- “Data export” refers to the overseas transfer from China of data collected and generated within China, as well as the scenario in which a foreign entity or foreign individual is granted the authority to access any data stored within China.
- The new measures specify the requirements for security assessment, and the thresholds and scope of data that are subject to government security assessment.
- The new measures provide a six-month grace period for compliance.
On July 7, 2022, the Cyberspace Administration of China (CAC) of the People’s Republic of China (PRC or China) released the final version of the long-awaited Measures on Security Assessment for Data Export (Measures, “《数据出境安全评估办法》” in Chinese). The Measures specify the thresholds of data and information, the export of which is subject to CAC’s security assessment. The Measures will come into effect on September 1, 2022, and they grant a grace period of six months from the effective date of the Measures for a data processor to rectify data exports that occurred prior to September 1, 2022, but were not in compliance with the requirements of the Measures. This means that data processors whose cross-border transfer activities meet the thresholds of the security assessment under the Measures must file with the CAC for a government security assessment no later than March 1, 2023. Companies in China that are currently exporting important data and/or personal data outside of China should take immediate action to assess whether their cross-border data transfer meets any of the thresholds of the Measures discussed in Section I of this alert.
Security assessment for data export, which has been addressed at a high level in the Cybersecurity Law (effective from June 1, 2017, see our previous alert), the Data Security Law (effective from September 1, 2021, see our previous alert) and the Personal Information Protection Law (effective from November 1, 2021, see our previous alert), requires that Critical Information Infrastructure (CII) operators and data processors who handle personal information exceeding a certain threshold must pass a security assessment by the CAC before exporting certain data and personal information. The Measures establish the legal regime on security assessment for data export and will have a significant impact on business operators in China that process and export important data or certain quantities of personal information overseas.
I. Scope of Application of the Measures
A security assessment is required before a data processor exports data overseas if it has any of the following circumstances:
The circumstances, with definitions and observations for each, are:

1. When a data processor exports any important data

   The Measures broadly define “important data” as “data that may endanger national security, economic operation, social stability, public health and safety once it is tampered with, destroyed, leaked, or illegally obtained or used.”

   The concept of important data was first raised in the Cybersecurity Law, under which network operators in China are required to categorize data and formulate backup and encryption measures for the protection of “important data.”

   The Data Security Law further requires that business operators that process “important data” must appoint a responsible person and establish a specific internal department for important data protection, carry out risk assessments on a regular basis and report the risk assessment results to the competent authorities.

2. When a critical information infrastructure (CII) operator exports any personal information

   CII refers to important network facilities and information systems in important industries and fields, such as public communication and information service, energy, transportation, water resources, finance, public services, e-government affairs, science, technology and industry for national defense, as well as other important network facilities and information systems of which destruction, loss of function and data divulgence may seriously endanger national security, people’s livelihoods and public interests.

   CII operators fall within a narrower set of data processors that operate critical information infrastructure as defined above.

3. When a data processor that processes personal information of one million individuals or more exports any personal information

   This scenario targets a data processor that processes personal information of one million individuals or more during its operation, such as large internet platforms and app operators.

   Regardless of how many individuals’ personal information will be exported, if the data processor processes personal information of at least one million individuals, any export of personal information by the data processor is subject to security assessment.

4. When a data processor that has, since January 1 of the previous year, cumulatively exported personal information of more than 100,000 individuals, or sensitive personal information of more than 10,000 individuals, exports any personal information

   This scenario targets a data processor based on the number of individuals whose personal information or sensitive personal information has been exported by the data processor within a certain period of time.

   “Sensitive personal information” refers to personal information of which leakage or unlawful use may lead to discriminatory treatment or serious damage to personal or property safety, including race, ethnicity, religious beliefs, personal biometrics, medical health information, financial accounts and personal whereabouts, as well as personal information of minors younger than 14 years old.

   Hospitals, schools, banks and other organizations that typically process sensitive personal information are more likely to be the focus of this scenario. Multinational companies that have many local employees in China whose personal information and/or sensitive personal information has been shared with offshore headquarters or affiliates since January 2021 might also fall within this threshold.

