On 7 July 2022, the Cyberspace Administration of China (“CAC”) issued the Measures for the Security Assessment of Outbound Data Transfers (“Measures”), which will take effect on 1 September 2022. The Measures underwent three rounds of public consultation in 2017, 2019 and 2021 before they were finalised.
In its final form, the Measures contain 20 articles. We have identified 11 topics within the Measures that cover:

| No. | Topic | Articles |
| --- | --- | --- |
| 1. | Purpose and scope | 1 & 2 |
| 2. | Important data | 19 |
| 3. | Security assessment triggers | 4 & 14 |
| 4. | Data transfer legal documents | 9 |
| 5. | Self-assessments | 5 |
| 6. | Security assessment applications | 6 |
| 7. | Security assessments | 3, 8, 10, 11 & 14 |
| 8. | Security assessment timescales | 7, 12 & 13 |
| 9. | Confidentiality obligations | 15 |
| 10. | Liability | 16, 17 & 18 |
| 11. | Effective date and transitional period | 20 |
In the following, we shall discuss each of the topics that we have identified in turn.
Purpose and Scope – Articles 1 & 2
The stated purpose of the Measures is “to regulate outbound data transfer activities, protect personal information rights and interests, protect national security and social and public interests, and promote a safe and free flow of data across borders” (Article 1).
Article 2 goes on to state that the Measures apply to security assessments of outbound data transfers involving important data and personal information collected and generated by data processors through their operations in China. Based on Article 2, it seems that the Measures do not apply to personal information collected and generated by data processors outside of China.
Important Data – Article 19
The Measures contain a definition of important data in the context of outbound data transfers. Important data is a nebulous concept in Chinese laws and regulations which requires further elaboration by the CAC and relevant industry regulators. For now, the term has only been further defined in the field of automotive data and in a few draft regulations. Below we compare the definition in the Measures with the core of the definition in the Several Provisions on Vehicle Data Security Management (Trial) (“Trial Provisions”).

| Measures for the Security Assessment of Outbound Data Transfers | Several Provisions on Vehicle Data Security Management (Trial) | Comments |
| --- | --- | --- |
| For the purposes of these Measures, the term “important data” means any data, the tampering, damage, leakage, or illegal acquisition or use of which, if it happens, may endanger national security, **the operation of the economy, social stability, public health and security, etc.** | The term “important data” refers to any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may lead to endangerment of national security or **public interests, or infringement of the lawful rights and interests of an individual or organisation**, including the following data: | |

