Released on 7 July 2022, the Measures for the Security Assessment of Outbound Data Transfers (the ‘Measures’) take effect from 1 September.
The Measures, published by the Cyberspace Administration of China (CAC), supplement the Data Security Law and the Personal Information Protection Law adopted in 2021. They set forth the security assessment obligations for companies in China transferring data abroad. The Measures mainly apply to companies deemed critical information infrastructure operators or those handling the personal information of more than 1 million individuals; however, all companies should be aware of the legal obligations, because the Measures include a catch-all clause in their scope of application.
Mainly, the security assessment of outbound data transfers applies to two types of data handlers that transfer abroad important data and/or personal information collected and generated in the territory of the People’s Republic of China:
1. Critical information infrastructure operators (“CIIOs”);
2. Personal information handlers that have processed the personal information of more than 1 million individuals.
For companies that do not fall within the above scope, the security assessment of outbound data transfers still applies if they meet one of the following conditions:
- Transferring important data abroad
- Transferring abroad the personal information of more than 100,000 individuals cumulatively since 1 January of the preceding year
- Transferring abroad the sensitive personal information of more than 100,000 individuals cumulatively since 1 January of the preceding year
- Other situations stipulated by the State Internet Information Department that require a security assessment
Mandatory security assessments concern four types of data that may cross the border. For companies, conducting a data assessment and classification is essential to understand the types of data they process, and on that basis to evaluate whether a security assessment is required.
The Regulations on the Security and Protection of Critical Information Infrastructure define CIIOs as companies engaged in “important industries or fields”, mainly companies in the following industries:
- Public communication and information services;
- Public services;
- E-government services;
- National defense; and
- Any other important network facilities or information systems that may seriously harm national security, the national economy and people’s livelihoods, or public interest in the event of incapacitation, damage, or data leaks
Most foreign companies are unlikely to be deemed CIIOs, except those engaged in the energy or finance sectors.
The Measures echo the Data Security Law by defining ‘important data’ as “data that may endanger national security, economic operation, social stability, or public health and safety once tampered with, destroyed, leaked, or illegally obtained or used”. Specific important data catalogues are to be formulated by each region and department under the Data Security Law, so companies should be prepared for forthcoming details relevant to their industry and region.
Personal information refers to any kind of information, recorded electronically or otherwise, that relates to an identified or identifiable natural person. It excludes information that has been anonymised.
For companies, personal information is mainly handled by the human resources, finance, and marketing departments.
Sensitive Personal Information
The Personal Information Protection Law classifies the following as sensitive personal information:
- Religious beliefs;
- Specific identities, medical and health;
- Financial accounts, whereabouts and other information of a natural person;
- Personal information of minors under the age of fourteen
Security Assessment Procedure
Security assessment applications must be submitted to the local cyberspace administration, which forwards them to the CAC for assessment and approval. Assessment and approval are provisioned to take a maximum of 57 days from the submission date, although the authorities may request further supplementary materials or return materials with deficiencies. Assessment results are valid for 2 years, and a new application must be filed 60 working days before the expiration date.
Where subsidiaries are required to submit data to overseas headquarters and are subject to a security assessment, they should renegotiate the time-frame in advance so that the security assessment can be completed before data is transferred abroad.
Applicants are required to conduct a self-assessment of the export as part of the security assessment application. The self-assessment focuses on the risks that the data export poses to national security and to the rights of the individuals and organisations from whom the data was collected. The Measures stipulate that the applicant shall consider the following points in the self-assessment:
- The legality, legitimacy, and necessity of the purpose, scope, and method of the cross-border data transfer, and the processing of the data by the overseas recipient.
- The scale, scope, type, and sensitivity of the data being transferred, and the possible risks that the cross-border data transfer could pose to China’s national security, public interests, and the legal rights of individuals and organizations.
- The responsibilities and obligations undertaken by the overseas recipient [of the data], and whether the management and technical measures and capabilities for fulfilling the responsibilities and obligations can ensure the security of outbound data.
- The risk of the data being tampered with, destroyed, leaked, lost, transferred, or illegally obtained or used during the overseas transfer or after it exits the country, and whether the channels for safeguarding the rights and interests of the PI [subjects] are unobstructed.
- Whether or not the data export-related contracts or other legally binding documents (hereinafter collectively referred to as “legal documents”) that are entered into with the overseas recipient fully stipulate the responsibility and obligations of data protection.
- Other matters that may affect the security of data export.
Applicants are required to submit the following material for the security assessment:
- A declaration;
- Self-assessment report;
- Data processing agreement between the data controller and the foreign recipient; and
- Other materials required for the security assessment.
Security Assessment and Re-Assessment
In the security assessment, the CAC will also consider the following:
- The impact of data security protection policies and regulations and the network security environment of the country or region where the foreign recipient is located;
- Whether the level of data protection of the foreign recipient meets the requirements of the laws and administrative regulations of the PRC and mandatory national standards;
- Compliance with PRC laws, administrative regulations, and departmental rules;
- Other matters that the CAC deems necessary to be assessed.
Where the assessment is rejected, a re-assessment can be applied for within 15 working days of the assessment result. However, the re-assessment result is final, and no further appeal is permitted.
During the assessment validity period, companies are required to notify the authorities if any of the following changes occur:
- Changes to the purpose, methods, scope, and types of data exported, as well as the purposes and methods for which foreign recipients process data, that affect the security of exported data, or extending the period of overseas retention of personal information and/or important data;
- Changes in the data security protection policies, regulations, and network security environment of the country or region where the foreign recipient is located, as well as other force majeure circumstances such as changes in the actual control of the data controller or the foreign recipient, changes in the legal documents of the data controller and the foreign recipient, and other changes that affect the security of exported data;
- Other circumstances that affect the security of exported data.
Where the CAC finds that an approved cross-border transfer no longer meets the security requirements, the transfer can be terminated. In such a case, the company should rectify the issues and resubmit the security assessment.
For companies affected by the Measures, it is essential to start preparations before 1 September. Violations of the Measures are subject to the same penalties as under the Data Security Law and the Personal Information Protection Law.