LawFlash

China’s Cross-Border Data Transfer Security Assessment Measures Take Effect September 1

August 01, 2022

The Cyberspace Administration of China’s Measures for Security Assessment of Cross-border Data Transfer have retroactive effect for cross-border data transfers conducted prior to September 1, 2022. Businesses have a grace period of just six months to rectify any noncompliant activities pertaining to data transfers out of China, and should bring their practices in line with the security assessment requirements as soon as possible.

The Cyberspace Administration of China (CAC) released its long-awaited, final version of the Measures for Security Assessment of Cross-Border Data Transfer (Measures) and responded to correspondents’ questions (Responses) on July 7, 2022. The Measures will take effect on September 1, 2022. Previously, the draft Measures were released for public comment in October 2021.

In general, the Measures formulate a security assessment mechanism for cross-border data transfers covering important data and personal information, which substantiates the relevant provisions under the Cybersecurity Law, Data Security Law, and Personal Information Protection Law. The content remains mostly unchanged from the draft, but has a few changes to align the Measures more closely with the other latest regulations on data export.

The Measures provide a clear pathway for companies that need to send data overseas for their operations by outlining the specific requirements, steps, and procedures for going through a security assessment; they may therefore have a significant impact on multinational corporations’ cross-border data transfer activities and corresponding data compliance measures in China.

APPLICATION SCOPE

The Measures specify the application scope of a security assessment, which reconciles with the draft Provisions on the Standard Contract for the Cross-Border Transfers of Personal Information (Draft Provisions). According to Article 4 of the Measures, an entity that transfers data out of China must apply for a security assessment if any criteria in the following dimensions are met.

Data Subjects

Critical Information Infrastructure Operators

If an entity is identified as a critical information infrastructure operator (CIIO) in China, its transfers of important data and personal information out of China, regardless of the volume involved, would be subject to a security assessment.

According to the Security Protection Regulations on the Critical Information Infrastructure, if the network infrastructure or information system of an entity is designated by the industry regulators as “critical information infrastructure,” the regulators in charge must notify the designated CIIO of such designation in a timely manner.

Data Handler That Processes Personal Information of More Than 1 Million Individuals

As set out in the Measures, if an entity processes the personal information of more than 1 million individuals, its transfers of personal information out of China would be subject to a security assessment. In addition, according to the Personal Information Protection Law, such an entity is also deemed a “personal information processor whose processing of personal information reaches the number prescribed by the State cyberspace administration,” and thus must store the personal information it collects and generates within China (Data Localization).

Data Volume

Compared with the draft Measures released in October 2021, the final Measures impose a two-year limitation on the cumulative period for cross-border transfer of personal information. Entities that, since January 1 of the previous year, have transferred out of China (1) the personal information of more than 100,000 individuals, or (2) the sensitive personal information of more than 10,000 individuals would be subject to a security assessment.

Important Data

As long as the data to be transferred falls into the category of “important data,” regardless of the volume and the nature of the data handler, such data transfer must go through the security assessment process.

The Measures, for the first time at the regulation level, define the term “important data” as “any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, and public health and safety.” However, we are still waiting for detailed guidance in relation to the scope of important data.

On January 13, 2022, the National Information Security Standardization Technical Committee (TC260) issued the draft Guideline for the Identification of Important Data, which tries to enumerate “important data.” However, such guideline is not final, and as a non-binding national guideline, it lacks legal effect. It may take a few years for all the central government ministries, local governments, and industry regulators in China to define their own rules for identifying important data.

WHAT CONSTITUTES A ‘CROSS-BORDER DATA TRANSFER’

The Measures do not provide a definition of the term “cross-border data transfer.” Referring to the Guidelines for Cross-Border Data Transfer Security Assessment dated 2017, cross-border data transfer generally refers to any movement of personal data (and other restricted classes of data) outside of China.

In the Responses relating to the Measures, the CAC set forth two “cross-border data transfer” scenarios that are subject to security assessment: (1) the data handlers transfer and store data collected and generated in China outside the territory of China; and (2) the data handlers store the data collected and generated within China, but overseas organizations and individuals would have remote access to them. As such, it can be inferred that purely overseas data passing through or entering into China, no matter whether it will be processed in China and transferred back from China, would not be subject to the security assessment requirement.

SECURITY ASSESSMENT PROCEDURE

The security assessment procedure is a combination of a self-assessment of security and the security assessment by the relevant authorities (the CAC).

Self-Assessment

A self-assessment must be conducted, and its report submitted for filing with the government, regardless of which route the company takes for its cross-border data transfer: a standard contractual clause (SCC), a security assessment, or certification.

Data handlers are required to perform a self-assessment considering the following factors:

  1. The purpose, scope, and manner of the cross-border data transfer and the legality, legitimacy, and necessity of the overseas data recipient processing data.
  2. The scale, scope, type, and sensitivity of the transferred data, and the possible risks to national security, public interests, and the legitimate rights and interests of individuals or organizations arising from the cross-border data transfer.
  3. The overseas data recipient's commitment to assume responsibility and obligations, as well as the management and technical measures to fulfill the responsibilities and obligations, and the ability to ensure the security of the transferred data.
  4. The risk of data being tampered with, destroyed, leaked, lost, transferred, or illegally obtained or used during and after the transfer out of China, and whether channels exist for individuals to safeguard their personal information rights and interests.
  5. Adequate compliance of data transfer-related contracts between the data handler and the overseas recipient or other legally binding documents with the data security protection responsibilities and obligations.
  6. Other matters that may affect cross-border data transfer security.

