Presentation by Jing Di at APRICOT 2018 on Tuesday, 27 February 2018.

1. - - - -
- - -
- - -
APRICOT 2018
APNIC 45
Jing Di
China Academy of Information and Communications Technology
(CAICT)
February, 2018

2. CONTENTS
01 .
02 & ) .
03 04 & (
05 ( .
06 & -

3. () ) ) ( - - -
0

4. -. , ,, -. , ,,
,
. , . , ,
UN: United Nations
OECD: Organization for Economic Co-operation and Development
EU: European Union
Different Expressions

5. ( E 89 9C D 9
0 D9 D 0 F H 8
2 C 89 ) GC
09 C D
. . .- . - .-
.
. 2
. - . - .
, - . - .-
.
1 C
9 - 9 E
. - - .- . .
., .,, - .- ,
Definitions of Cross-Border Data Flow
2 9 F9 9 D 9 9 8 9 8 D CC D 89 C
D E D 9 , D9 9D 8 D CHCD9 C

6. - - - 2 -
0 00

7. The cross-border flow of specific data is strictly prohibited
u '
u ' '
u ''
Country Act Core Content
Russia Federal Law on Information, Information
Technologies, and Information Protection
Information of Russian citizens must be
stored in Russia.
Australia Australian Government Policy and Risk
management guidelines for the storage
and processing of Australian Government
information in outsourced or offshore ICT
arrangements
Government data with higher security
levels cannot be stored in any offshore
public cloud databases, and must be
stored in private cloud databases with
higher security protocols
Korea Act on the Promotion of Information and
Communications Network Utilization and
Information Protection
Communication service providers should
take necessary matures to prevent the
flow of important information about
industry, economy, science and
technology to foreign countries through
the Internet
China Law of the People's Republic of China on
Guarding State Secrets
Prevent data that contains state secrets
flowing out of China

8. u ,
u , , - , ,
- ,
u - ,
, , - ,
u ,
Transmission safety evaluation of cross-border data flows
The consent of
data subject
Safety risk
assessment and
certification for
cross-border data
Full and effective
protection
measures of data
receiving countries
Data transmission
, - , -

9. u , , - ,, - -
,
u ,, , ,, - , - , ,
u , , ,
u , ,
, , , ,
Backup of cross-border data flows in the internal area
, : , ,
, , : , , ,- , ,

10. . - 0 33
. 0 0 -0
0

11. U.S.
EU
u A 0, 0 1 , 0.3 2
u 0. :0 , , , , : ,. , -
0 1 . : 0
u . ,20 . - 0 , , 1 A ,
:: 0 1 0 2 2 0 0 0, 0
: 0 0
u 0. 30 1 A 1 :0 , . - 0 , , - .
02 ,
u "', , 0. ' 0. 0” . 0 0 0 -0
, 0 3 0 0 3, 3 . 0 : 0
, 0 , 0 : 0. 1 :0 , , , , 10 0
30 : .0 , . : A 3 30 0 . ,A
, 02 , :0. 1 0 30 0. 0
u “', , 0. ' 0. 0” . 0 0 1 :0 ,
, , 0. : 0. 0, 0 ,50 - 3
. 0 0 00 “, 0 , 0 : 0. 0 0 ”
, , 0 -0 , 0 3 ,50 0.0 ,
0, 0 : 0 0 , , , -0 2 , 10 0
30 0 . 0 , 30 0 0 0 :
“Safe Harbor” Phase (2000.07-2015.10)
Backgrounds

12. u ( D E: A E E: 2" "
E: 2 A CD E AC I
AC E E "
u , AC C DD C C E E
AC E EC D E E EC "
u DFC C E CAC D D E E E: : : C
AC E E DE C D E: 2 D D E E:
D D A : D D E: E : AE C
E "
u , C D E: AE E CAC D D D A
: CD C FC A E AC E E C F E CD
D E C : D"
u - CD: A C E D D: F C F E I E:
C 1C ( DD 1( 2 E E E D
) A CE E 1C DA CE E ).1 "
u C D A E: E: “D AC A D”.
u ' C CI E:D E BF E
AC E E ” DE C “) E C E E ) C E ”.
u F D: E E C E: CE E
AF D: E: A I D E CED DF EE E E: 1(
E E D"
“Safe Harbor” Phase (2000.07-2015.10)

13. u 20 0 3 0 A A 6
A 6 A 3 A “.05 0 1 ”
C0 3 0 3 06 A 0 A 1 6 3
u , A 60A A 03C 55 2A A 0 0A 0 A 2
A 03 0 3 2 1 3 2 2 A
0 3 1 A . 0 3
u .2 0 A 0 5 3
0 2 0 02A 0 A 02 1 A 30A0
A 2A 6 0A - -2A 1
0 A 5 A 2 0 2 3 A
“.05 0 1 ” C0 3
Transition Phase (2015.10-2016.02)

14. Transition Phase (2015.10-2016.02)
Standard contract terms mentioned in “Data Protection Directive”
u - , , , , , . , "
, " , , , , ,
, , - - , ,
. . , ,
-, ,
u , , - “
, , ,”.
u . - , , ,
, , , , , , ,
, ,- , , , , ,- ,
,.
u , , , - . . ,
u , , ,. --, , , -
, - --, , ,

15. Transition Phase (2015.10-2016.02)
Binding business rules (Article 29 Working Group, 2003)
u - “ ”
u -
- -
- - -
u -
- -
u - -
- -
“ - ”
u - - .
u -
-

