Research On Data Outbound Rules In China

Data has distinctive characteristics in today's world,and has a more natural flow advantage.In the era of globalization,data continues to add value as it flows.In 1980,"Guidelines on the Protection of Privacy and Cross-border Flow of Personal Data" first proposed the meaning of cross-border flow of data,but only personal data was included.The data referred to in this article mainly includes personal information and important data.In recent years,the global cross-border flow of data has grown rapidly.As a large data country,China's cross-border flow of data has brought many benefits and values,but it also highlights worrying risks.Therefore,it is urgent to study the rules of cross-border flow of data."The Cyber Security Law",which came into effect on June 1,2017,is the first comprehensive legislation on cross-border flow of data in China,and it has made clear and unified regulations.Subsequently,its supporting measures were also introduced one after another,forming a "one law,two standards,three methods" data cross-border transfer flow system,and established China's data cross-border flow rules.China's data cross-border flow system is constructed by "the Cyber Security Law" and is supported by other related supporting measures.The main content is to conduct a security assessment for data outbound.Data outbound is regulated in principle by "the Cyber Security Law".The main implementation measures currently include the Personal Information and Important Data Outbound Security Assessment Methods(Draft for Comment)and the Personal Information Outbound SecurityEvaluation Methods(Draft for Comment).The measures were launched on April 11,2017 and June 13,2019,and are currently being sought for comments.The two measures stipulated the exit of personal information and important data in China,but the content was very different after two years.Compared with "the Cyber Security Law",the two have expanded the scope of the obligatory subject of data departure from "operators of critical information infrastructure" to "network operators".In this regard,there is no difference between the two.However,there are some differences in the evaluation subject,evaluation process,key evaluation content,data subject's consent,evaluation cycle and continuous supervision.It can be found that the main changes in China 's existing data outbound rules legislation focus on three aspects.First,the scope of China 's data outbound assessment obligations has expanded.Second,China intends to introduce “Standard contract clauses”.Third,data legislation transforms from the complete localization of data to the emergence of extraterritorial effect.First of all,the "Critical Information Infrastructure Operator" in "the Cyber Security Law" does not specify its specific scope and protection measures,but only authorizes the State Council to stipulate.The State Cyberspace Office issued the "Regulations on the Security Protection of Critical Information Infrastructure(Draft for Solicitation of Comments)",which stipulates the types of network facilities and information systems that should be included in the protection scope of critical information infrastructure.The subject of obligations in the GDPR are data controllers and data processors.And GDPR specifys detailed responsibilities and obligations.Compared with the EU,and taking into account the current legislative needs in China,it is necessary to explore the rationality of the expansion of the subject of data outbound security assessment obligations.Secondly,"Personal Information Outbound Security Assessment Method(Consultation Draft)" emerges the shadow of the "standard contract clauses"."Standard contract clauses" are one of the EU personal data exit paths and have a long history."Standard contract clauses" translate statutory obligations and liabilities stipulated by law into contractual obligations and default obligations,especially into contractual obligations and default obligations of dataparties as third parties.But whether China can introduce "standard contract clauses" into the data outbound rules.Considering China's national conditions,legislation,and judicial environment,it is necessary to make a pros and cons analysis.Thirdly,compared with the "Outbound Security Evaluation Measures for Personal Information and Important Data(Consultation Draft)",the "Outbound Security Evaluation Measures for Personal Information(Consultation Draft)" appears the shadow of extraterritorial effect.Prior to this,China's legislation on data has a clear tendency to localize storage.The measures set out the responsibilities and obligations of overseas personal information recipients,and made a "binding" on the contract,which is an unprecedented innovation compared with the previous legislation.But compared with China,GDPR and the Cloud Act have more obvious extraterritorial effect on data legislation.This article is divided into four chapters to elaborate.The first chapter explains the cross-border flow of data and data outbound.The first section discusses the important position of data outbound in the cross-border flow of data.The content mainly includes determining the concept of data and data cross-border flow,and demonstrating the need to focus on regulating data outbound in cross-border flow of data.The second section discusses the legislative concept and institutional framework of China's data cross-border flow rules.Among them,the legislative concept is the local storage of data,while the institutional framework is based on data outbound.Chapter 2 discusses the content and problems of China's data outbound rules.The first section mainly analyzes the content of China's data outbound rules and discusses the first case of data outbound in China.The second section is to analyze the relevant laws and regulations on data outbound,and summarize the issues that need to be discussed in China's data outbound legislation.The third chapter discusses the legislative changes of China's data outbound rules and reviews them.The first section is about the expansion of the scope of the subject of data outbound obligations.By comparison,it analyzes the legislation of the EU,and then demonstrates the rationality of China's legislation.The second section firstdescribes the initial appearance of the “standard contract clauses” in China's data outbound,then studies the historical evolution and basic logic of the “standard contract clauses” in the EU,and finally introduces “standard contracts clauses” into our country 's data outbound rules,the pros and cons of the terms are analyzed.The third section compares the Cloud Act with the GDPR and discusses the extraterritorial effect of China's data cross-border flow rules.Chapter 4 makes recommendations on the improvement of China's data outbound rules based on the first three chapters.The first is the need to correctly implement the legislative policy of data localization,and to clarify the scope and definition of the main body of data outbound obligations.The definition of "network operator" can refer to the legislative provisions of the GDPR on the concept of data controllers and processors;followed by it is to recommend that the "Standard contract clauses" cannot be introduced blindly,but need to be optimized and designed in Chinese style.Finally,this paper proposes that on the one hand,the externality of the law needs to be improved,on the other hand,the international judicial assistance system must also be changed.It is the only way to promote the signing of bilateral or multilateral agreements in order to continuously exert the guiding force of our country's data rules and realize the cross-border flow of data system dominated by China.