A self-assessment report should be generated accordingly.

Security Assessment by the CAC

The government-led security assessment focuses on assessing the risk that cross-border data transfer activities may pose to national security, public interests, and the legitimate rights and interests of individuals or organizations. The consideration factors in a CAC security assessment cover all the factors considered in a self-assessment, with two additional factors: (1) the impact of the data security regulations and policies of the data-receiving country on the outbound data; and (2) whether the data protection level of overseas recipients meets the requirements of Chinese laws, administrative regulations, and mandatory national standards.

In terms of documentation required for a government-led security assessment, the submission shall include (1) the declaration form; (2) the self-assessment report; (3) legal documents between data handlers and overseas recipients; and (4) other materials needed for security assessment work.

The legal documents signed between the data handler and the overseas recipient must include (but are not limited to) the following duties and obligations:

  1. The purpose, manner, and scope of cross-border data transfer, and the use and manner of data processing by the overseas data recipient, etc.
  2. The location and duration of data retention outside the country, as well as the measures for handling the cross-border data after the retention period is reached, the agreed purpose is completed, or the legal document is terminated.
  3. Binding requirements for the overseas data recipient to transfer the data to other organizations or individuals.
  4. The security measures to be taken by the overseas data recipient in case of substantial changes in actual control or business scope, or changes in the data security protection policies and regulations and network security environment in the country or region, as well as other force majeure circumstances that make it difficult to ensure data security.
  5. Remedial measures for violation of data security protection obligations, liability for breach of contract, and dispute resolution.
  6. Emergency response requirements, and the ways and means by which individuals can safeguard their personal information rights and interests, in case the data is tampered with, damaged, leaked, lost, transferred, illegally accessed, or illegally used, or other risks occur.

Upon receiving the application documents, the CAC at the province level will check them for completeness within five working days. If the documents satisfy the documentation requirements, the province-level CAC will forward them to the State CAC for substantive review and approval; otherwise, the documents will be returned to the applicant for further preparation. The State CAC will decide whether to accept the documents within seven working days of receiving them from the province-level CAC and will inform the applicant in writing.

The state-level security assessment normally would be completed within 45 days upon acceptance of the case. However, where the situation is complicated or supplementary or corrected materials are needed, the assessment period may be extended appropriately. It is noteworthy that the wording of “not exceeding 60 working days” in the previous draft is removed in this final version of the Measures, which means the CAC’s decision-making time frame could be more uncertain and ambiguous.

There are three possible outcomes for a CAC security assessment application:

  1. The application is rejected, meaning the CAC determines that the application does not fall within the scope of a security assessment. In this circumstance, however, entities would still need to take the SCC or certification route for such cross-border data transfer.
  2. The application passes the security assessment, meaning the applicant entity may proceed with the proposed cross-border data transfer in accordance with its filed items. The assessment results will be valid for two years. After the validity period expires, or if a situation occurs that would affect the security of the outbound data, such as changes in the purpose, method, scope, or type of the exported data, or changes in the purpose or method of the processing of the exported data by overseas recipients, the data handler must conduct a re-assessment. Moreover, notwithstanding any approval of a security assessment filing, the CAC has the power to order a data handler to terminate a cross-border data transfer if the CAC determines that the transfer no longer meets data export security management requirements.
  3. The application fails the security assessment, meaning the applicant shall not conduct the proposed cross-border data transfer. Further, in this circumstance, the entity may not rely on an SCC or certification for the proposed transfer. Unlike the previous draft, the Measures give the applicant entity a chance to contest the outcome when its application is rejected as the result of the security assessment: where data handlers disagree with the assessment results, they may apply to the CAC for a re-assessment within 15 working days of receiving the results. The re-assessment results are final.

A LEGAL WAY FORWARD

China recently released numerous new regulations and national standards in relation to data export, including the Standard Contract Provisions on the Export of Personal Information (Draft for Comment) and the Technical Specifications for Certification of Cross-Border Processing of Personal Information, which correspond to the SCC and certification routes of data export, respectively. These instruments fill the gap left by the Cybersecurity Law, Data Security Law, and Personal Information Protection Law in terms of cross-border data transfers and lay a solid foundation for upcoming enforcement.

The security assessment requirements under the Measures, in particular, will take effect on September 1, 2022. The security assessment requirements have retroactive effect for cross-border data transfers conducted prior to this effective date. Businesses have a grace period of six months to rectify any noncompliant activities pertaining to data transfers out of China.

Considering that it normally would take around three months to complete the security assessment process, entities are advised to plan ahead and to start bringing their practices in line with these new requirements as soon as possible to prevent any interruptions to potential data transfer or business operations.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:

Beijing/Shanghai
Todd Liao

Hong Kong
Charles Mo

London
Pulina Whitaker

Philadelphia
Gregory T. Parks

San Francisco
W. Reece Hirsch

Singapore
Daniel Chia*

Tokyo
Mitsuyoshi Saito

*A director of Morgan Lewis Stamford LLC, a Singapore law corporation affiliated with Morgan, Lewis & Bockius LLP