Internet service providers in China will be put under tighter scrutiny when they handle overseas transfers of personal information, according to a draft regulation of the Cyberspace Administration of China.
The introduction of the regulation, tentatively called the Assessment Regulation on the Security of Personal Information’s Overseas Uses, is intended to better safeguard internet users’ rights, national security, public interests and cyberspace sovereignty, the administration said in a statement on June 13, while calling for opinions and suggestions to improve the draft.
Based on the Network Security Law, the draft requires internet service operators to conduct security screening on personal information gathered in their operations within Chinese borders. Any transfer of information that is likely to affect national security, public interests or personal information security is banned by the document.
The draft regulation stipulates that internet service providers must submit the result of the screening to provincial-level cyberspace departments. Operators will also be ordered to provide their contracts with overseas recipients of personal information.
Provincial-level cyberspace authorities will scrutinize the material submitted by operators and check whether their overseas businesses are law-abiding, whether their contracts are capable of protecting personal information and whether the personal information they handle is legitimate. They will also check whether they have poor records concerning personal information operations or have had major cybersecurity incidents.
Internet service providers handling personal information will need to set up a database of their overseas business records, and keep such records for at least five years, according to the draft regulation.
The records will include the identity, contacts and addresses of overseas recipients, the types, quantities and the level of sensitivity of the information to be transferred, and other content selectively required by cyberspace authorities, the draft says.
Cyberspace departments will have the power to request operators suspend or stop the transfer of personal information to overseas parties if there is a massive leak or abuse of the information, or if the information is considered at risk.
Hong Yanqing, a researcher on cyberspace operations at Peking University, said that leaking, illegal transfer or misuse of personal information are all highly prone to personal and asset security breaches and therefore must be handled in a secure and appropriate manner.
Li Jianling, a senior researcher on cybersecurity at the Ministry of Public Security, said information is not only a commercial resource but also a national strategic resource. He said Western nations have paid great attention to the protection of personal information.