16. u A A7
“- ”
u .7 A A -
A D A
- D
u , C A C A
A C A7 . A A
. ( C A A , A 7 A
7 A A D D A E
A E A
u , C E -7 A
“- ”
u .D AA 7 A A A7
A A AA - A A
u C AA A7 . . A
( A A7 A7 -A A
A7 A A A A A A
) A
EU-U.S. Privacy Shield and Umbrella Agreement Phase
(2016.02-Now)
EU-U.S. Privacy Shield (2016.02.02)

17. u ,
. ,
u ., , ,
- . ,
, , .
.. .
, , , , , ,
, , .
u , ,
u , ,
u , ,
u , , , , , ,
u . - , , ,
u , , . ., , . ,
EU-U.S. Privacy Shield and Umbrella Agreement Phase
(2016.02-Now)
EU-U.S. Umbrella Agreement (2016.12.01)

18. 0 0 0
-
0 0 4

19. Management of International Organizations
Time Organization Name Core Proposition
2017.09 EC (European
Commission)
Regulation on the free
flow of non-personal data
It includes principles of free flow of cross-border non-
personal data, data availability principles for regulatory
control , the perfection of EU codes of conduct, etc.
2017.02 GSMA (Global mobile
communication
systems association)
Mobile Economy 2017 Countries need to coordinate each other's privacy and
personal data protection rules to build accountability
mechanisms to ensure efficiently and adequate flow of
cross-border data, thus promoting the prosperity of the
digital economy.
2017.01 B20 (Business20) Key Issues for Digital
Transformation in the G20
Take a positive view of cross-border data flows, and
take the necessary measures to lower barriers to cross-
border data flows to unleash the potential of digital
economic ; places high importance on data protection
to promote global connectivity.
2016.04 EC (European
Commission)
GDPR (General Data
Protection Regulation , to
be implemented in May,
2018)
It has inherited “Directive on the protection of
individuals ”, and increases consumers’ confidence in
online services and e-commerce by giving EU citizens
the basic rights to protect individual information.
2016.04 UNCTAD (United
Nations Conference
on Trade and
Development)
Data protection
regulations and
international data flows:
Implications for trade and
development
The key to addressing the problem of cross-border data
flow is using special documents and establishing more
mechanisms. Data protection legislation should not be
a new obstacle to trade and innovation.

20. Management of International Organizations
Time Organization Name Core Proposition
2013.07 OECD
(Organization for
Economic Co-
operation and
Development)
OECD Guidelines on the
Protection of Privacy and
Trans-border Flows of
Personal Data
It suggests member states to implement data transmission
constraints that are compatible with data transmission
privacy risks, and take sensitivity of personal data and the
purpose and content of data processing into consideration as
well.
2011.11 APEC (Asia-
Pacific Economic
Cooperation)
CBPR (Cross-Border
Privacy Rules)
The level of privacy and information protection of businesses
should be authenticated and published by
and publishes by evaluation institutions . Businesses in this
system can exchange their data freely.
2008.04 SPP (Security
and Prosperity
Partnership (of
North America))
the Statement on the
Free Flow of Information
Sustained economic growth depends on the free flow of
cross-border information and the promotion its applications in
trade and commerce in transparent law, policy and
regulatory environment.
2005.11 APEC (Asia-
Pacific Economic
Cooperation)
APEC Privacy
Framework
Remove barriers to information flows through privacy
protection to ensure sustainable trade and economic growth
in the Asia-Pacific region.

21. 0

22. Opportunities and Challenges
-
u , , , - ,
u , , , , ,
. , .
,-- ,
u , ., . , , , .
, ,? , , , - ,
,
u . , - , .
. . ,
Opportunities
’
- -
u , , . , ’ , , , , , ,
, , - , ,
,
Challenges
-
u - , , , , ,
, , - , , , - ., , ,
- , , , , , , ,
- -
u , , ., , , - , ,
à - , , -, à
, , à -

23. 0

24. 01
02
03
u , . . . - , , , , , , ., , ,
, , , , , ., ,
u .. . , , , , , ,
u - ., , , . . , , . .
, , , -
u , . . ,. , , .
, , . , . , , .
, , , . , .
Improve the Management of Cross-Border Data Flow

25. 01
02
03
u / /
u /-
04
u -
u / - / /
u /
u - / / -
u / / /
u / - /
u / / / / / /
/ /
u - / / /
/ / -
u / - / / / / / / / -
/ / / /- / - /
/ / - /- /
Improve Domestic Legislation and Establish
Specialized Regulatory Agencies

26. 01
02
03
u , 5 0B 2C B 0 0 B B C B , 02
5 0 E 9 B0 30 3 ' B 7 B0 30 3 B BCB ' 0 0 0: 5 0B 2C B
0 0 B B0 30 3
u B01: 7 B 0: 30B0 B 2B B
u B01: 7 0 7 B 20B 3 30B0 B 2B B
u , B 0B 0: 5 0B 2C B 0 0 B B 2 B 5 20B
u / B 0 0:C0B 0 3 /0: 30B 27
Establish Industry Self-Discipline System to Assure
Enterprises to Protect the Personal Data

27. 01
02
03
u A C
u - A A
( ( ( ) ( ) -
) (
( ( (- ) ) )
) ) ( ) )
- ( ) )
- -
04
u E A A C C
A
u A A E
E A A C , A
, A ' A C .
u D A
u A C A A
u
u A E
Strengthen International Cooperation and Actively
Participate in the Formulation of International Rules