06-12-2022

Regulatory Policies on Blockchain and Outbound Data Transfer

Data security has become the most urgent and fundamental security issue in the era of the digital economy. With the widespread application of big data, cloud computing, artificial intelligence, the Internet of Things and other technologies, the volume of data is growing exponentially. Data has become an important factor of production, and its value is increasingly prominent. On 31 March 2021, the Beijing International Big Data Exchange was established, followed by the Shanghai Data Exchange on 25 November 2022. China is working towards a nationally integrated data center to encourage the use of data. Meanwhile, however, the opaque nature of the process of collecting and sharing big data makes it difficult to trace and account for data abuse, data leakage, data monopoly and other problems. Blockchain, with its decentralized, transparent and immutable characteristics, can record data access and sharing, and provide technical support for addressing data insecurity and monopoly issues. This article focuses on China’s regulatory policies on blockchain and outbound data transfer.

China’s Blockchain Regulatory Environment

Blockchain is not cryptocurrency per se, but a distributed ledger technology for storing data and programming smart contracts. It differs from a centralized database in that data is stored on multiple nodes across the world. While blockchain applications in cryptocurrency-related businesses are banned in China, China encourages the research and exploration of blockchain technology applications in finance and the real economy.

In general, the Civil Code and the Criminal Law can regulate various transactions and business on the blockchain to promote orderly development of the blockchain industry. The Cybersecurity Law guarantees the operating environment and data security on the blockchain. The Cryptography Law regulates the application and management of cryptography on the chain. The Electronic Signatures Law regulates the behavior of electronic signatures on the chain.

In 2018, the Information Center of the Ministry of Industry and Information Technology released the White Paper on China's Blockchain Industry, indicating that blockchain applications in China are diversified, covering a wide range of fields such as finance, securities, insurance, copyright protection, electronic evidence, healthcare, and the Internet of Things. It also points out that the blockchain industry still faces compliance risks and technical risks, and that projects such as illegal fundraising through blockchain and possible 51% attacks should be treated with caution.

The 2019 Blockchain Information Service Management Regulations aim to encourage stronger self-regulation in the blockchain industry and to clarify the obligations of blockchain information service providers and users. Blockchain information service providers shall be responsible for security management, be equipped with technology appropriate to their services, enter into service agreements with blockchain service providers, and require users to authenticate their real identity information, etc.

The current legal system in China can, to a certain extent, resolve questions about how the law applies to blockchain. Considering that blockchain is in a stage of rapid development, it is crucial to improve the legal framework for blockchain and strengthen blockchain-related legislation.

Outbound Data Transfer

Data was first recognized as a civil right and interest under the Civil Code. Data rights and interests include not only the original data itself, but also the data products that result from the reasonable processing of the data. Traditionally, data is stored in a centralized database, which is vulnerable to attacks, making its security difficult to guarantee. By using blockchain’s digital signatures, consensus mechanisms, smart contracts and other technologies, a secure and credible data governance system can be established, and the transmission, use, transaction and revenue of data can be recorded and managed with traceability.

When an enterprise uses blockchain to store and transfer information, or uses smart contracts to complete transactions, it may, due to management needs, provide the business data, user information of products or services, employee information, financial data, etc. collected or generated within the territory to its overseas headquarters, affiliates or other third parties, or transmit the name, nationality, address, contact information, etc. of the customer counterpart to the recipient due to procurement or contract performance needs. Considering that the regulation of data security and offshore transmission will be stringent, enterprises that need to transmit or provide on-chain data outbound shall establish a data security compliance mechanism and pay attention to the development of relevant laws and regulations.

Pursuant to the Cybersecurity Law, operators of critical information infrastructure that need to provide personal information and important data outside China for business needs (regardless of the quantity) shall initiate a data outbound security assessment. Pursuant to the Personal Information Protection Law, a personal information processor that is required to provide personal information outbound should go through a security assessment and personal information protection certification, and enter into a contract with the overseas recipient in accordance with the standard contract formulated by the competent authority.

Pursuant to the Outbound Data Transfer Security Assessment Measures, outbound activities include the transfer or storage outside of China of relevant data collected or generated by data processors within the territory of China; and data that, while collected and stored within the territory of China, can be visited or accessed by overseas entities.

When a data processor is to provide important data outbound, a government-led security assessment will be required in the following cases:

  1. Outbound transfer of important data by data processors;
  2. Outbound transfer of data by critical information infrastructure operators;
  3. Outbound transfer of data by personal information processors who process personal information of 1 million or more persons;
  4. Outbound transfer of data by personal information processors who have, in aggregate, transferred overseas the personal information of 100,000 or more persons or the sensitive personal information of 10,000 persons or more since January 1 of the previous year.

Prior to the government-led security assessment, data processors shall conduct a self-assessment to verify whether they have entered into binding contracts for the outbound data transfer and agreed on the data security protection obligations and responsibilities.

For compliance purposes, it is recommended that entities storing or transmitting their data on the blockchain take measures such as (i) classifying outbound data; (ii) periodically self-assessing the transmission of data outbound; (iii) granting offshore access only to the minimum necessary extent; and (iv) preparing compliant protocols for outbound data transfer in advance.

Key contacts

Li Jiao

Partner | Lawyer
+86 (0)21 60836813

Jan Holthuis

Partner | Lawyer
+86 (0)21 61730388
