中国通过期待已久的《数据出境安全评估办法》
07/27/2022Takeaways:
要点:
- “Data export” refers to the overseas transfer from China of data collected and generated within China, as well as the scenario in which a foreign entity or foreign individual is granted the authority to access to any data stored within China.
- "数据出境"是指从中国向境外传输在中国境内收集和产生的数据,以及境外实体或个人被授予访问存储在中国境内的数据的权限的情形。
- The new measures specify the requirements on security assessment and thresholds and the scope of data that is subject to the government security assessment.
- 新《办法》明确了对安全评估的要求和适用情形,以及申报安全评估的数据范围。
- The new measures provide a six-month grace period for compliance.
- 新《办法》规定了六个月的合规宽限期。
On July 7, 2022, the Cyberspace Administration of China (CAC) of the People’s Republic of China (PRC or China) released the final version of the long-awaited Measures on Security Assessment for Data Export (Measures, “《数据出境安全评估办法》” in Chinese). The Measures specify the thresholds of data and information, the export of which is subject to CAC’s security assessment. The Measures will come into effect on September 1, 2022, and they grant a grace period of six months from the effective date of the Measures for a data processor to rectify data exports that occurred prior to September 1, 2022, but not in compliance with the requirements of the Measures. This means that data processors whose cross-border transfer activities meet the thresholds of the security assessment under the Measures must file with the CAC for a government security assessment no later than March 1, 2023. Companies in China that are currently exporting important data and/or personal data outside of China should take immediate action to assess whether their cross-border data transfer meets any of the thresholds of the Measures discussed in Section I of this alert.
2022年7月7日,中华人民共和国国家互联网信息办公室(网信部门)发布了期待已久的最终版《数据出境安全评估办法》(《办法》)。《办法》规定了出境需要经过网信部门安全评估的数据和信息的门槛。《办法》自2022年9月1日起施行,并给予数据处理者自《办法》施行之日起6个月的宽限期,对2022年9月1日以前发生但不符合《办法》要求的数据出境进行整改。这意味着,跨境传输活动达到《办法》安全评估门槛的数据处理者,必须在2023年3月1日前向网信部门申报安全评估。目前向境外提供重要数据和/或个人信息的在中国注册的公司应立即采取行动,评估其跨境数据传输是否符合本文第一节所述的《办法》中的情形。
Security assessment for data export, which has been addressed in high-level detail in the Cybersecurity Law (effective from June 1, 2017, see our previous alert), the Data Security Law (effective from September 1, 2021, see our previous alert) and the Personal Information Protection Law (effective from November 1, 2021 see our previous alert), requires that Critical Information Infrastructure (CII) operators and data processors who are handling personal information exceeding a certain threshold must pass a security assessment by the CAC before exporting certain data and personal information. The Measures establish the legal regime on security assessment for data export and will have significant impact on business operators in China that process and export important data or certain quantities of personal information overseas.