Both definitions are risk-based, though the consequences that they consider differ slightly. We have made bold the more significant differences.
As the CAC was involved in the preparation of both regulations, the differences suggest that the definition of important data will generally be: data that, if breached, may endanger the interests of the nation, public or persons.
Security Assessment Triggers – Articles 4 & 14
A data processor must declare intended outbound data transfers to the provincial CAC and seek a security assessment if the data processor:
1) intends to transfer important data;
2) is a Critical Information Infrastructure operator (“CIIO”) intending to transfer personal information;
3) is a personal information processor who has processed the personal information of over 1 million people;
4) has cumulatively made outbound transfers of the personal information of over 100 thousand people since 1 January of the previous year;
5) has cumulatively made outbound transfers of the sensitive personal information of over 10 thousand people since 1 January of the previous year; and
6) falls within other situations prescribed by the CAC.
Whether companies will be regarded as CIIOs remains unclear in many industries. Despite the uncertainty in existing and future regulations, a more straightforward judgement would be that a company is not a CIIO unless it has been notified by a competent authority that it has been identified as a CIIO.
It is understood that many companies would prefer to see a rise in the threshold transfer volumes of personal information that trigger security assessments.
Security assessments can also be retriggered in one of the following circumstances:
1) there is a change in the particulars of processing by the overseas recipient, which will affect the security of the data, or the period for retaining data is to be extended;
2) there is any change in the data security protection policies and legislation and cybersecurity environment, or a force majeure event occurs, where the overseas recipient is located;
3) there is a change in the actual control of the data processor or overseas recipient or any change to the data transfer agreement, which will affect the security of the outbound data; or
4) any other circumstance exists that may affect the security of the data.
Data Transfer Legal Documents – Article 9
The Measures state that the legal documents between the data exporter and data importer for outbound data transfers should cover:
1) the purpose and method of the outbound data transfer, the scope of data, and the purpose and method of the data processing;
2) the data retention place and period, and obligations when the retention period expires, the transfer purpose completes, or the agreement is terminated;
3) restrictions against onwards transfers of outbound data to others;
4) security measures to be adopted when material changes occur in relation to the overseas recipient, the legal, regulatory environment and cybersecurity environment of the destination country, or a force majeure event occurs that makes it difficult to ensure data security;
5) remedial measures, liability for breach of contract and dispute resolution in the event data security protection obligations are breached; and
6) requirements for proper emergency disposal and ensuring the channels and ways for individuals to safeguard their personal information rights and interest when data is exposed to the risk of security breaches.
On a related note, the CAC also issued the Draft Provisions on Standard Contracts for the Export of Personal Information on 30 July 2022, which also deal with outbound data transfers and contain a draft Standard Contract prepared for use in situations that would not trigger security assessments under the Measures. While the two instruments certainly have some similarities, companies should not assume that signing the Standard Contract would meet the requirements of the Measures.
Self-assessments – Article 5
After a security assessment is triggered, but before a security assessment application is made, a data processor should conduct a self-assessment. Data processors need to address the following factors during self-assessments:
1) the legality, legitimacy and necessity of the transfer and the purpose, scope and manner of data processing by the overseas recipient;
2) the quantity, scope, type and sensitivity of the outbound data, and the risks the outbound data might pose to national security, public interests, and the lawful rights and interests of individuals and organisations;
3) whether the responsibilities and obligations undertaken by the overseas recipient and the management and technical measures and capabilities of the overseas recipient to perform such responsibilities and obligations can ensure the security of the outbound data;
4) the risk of the outbound data suffering from data breaches, including unauthorised onward transfers, during and after the outbound data transfer, and whether individuals have smooth channels to safeguard their rights and interests in their personal information and other data;
5) whether data security protection responsibilities and obligations are sufficiently stipulated in the data transfer agreement or other documents; and
6) other matters that may affect the security of the outbound data transfer.
Some of the factors described above are also subjects of the personal information protection impact assessment (“PIPIA”) required under the Personal Information Protection Law (“PIPL”). We believe it would be cost-effective for companies to consider all assessment factors under both the PIPL and the Measures and make one consolidated self-assessment.
Security Assessment Applications – Article 6
Applications for security assessments should contain:
1) an application form;
2) a self-assessment report;
3) a copy of the outbound data transfer agreement; and
4) other materials required by the CAC.
Security Assessments – Articles 3, 8, 10, 11 & 14
According to Article 3 of the Measures, a security assessment of outbound data transfers should combine ex-ante assessment with ongoing supervision, and self-assessment with security assessment.
The substantive content of a security assessment by the CAC overlaps significantly with the above-mentioned self-assessments, except for the following matters:
1) the impact of data security protection policies and legislation and the cybersecurity environment of the country or region where the overseas recipient is located on the security of the outbound data; whether the data protection level of the overseas recipient meets the requirements of Chinese laws and administrative regulations and the mandatory national standards;
2) the compliance with China’s laws, administrative regulations and departmental rules; and
3) other matters that the CAC deems necessary to assess.
We note that item 1) above seems to describe something similar to the “transfer impact assessment” in the EU, and that data processors are not expected to cover such matters in their self-assessment report. As government departments have limited resources, we doubt that they will make such assessments on a case-by-case basis. Accordingly, we wonder whether a central transfer impact assessment list exists at this time, whether it will become accessible in the future, and how it will be managed and updated.
The CAC can terminate security assessments if the CAC requires additional materials and a data processor refuses to submit them.
Under Article 14, the results of a security assessment are valid for two years unless a retriggering event occurs. Data processors will need to apply for a reassessment after expiration.
Security Assessment Timescales – Articles 7, 12 & 13
Security assessment applications need to be submitted to the relevant provincial CAC, which should confirm the completeness of documents within a maximum of 5 working days. Then the application documents will be provided to the central CAC for substantive review, which should take a maximum of 45 working days from the date of issuing a written acceptance of the application. Accordingly, in normal circumstances, the entire process of applying for and undergoing a security assessment might take up to 50 working days (approximately 2.5 months).
However, the Measures allow the CAC to extend the deadline for completing a security assessment “as appropriate” if the “case is complicated or there are materials to be supplemented or corrected…”
If a data processor objects to the assessment results, it should apply for a reassessment within 14 working days of the receipt of the assessment results. According to Article 15, the results of a reassessment are final.
Confidentiality Obligations – Article 15
Institutions and staff that participate in security assessments must keep confidential, as required by law, any information that they learn during their work. This includes any state secret, personal privacy, personal information, trade secret, confidential business information, and other data.
Liability – Articles 16, 17 & 18
Any person may report violations of the Measures to the CAC.
If the CAC discovers, during the implementation of data transfers, that outbound data transfers which have passed a security assessment no longer conform to the Measures, it may notify the data processor to terminate such transfers. If the data processor needs to continue making such transfers, it should make “rectification as required” before applying for a reassessment. The full implications of this are unclear at this time, but it suggests that the CAC may eventually interpret or construe data transfer agreements and decide whether they are being properly performed, or it might attach conditions to the transfers following its assessments, or both.
Violations are to be dealt with under the Cybersecurity Law, the Data Security Law or the PIPL, and other laws and regulations depending on the data processor, the data and the nature of the violation. We note that violations of the PIPL may attract the highest penalties, specifically, up to CNY 50 million or 5% of the violator’s revenue in the previous year.
Effective Date and Transitional Period – Article 20
The Measures take effect on 1 September 2022. This means that any relevant outbound transfers from 1 September 2022 should only be carried out after data processors have passed security assessments. For outbound data transfers carried out before 1 September 2022, “rectification” shall be completed within 6 months after 1 September 2022. It is unclear whether this means that the data processor must pass the security assessment within this 6-month grace period, or whether the submission of an application for security assessment within this period would be sufficient. Nevertheless, given these deadlines, possible delays, the 2022 spring festival holidays and other factors, we recommend that data processors endeavour to submit their applications for security assessments as soon as possible.
The requirements for security assessment add a layer of onerous compliance burdens to the operations of many businesses. The various thresholds of personal information that trigger security assessments are low and may affect many multinational companies doing business in China. These new requirements also create some uncertainty, particularly for entities that depend on cross-border transfers of data to conduct business. This uncertainty will not be resolved until the Measures take full effect and the processing of security assessments becomes standardised in practice.
Businesses that will likely be subject to the security assessment regime should act now – take stock of their data flows, renegotiate their cross-border data transfer contracts and ensure that their data protection practices align with the requirements of the Measures and other Chinese laws and regulations. Businesses that operate in areas of higher risk may also wish to begin creating contingency plans in case they are prohibited from transferring certain data out of China.