, police departments, security departments and other relevant departments have determined that the data may not leave the country.

Article XII Network operators shall, based on business development and network operations, conduct an outbound data security assessment at least once each year, and promptly report the assessment to the competent industry or regulatory authorities.

When the data recipient changes, when there is a significant change in the purpose, scope, quantity, type, etc. of the data exit, or when a major security incident occurs involving the data recipient or the outbound data, a security re-assessment shall be carried out in a timely manner.

Article XIII Where data is provided outside the territory in violation of relevant laws and regulations and this approach, any individual or organization has the right to report it to the national network and information department, police departments and other relevant departments.

Article XIV Violations of these rules shall be punished in accordance with relevant laws and regulations.

Article XV Where the government of China has signed agreements on data exit with other countries and regions, the provisions of those agreements shall be followed.

Information involving state secrets shall be handled in accordance with the relevant regulations.

Article XVI Outbound security assessment of personal information and important data collected and produced by other individuals and organizations within the territory of the People’s Republic of China shall be carried out with reference to this approach.

Article XVII The following terms in this approach have the following meanings:

Network operators refers to network owners, network managers and service providers.

Outbound data refers to the provision, by network operators, of personal information and important data collected and generated in the course of operating within the territory of the People’s Republic of China to institutions, organizations and individuals located outside the territory.

Personal information refers to various information, recorded electronically or otherwise, that can be used alone or in combination with other information to identify a natural person, including but not limited to a natural person’s name, date of birth, ID number, personal biometric information, address and phone numbers.

Important data refers to data closely related to national security, economic development, and social and public interests; for the specific scope, refer to the relevant national standards and important data identification guides.

Article XVIII This approach shall be implemented as of its 2017 implementation date.

In the original Chinese:

http://www.cac.gov.cn/2017-04/11/c_1120785691.htm

 
