In addition to the two developments we reported on in our last blog post, on July 7, 2022, the long-awaited, final version of the Measures for Security Assessment of Cross-border Data Transfer (《数据出境安全评估办法》, “Measures”) was released by the Cyberspace Administration of China (“CAC”). With a very tight implementation schedule, the Measures will take effect on September 1, 2022. The full text of the Measures can be found here (currently available only in Mandarin Chinese).
In this blog, we highlight a few key takeaways from the final Measures.
(1) Who must carry out a security assessment?
According to Article 4, an entity that transfers data out of China must apply for a security assessment if any of the following criteria are met:
- the entity transfers “important data” out of China – the Measures define “important data” as “any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, and public health and safety;”
- the entity transfers personal information out of China as (1) a critical information infrastructure (CII) operator, or (2) a data processing entity that processes personal information of over one million individuals;
- the entity has transferred personal information out of China since January 1 of the previous year that consists of (1) the personal information of more than 100,000 individuals, or (2) the sensitive personal information of more than 10,000 individuals; or
- under other circumstances specified by the CAC.
These thresholds remain unchanged from those provided in the draft version of the Measures issued in October 2021.
(2) How should a security assessment be carried out and what is the timeline?
Under Article 5 of the Measures, data processing entities need to carry out a self-assessment before they can apply through provincial CACs for a security assessment to be carried out and approved by the CAC at the central level.
Upon receipt of the application, a provincial CAC must confirm whether the application materials are complete within 5 working days. If the application package is complete, the provincial CAC will pass on the application to the central CAC.
The CAC will inform the applicant in writing whether an application has been accepted within 7 working days of receipt.
After an application is officially accepted, the CAC is required to conclude the assessment and make a decision within 45 working days. For complex cases or where additional application materials are required, this period can be extended, and the CAC needs to notify the applicant of the estimated time extension.
If the applicant is not satisfied with the assessment result, it can apply to the central CAC for a re-evaluation within 15 working days from receipt of the result. The re-evaluation result will be considered the final conclusion.
(3) What materials are required for a security assessment?
Article 6 of the Measures requires data processing entities to submit the following materials when applying for the security assessment:
- application form;
- self-assessment report for cross-border data transfers;
- the agreement or other legally binding documents to be entered into between the data processing entity and the recipient outside of China; and
- other materials required for the security assessment.
The Measures set forth detailed requirements with respect to the matters to be considered in both the self-assessment and the formal assessment. The Measures also stipulate the contents that must be included in the agreement to be entered into between the parties. Although the application form is yet to be released, an applicant would likely need to demonstrate in the application materials its compliance with the substantial criteria for the security assessment in the Measures, such as the lawfulness, legitimacy and necessity of the purpose, scope, method and other aspects required to justify the cross-border data transfer.
(4) How often do companies need to carry out a security assessment?
The assessment result is valid for 2 years. A data processing entity may also need to re-submit an application in certain circumstances, such as where the cross-border data transfer purpose has changed.
(5) Is there a grace period?
The Measures will take effect on September 1, 2022. For cross-border data transfers that are carried out before that date, the rectification must be completed within 6 months. It is not quite clear whether the 6-month rectification period would also apply to cross-border data transfers that commence after September 1, 2022. Regardless, the grace period is relatively short, especially for companies that may have complicated data flows out of China.