数据出境的安全评估,已在《网络安全法》(自 2017 年 6 月 1 日起生效,请参阅我们之前的文章)、《数据安全法》(自 2021 年 9 月 1 日起生效,请参阅我们之前的文章)和《个人信息保护法》(自 2021 年 11 月 1 日起生效,请参阅我们之前的文章)中进行了概要性的规定,要求关键信息基础设施运营者和处理个人信息达到一定门槛的数据处理者在向境外提供特定数据和个人信息之前必须通过网信部门的安全评估。《办法》确立了数据出境安全评估的法律制度,将对在中国境内处理和向境外提供重要数据或一定数量个人信息的经营者产生重大影响。
I. Scope of Application of the Measures
一、《办法》的适用范围
A security assessment is required before a data processor exports data overseas if it has any of the following circumstances:
有下列情形之一的,数据处理者应当在数据出境前申报安全评估:
| No. | Statutory Circumstances 法定情形 |
Definitions and Observations 定义和我们的观点 |
|---|---|---|
| 1. | When a data processor exports any important data 数据处理者向境外提供重要数据 |
The Measures broadly define “important data” as “data that may endanger national security, economic operation, social stability, public health and safety once it is tampered with, destroyed, leaked, or illegally obtained or used.” 《办法》将“重要数据”宽泛定义为“一旦遭到篡改、破坏、泄露或者非法获取、非法利用等,可能危害国家安全、经济运行、社会稳定、公共健康和安全等的数据”。 The concept of important data was first raised in the Cybersecurity Law, under which network operators in China are required to categorize data and formulate backup and encryption measures for the protection of “important data.” 《网络安全法》首次提出“重要数据”的概念,规定中国的网络运营者应当采取数据分类、数据备份和加密等措施以保护 "重要数据"。 The Data Security Law further requires that business operators that process “important data” must appoint a responsible person and establish a specific internal department for important data protection, carry out risk assessments on a regular basis and report the risk assessment results to the competent authorities. 《数据安全法》进一步要求,处理“重要数据”的经营者必须指定一名负责人,并设立专门的内部部门负责重要数据的保护,定期进行风险评估,并向主管部门报告风险评估结果。 |
| 2. | When a critical information infrastructure (CII) operator exports any personal information 关键信息基础设施(CII)运营者向境外提供个人信息 |
CII refers to important network facilities and information systems in important industries and fields, such as public communication and information service, energy, transportation, water resources, finance, public services, e-government affairs, science, technology and industry for national defense, as well as other important network facilities and information systems of which destruction, loss of function and data divulgence may seriously endanger national security, people’s livelihoods and public interests. 关键信息基础设施是指公共通信和信息服务、能源、交通、水利、金融、公共服务、电子政务、国防科技工业等重要行业和领域的,以及其他一旦遭到破坏、丧失功能或者数据泄露,可能严重危害国家安全、国计民生、公共利益的重要网络设施、信息系统等。 CII operators fall within a narrower set of data processors that operate critical information infrastructure as defined above. 关键信息基础设施运营者的范围较小,是指那些运营上述定义中的关键信息基础设施的数据处理者。 |
| 3. | When a data processor that processes personal information of one million individuals or more exports any personal information 处理100万人以上个人信息的数据处理者向境外提供个人信息 |
This scenario targets a data processor that processes personal information of one million individuals or more during its operation, such as large internet platforms and APP operators. 这种情况针对的是在运营过程中处理100万人以上个人信息的数据处理者,如大型互联网平台和APP运营者。 Regardless of how many individuals’ personal information will be exported, if the data processor processes personal information of at least one million individuals, any export of personal information by the data processor is subject to security assessment. 无论向境外提供多少人的个人信息,处理100万人以上个人信息的数据处理者向境外提供个人信息都应当经过安全评估。 |
| 4 | When a data processor who has, since January 1 of the previous year cumulatively exported personal information of more than 100,000 individuals, or the sensitive personal information of more than 10,000 individuals exports any personal information 自上年1月1日起累计向境外提供10万人个人信息或者1万人敏感个人信息的数据处理者向境外提供个人信息 |
This scenario targets a data processor based on the number of individuals whose personal information or sensitive personal information has been exported by the data processor within a certain period of time. 这种情况针对的是在一定时间内向境外提供个人信息或敏感个人信息达到一定的数量的数据处理者。 “Sensitive personal information” refers to personal information, of which leakage or unlawful use may lead to discriminatory treatment or serious damage to personal or property safety, including race, ethnicity, religious beliefs, personal biometrics, medical health information, financial accounts, and personal whereabouts, etc., including personal information of minors younger than 14 years old. “敏感个人信息”是指一旦泄露或者非法使用,容易导致歧视性待遇或人身、财产安全受到严重危害的个人信息,包括种族、民族、宗教信仰、个人生物特征、医疗健康信息、金融账户、行踪轨迹等信息,以及不满十四周岁未成年人的个人信息。 Hospitals, schools, banks and other organizations that typically process sensitive personal information are more likely to be the focus of this scenario. Also, multinational companies that have many local employees in China whose personal information and/or sensitive personal information have been shared by its offshore headquarters or affiliates during the years following January 2021 might also be included in this threshold. 医院、学校、银行和其他通常处理敏感个人信息的组织,更有可能成为这种情形的关注重点。此外,自2021年1月起,在中国有许多本地员工的个人信息和/或敏感个人信息被其境外总部或关联公司共享的跨国公司也可能被纳入这一情形中。 |
| 5. | Other circumstances to be designated by the CAC that require security assessment 网信部门规定的其他需要申报数据出境安全评估的情形 |
This leaves room for the CAC to introduce other circumstances where it believes a security assessment is necessary. 为网信部门引入其认为有必要进行安全评估的其他情况留下了空间。 |
Please note that data export not only includes the scenario where data collected and generated within the PRC is transferred and stored outside of the PRC but also includes the scenario where a foreign entity or individual is granted the authority to access or use any data stored within the PRC.