5. Other circumstances designated by the CAC that require security assessment

   This leaves room for the CAC to introduce other circumstances where it believes a security assessment is necessary.
Please note that data export not only includes the scenario where data collected and generated within the PRC is transferred and stored outside of the PRC but also includes the scenario where a foreign entity or individual is granted the authority to access or use any data stored within the PRC.
II. Procedures for Security Assessment
1. Self-Assessment
Before a data processor applies with the CAC for security assessment on data export, it is required to conduct a self-assessment with a focus on the following aspects:
- the legality, legitimacy and necessity of the purpose, scope and methods of the data export, and the processing of the data by the overseas recipient;
- the scale, scope, type and sensitivity of the data export, and the risks to national security, public interest or the legitimate rights and interests of individuals or organizations, caused by such data export;
- the duties and obligations which the foreign recipient commits to perform, and whether the foreign recipient’s organizational and technical measures and capabilities can guarantee the security of the data export;
- the risks of the data being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the data export, and whether there is a smooth channel for safeguarding personal information rights and interests;
- whether the responsibilities and obligations for data security protection are fully agreed in the relevant contracts or other legally binding documents to be concluded with the foreign recipient (Legal Instrument); and
- other matters that may affect the security of the data export.
2. Government Assessment Requirements and Timeline
a. Submission of Materials
After a data processor completes the self-assessment and before it enters into any formal Legal Instrument with the overseas recipient, if it determines that the proposed data export meets any of the thresholds summarized in Section I above, it shall submit (i) an application letter, (ii) the self-assessment report, (iii) the proposed Legal Instrument, and (iv) any other materials necessary for the security assessment to the relevant provincial level of the CAC (Provincial CAC).
b. Timeline
The Provincial CAC has up to five working days to review the application documents and determine whether they are complete. Once the documents are accepted as complete, the Provincial CAC will forward them to the national-level CAC. The CAC has up to seven working days to review the application documents, determine whether to accept the application, and issue a written notice to the data processor. The CAC will complete the security assessment within 45 working days from the date of issuing the written notice of acceptance to the data processor.
As such, the total government security assessment review period is 57 working days if the application documents are complete and acceptable to the CAC. However, the government assessment period may be extended for a reasonable period of time if there are complications or if supplementary or corrected materials are needed. Because there is no explicit limit on the extended period, the CAC has discretion to extend its review and assessment for as long as it believes necessary.
If a data processor disagrees with the assessment results, it may, within 15 working days after receipt of the assessment results, apply to the CAC for re-assessment, and the re-assessment results will be final.
c. Focus of Review
The key factors that the CAC will consider in conducting the security assessment are similar to, but broader than, those for the self-assessment described above. They include the impact of the data security protection policies and regulations and the network security environment of the country or region where the foreign recipient is located, as well as the security of the data to be exported.
3. Other Notable Requirements
The security assessment result is valid for two years. A data processor is also required to re-submit an application for government security assessment in certain circumstances, such as where the cross-border data transfer purpose has changed.
III. Our Observations
The Measures apply equally not only to domestic Chinese companies that export data outside China during cross-border transactions, but also to the transfer or sharing of data by the Chinese subsidiaries of multinational corporations (MNCs) with their overseas headquarters and affiliates within the same MNC group. This happens on a daily basis, as sensitive personal information of employees of the China operations of foreign companies or organizations is transferred to overseas headquarters for HR management purposes, or as information on China-based customers, vendors or distributors is exported for business purposes. MNCs with a presence in China should take the Measures seriously and start reviewing their cross-border data transfer practices as soon as possible with guidance from counsel.
The Measures grant a grace period of six months from the effective date of the Measures (September 1, 2022) for a data processor to rectify data exports that occurred prior to September 1, 2022, but were not in compliance with the requirements of the Measures. We suggest that MNCs that have operations and subsidiaries in China, and that have obtained or have access to important data and/or personal information from China, cause each of their affiliates in China to evaluate, with guidance from counsel, whether its cross-border data transfer is subject to the Measures and the CAC government security assessment by reviewing the following key elements:
1) whether it is a Critical Information Infrastructure (CII) operator;
2) whether it is processing and exporting important data;
3) whether it is processing personal information of one million or more individuals;
4) whether it has transferred personal information of 100,000 individuals or more on a cumulative basis since January 1 of the previous year; and
5) whether it has transferred sensitive personal information of 10,000 or more individuals on a cumulative basis since January 1 of the previous year.
If the data processor in China meets any of the above thresholds, the cross-border transfer of data will be subject to the self-assessment and the CAC government security assessment before the data is transferred outside China.
On the other hand, if and only if none of the thresholds listed above is met, the data processor in China may rely on a data sharing/transfer agreement with the foreign recipient without the CAC government security assessment. Notably, on June 30, 2022, the CAC published the draft Provisions on the Standard Contract for the Cross-border Transfers of Personal Information (Draft Provisions, “《个人信息出境标准合同规定（征求意见稿）》” in Chinese). According to the Draft Provisions, a standard data sharing/transfer contract can be relied upon for the cross-border transfer of data only if a data processor in China does not meet any of the thresholds listed above (discussed in more detail in Section I of this article). The Draft Provisions and an attached draft standard contract set forth the key provisions that must be contained in the standard contract for cross-border data sharing. In addition, the Draft Provisions require a data processor to conduct a personal information protection impact assessment (which is a self-assessment) before it transfers personal information overseas. The Draft Provisions also require the data processor to file both the standard contract and the report of its personal information protection impact assessment with the relevant provincial-level CAC within 10 working days after the standard contract comes into effect. Unlike the government security assessment described in Section II of this alert, this is a filing rather than an approval process with the government authority.
Furthermore, on June 24, 2022, China’s National Information Security Standardization Technical Committee published the Practical Guidelines for Cybersecurity Standards - Specification for Security Certification of Cross-Border Processing of Personal Information (Certification Specification, “《网络安全标准实践指南- 个人信息跨境处理活动安全认证规范》” in Chinese), which took effect on the same date. According to the Certification Specification, which is a national standard rather than a mandatory law or regulation, a certification can be obtained for (i) the cross-border processing of personal information among subsidiaries or affiliates of an MNC or the same economic entity; or (ii) the analysis and evaluation, outside the PRC, of the behavior of Chinese domestic natural persons. As such, if the PRC subsidiary of an MNC does not meet any of the thresholds listed above (Section I of this article), that subsidiary might also apply to obtain security certification from a certification body in China for the cross-border transfer of data with its overseas affiliates according to the requirements of the Certification Specification. However, neither the Certification Specification nor any other published regulation has identified any specific institution that is qualified to conduct such certification.
We will monitor the developments of regulations, implementation rules and guidelines regarding the cross-border data transfer in China, and keep you updated.