CAICT releases 2nd version of the Data Flows Convention

On July 1, CAICT, together with over 80 domestic companies (CAEIT, China Unicom, China Telecom, Alibaba, JD, 360, Didi, 21Vianet, etc.), released the Convention on Self-Discipline in the Data Flow Sector (v2.0), an updated version of Secure Data Flow Industry Convention released on April 27, 2016. The 2nd version of the Convention was drafted by Internet Law Research Center and Data Center Alliance (DCA) under CAICT.
 
According to CAICT, the Convention was established ahead of laws and regulations to help advance the industry, create data flow principles and build a data flow ecosystem. It provides a more detailed definition of data flows and is broken into three main areas, namely “Data Rights and Interests”, “Data Flow” and “Data Applications”. The main takeaways in each category include:
 

  • Data Rights: outlines enterprises' lawful rights and interests over the data they collect, obtain or generate by lawful and justified means, and prohibits enterprises from obtaining or acquiring data illegally; Requests that enterprises grant users the right to choose, acquire, correct, withdraw and delete their personal data.
  • Data Flow: Requires enterprises to conduct risk assessment during data flow and prohibits sharing of data involving national security or public security; encourages adoption of pilot data flow contracts; requests third-party data flow platforms to disclose relevant information without delay.
  • Data Application: Improve risk assessment system during all steps of data flow; encourages enterprises to work towards developing best practices and technical standards, and improve the third-party certification and audit mechanism.