需要注意的是,数据出境不仅包括在中国境内收集和产生的数据被传输和存储在中国境外的情况,还包括境外实体或个人获准访问或使用存储在中国境内的数据的权限的情况。
II. Procedures for Security Assessment
二、安全评估程序
1. Self-assessment
1. 自评估
Before a data processor applies with the CAC for security assessment on data export, it is required to conduct a self-assessment with a focus on the following aspects:
数据处理者在向网信部门申请数据出境安全评估前,应当开展数据出境风险自评估,重点评估以下事项:
- the legality, legitimacy and necessity of the purpose, scope and methods of the data export, and the processing of the data by the overseas recipient;
- the scale, scope, type and sensitivity of the data export, and the risks to national security, public interest or the legitimate rights and interests of individuals or organizations, caused by such data export;
- the duties and obligations which the foreign recipient commits to perform, and whether the foreign recipient’s organizational and technical measures and capabilities can guarantee the security of the data export;
- the risks of the data being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the data export, and whether there is a smooth channel for safeguarding personal information rights and interests;
- whether the responsibilities and obligations for data security protection are fully agreed in the relevant contracts or other legally binding documents to be concluded with the foreign recipient (Legal Instrument); and
- other matters that may affect the security of the data export.
2. Government Assessment Requirements and Timeline
2. 政府评估要求和时间表
a. Submission of Materials
a. 材料提交
After a data processor completes the self-assessment and before it enters into any formal Legal Instrument with the overseas recipient, if it determines that the proposed data export meets any of the thresholds summarized in Section I above, it shall submit (i) an application letter, (ii) the self-assessment report, (iii) the proposed Legal Instrument, and (iv) any other materials necessary for the security assessment to the relevant provincial level of the CAC (Provincial CAC).
数据处理者完成自评估后,在与境外接收方签订正式法律文书之前,若拟议的数据出境符合上述第一节中总结的条件,则应提交:(一)申报书;(二)数据出境风险自评估报告;(三)数据处理者与境外接收方拟订立的法律文件;以及(四)省级网信部门安全评估工作需要的其他材料。
b. Timeline
b. 时间表
The Provincial CAC has up to five working days to review the application documents and determine if the application documents are complete. Once approved, the Provincial CAC will forward the application documents to the national-level CAC. The CAC has up to seven working days to review the application documents to determine whether to accept the application and will issue a written notice to the data processor. The CAC will, within 45 working days from the date of issuing the written notice of acceptance to the data processor, complete the security assessment.
省级网信部门应当自收到申报材料之日起5个工作日内完成完备性查验。申报材料齐全的,将申报材料报送国家网信部门。国家网信部门应当自收到申报材料之日起7个工作日内,确定是否受理并书面通知数据处理者。国家网信部门应当自向数据处理者发出书面受理通知书之日起45个工作日内完成数据出境安全评估。
As such, the total government security assessment reviewing period is 57 working days if the application documents are complete and acceptable to the CAC. However, the government assessment period may be extended for a reasonable period of time if there are complications or supplementary or corrected materials are needed. Due to the lack of an explicit limit on the extended period, the CAC has discretion to extend its review and assessment for as long as it believes necessary.
因此,若申报材料齐全且被网信部门受理,安全评估总审查期为57个工作日。但情况复杂或者需要补充、更正材料的,可以适当延长。由于对延长期限没有明确限制,网信部门有权自主延长其认为必要的审查和评估的期限。
If a data processor disagrees with the assessment results, it may, within 15 working days after receipt of the assessment results, apply to the CAC for re-assessment, and the re-assessment results will be final.
