The Cyberspace Administration of China (hereinafter referred to as the ‘CAC’) released the Security Assessment Measures on Cross-border Data Transfer (Draft For Comments ）(《数据出境安全评估办法(征求意见稿)》, hereinafter referred to as the ‘Measures’) seeking public comments on 29 October 2021. The Measures address the issue of conducting security assessment for transfer of data from China to overseas recipients. This article briefly summarizes the key provisions of the Measures which may impact those entities who are transferring or are to transfer data to overseas recipients.
1. Scope of Application
Unless otherwise prescribed by laws or administrative regulations, data processors shall go through the security assessment according to these Measures if they provide a) important data collected/generated during their operations within the territory of China and b) personal information which is subject to security assessment pursuant to the laws, to overseas recipients.
2. Situations for going through security assessment
Transfer of personal information and important data[i] collected or generated by critical information infrastructure operators (hereinafter referred to as the ‘CIIOs’) during their operations within the territory of China to overseas recipients shall be subject to security assessment.
Non-CIIOs shall go through security assessment if any of the following circumstances are satisfied: -
· The data to be transferred to overseas recipients contains important data;
· The personal information processor, which processes over 1 million individuals’ personal information, provides personal information to overseas recipients; or
· The personal processor provides accumulatively over 100 thousand individuals’ personal information or over 10 thousand individuals’ sensitive personal information
The Measures also set out a catch-all clause for other circumstances required for going through security assessment as stipulated by the CAC.
3. How to initiate the security assessment process
For those data processors falling within the scope of going through the security assessment, they shall a) firstly conduct a self-assessment on the risks of providing data to overseas recipients prior to provision of the data to overseas recipients; and b) then submit the application to the CAC for security assessment via the local provincial-level CAC authorities. The application materials to be submitted shall include the following:
· Application letter;
· Self-assessment report on risks of cross-border transfer of data;
· Contract(s) or other legally binding documents to be concluded between the data processor and the overseas recipient(s);
· Other materials required for conducting the security assessment.
4. Self-assessment report
The Measures stipulate that in the course of assessing the risks for transfer of outbound data, the data processor shall take various matters into account, in particular the following:
· the legality, legitimacy and necessity of the cross-border transfer of data, and the purpose, scope and method of processing of data by the overseas recipients;
· the quantity, scope, type and sensitivity of outbound data and the risks of causing damage to the national security, public interests as well as legitimate rights and interests of individuals or organizations;
· whether the management and technical measures adopted by data processors and capabilities of data processors during the data transfer process can prevent the risks of data leakage or data destruction/damage;
· the responsibilities and obligations undertaken by the overseas recipients, and whether the overseas recipients’ management and technical measures and capabilities to perform these responsibilities and obligations can ensure the security of outbound data;
· Risks of data leakage, damage, tampering, abuse, etc. after data is exported and is re-transferred, and whether there are smooth channels for individuals to safeguard their rights and interests related to their personal information;
· whether the data export-related contracts concluded with overseas recipients fully stipulate the responsibilities of data security protection.
5. Conducting of Security Assessment and Timelines
a) Authorities conducting the security assessment
· If the CAC accepts the security assessment application, it shall organize the competent authorities such as authorities in charge of respective industries concerned, relevant departments of the State Council, the provincial-level cyberspace administration authorities as well as specialized agencies to conduct security assessment.
b) What to be assessed
· The security assessment focuses on the risks that data export activities may bring to national security, public interests, and the legitimate rights and interests of individuals or organizations, the contents of which basically overlap with the contents of self-assessment by the data processors.
c) The data processor shall be notified of the assessment result in writing.
· The CAC shall, within seven working days from the date of receipt of the application materials, determine whether to accept the assessment application, and give feedback on the acceptance results in the form of a written notice.
· The CAC shall complete security assessment of outbound data within 45 working days commencing from the date of issuing the written notice of acceptance; if the circumstance is complex or supplementary materials are required, the said time limit may be extended appropriately, but generally shall not exceed 60 working days.
6. Validity period of security assessment result
a) The security assessment result is valid for two years.
b) If any of the following circumstances occurs during the validity period, the data processors shall re-apply for assessment:
· Any change occurs to the purpose, method, scope, or type of outbound data, or the use or method of data processing by the overseas recipient, or the period for overseas storage of personal information and important data is extended;
· Any change in the legal environment of the country or region where the overseas recipient is located, any change in the actual control of the data processor or the overseas recipient, or any change in the contract between the data processor and the overseas recipient that may affect the security of the outbound data;
· Other circumstances affecting the security of outbound data.
c) If it is necessary to continue the outbound provision of the original data upon expiration of the validity period, the data processor shall apply for assessment again 60 working days before expiration. If no new application is filed for assessment under such circumstances, relevant data exporting activities shall be ceased.
d) Where the CAC finds that any data exporting activities which have passed the security assessment no longer satisfy the data exporting security management requirements during the actual process, it shall cancel the assessment results and notify the data processor in writing. The data processor shall terminate its data exporting activities. If it is necessary to continue such activities, the data processor shall make rectifications according to the relevant requirements and re-apply for the security assessment after completing the rectifications.
The Measures regulate the cross-border transfer of data and aim at achieving a balance between ensuring the security of data (and the rights and interests relating to the data) and free flow of data. Companies are recommended to consider if to take an approach of localizing the storage of data within China considering certain specific data exporting activities are subject to the security assessment and there shall be risks of not passing such security assessment or the security assessment result being cancelled. Companies which are conducting data exporting activities or contemplating data exporting activities will have to keep alert on the legal updates in this regard.
[i] As for the identification of important data, according to Article 21 of the PRC Data Security Law, the national data security work coordination mechanism shall coordinate relevant government departments to formulate important data catalogs and strengthen the protection of important data. All regions and departments shall, in accordance with the data classification and hierarchical protection system, determine specific catalogs of important data in their respective regions, departments, and related industries and fields, and implement key protection measures on the data included in the catalog.