数据处理者对评估结果有异议的,可以在收到评估结果15个工作日内向网信部门申请复评,复评结果为最终结论。
c. Focus of Review
c. 审查重点
The key factors that will be considered by the CAC in conducting the security assessment is similar to and broader than those for the self-assessment as described above, including the impact of the data security protection policies and regulations, as well as network security environment of the country or region where the foreign recipient is located and the security of the data to be exported.
网信部门在进行安全评估时将考虑的关键因素与上述自评估相似且范围更广,包括数据安全保护政策法规的影响,以及境外接收方所在国家或地区的网络安全环境和出境数据的安全性。
3. Other Notable Requirements
其他值得注意的要求
The security assessment result is valid for two years. A data processor is also required to re-submit an application for government security assessment in certain circumstances, such as where the cross-border data transfer purpose has changed.
安全评估的结果有效期为2年。在某些情况下,数据处理者应当重新申报评估,例如向境外提供数据的目的发生变化。
III. Our Observations
三、我们的观察
The Measures equally apply to not only domestic Chinese companies who export data outside China during cross-border transactions but also the transfer/share of data by the Chinese subsidiaries of multinational corporations (MNCs) to their overseas headquarters and affiliate(s) within the same MNC group. This happens on a daily basis, as sensitive personal information of employees of the China operations of foreign companies or organizations is transferred to overseas headquarters for HR management purposes or where information of China-based customers/vendors/distributors is exported for business purposes. MNCs with presences in China should take the Measures seriously and start to review their cross-border data transfer practices as soon as possible with guidance from counsel.
《办法》不仅适用于在跨境交易中向境外提供数据的中国内资公司,也适用于跨国公司的中国子公司向其境外总部和同一跨国公司集团内的关联公司传输/共享数据。这种情况每天都在发生:境外公司或组织的中国业务员工的敏感个人信息被传输到境外总部进行人力资源管理,或者中国客户/供应商/分销商的信息因商业目的被传输到境外。在中国开展业务的跨国公司应认真对待《办法》,并在律师的指导下尽快开始审查其跨境数据传输实践。
The Measures grant a grace period of six months from the effective date of the Measures (September 1, 2022) for a data processor to rectify data exports that occurred prior to September 1, 2022, but not in compliance with the requirements of the Measures. We suggest that MNCs that have operations and subsidiaries in China and that have obtained or have access to important data and/or personal information from China that will cause each of its affiliates in China to evaluate, with guidance from counsel, as to whether its cross-border data transfer is subject to the Measures and the CAC government security assessment review the following key elements:
《办法》给予数据处理者自《办法》生效之日起(2022年9月1日)6个月的宽限期,以整改2022年9月1日之前发生但不符合《办法》要求的数据出境。我们建议在中国境内开展运营和设有子公司的跨国公司,以及已从中国获取或获取重要数据和/或个人信息的跨国公司,在律师的指导下,基于以下因素评估其跨境数据传输是否受《办法》以及网信部门安全评估审查的约束:
1) whether it is a Critical Information Infrastructure (CII) operator;
是否是关键信息基础设施运营者;
2) whether it is processing and exporting important data;
是否正在处理并向境外提供重要数据;
3) whether it is processing personal information of one million or more individuals;
是否正在处理100万人以上个人信息;
4) whether it has transferred personal information of 100,000 individuals or more on a cumulative basis since January 1 of the previous year; and
自上年1月1日起累计向境外提供10万人以上个人信息;和
5) whether it has transferred sensitive personal information of 10,000 or more individuals on a cumulative basis since January 1 of the previous year.
自上年1月1日起累计向境外提供1万人以上敏感个人信息。
If the data processor in China meets any of the above thresholds, the cross-border transfer of data will be subject to the self-assessment and the CAC government security assessment before the data is transferred outside China in a cross-border transfer.
中国境内的数据处理者有上述情形之一的,应在通过跨境传输将数据传输到中国境外之前,对数据的跨境传输进行自评估和网信部门的安全评估。
On the other hand, if and only if none of the thresholds listed above is met, the data processor in China may rely on a data sharing/transfer agreement with the foreign recipient without the CAC government security assessment. Notably, on June 30, 2022, the CAC published the draft Provisions on the Standard Contract for the Cross-border Transfers of Personal Information (Draft Provisions, “《个人信息出境标准合同规定(征求意见稿)》” in Chinese). According to the Draft Provisions, a standard data-sharing/transferring contract can be relied upon for cross-border transfer of data only if a data processor in China does not meet any of the thresholds listed above (as discussed in more details in Section I in this article). The Draft Provisions and an attached draft standard contract set forth the key provisions that must be contained in the standard contract for cross-border data sharing. In addition, the Draft Provisions require a data processor to conduct a personal information protection impact assessment (which is a self-assessment) before it transfers personal information overseas. The Draft Provisions also require the data processor to file both the standard contract and the report of its personal information protection impact assessment with the relevant provincial-level CAC within 10 working days after the standard contract comes into effect. Unlike the government security assessment described in Section II of this alert, this is a filing rather than an approval process with the government authority.
另一方面,当且仅当未出现任何上述情形时,中国境内的数据处理者可以选择采用与境外接收方签订数据共享/传输协议的方式,而无需进行网信部门的安全评估。值得注意的是,网信部门于2022年6月30日公布了《个人信息出境标准合同规定(征求意见稿)》草案(《规定(草案)》)。根据《规定(草案)》,只有当中国境内的数据处理者不符合上述情形时,才能依据标准的数据共享/传输合同进行跨境传输(详见本文第一节)。《规定(草案)》和所附标准合同草案规定了跨境数据共享标准合同中必须包含的关键条款。此外,《规定(草案)》要求数据处理者向境外提供个人信息之前,必须进行个人信息保护影响评估(即自评估)。《规定(草案)》还要求数据处理者在标准合同生效后10个工作日内,向有关省级网信部门提交标准合同和个人信息保护影响评估报告。与本文第二节中描述的安全评估不同,这是向政府机构提交的备案申请,而非审批流程。
Furthermore, on June 24, 2022, China’s National Information Security Standardization Technical Committee published the Practical Guidelines for Cybersecurity Standards - Specification for Security Certification of Cross-Border Processing of Personal Information (Certification Specification, “《网络安全标准实践指南- 个人信息跨境处理活动安全认证规范》” in Chinese), which takes effect on the same date. According to the Certification Specification, which is a national standard rather than a mandatory law or regulation, a certification can be obtained for the (i) the cross-border processing of personal information among subsidiaries or affiliates of a MNC or the same economic entity; or (ii) analysis and evaluation of the behavior of Chinese domestic natural persons outside the PRC. As such, if the PRC subsidiary of a MNC in China does not meet any of the thresholds listed above (Section I of this article), the Chinese subsidiary of the MNC might also apply to obtain security certification from a certification unit in China for the cross-border transfer of data with its overseas’ affiliates according to the requirements of the Certification Specifications. However, neither the Certification Specification nor any other published regulations have identified any specific institution that is qualified to conduct such certification.
此外,2022年6月24日,中国国家信息安全标准化技术委员会发布了《网络安全标准实践指南-个人信息跨境处理活动安全认证规范》(《认证规范》),并于同日生效。《认证规范》是一项国家标准,而非强制性法律或法规,《认证规范》适用于:(i)跨国公司或者同一经济实体下属子公司或关联公司之间的个人信息跨境处理活动;或(ii)分析和评估中国境内自然人在境外的行为。因此,如果跨国公司在中国的中国子公司不符合上述情形(本文第一节),跨国公司的中国子公司可以根据《认证规范》的要求,向中国认证单位申请获得安全认证,以便与其境外的关联公司进行跨境数据传输。但是,《认证规范》以及其他已发布的法规都没有规定有资格进行此类认证的特定机构。
We will monitor the developments of regulations, implementation rules and guidelines regarding the cross-border data transfer in China, and keep you updated.
我们将密切关注有关中国跨境数据传输的法规、实施规则和指南的发展,并随时为您提供最新信息。