The Cyberspace Administration of China’s Measures for Security Assessment of Cross-border Data Transfer have retroactive effect for cross-border data transfers conducted prior to September 1, 2022. Businesses have a grace period of just six months to rectify any noncompliant activities pertaining to data transfers out of China, and should bring their practices in line with the security assessment requirements as soon as possible.
The Cyberspace Administration of China (CAC) released its long-awaited, final version of the Measures for Security Assessment of Cross-Border Data Transfer (Measures) and responded to correspondents’ questions (Responses) on July 7, 2022. The Measures will take effect on September 1, 2022. Previously, the draft Measures were released for public comment in October 2021.
In general, the Measures formulate a security assessment mechanism for cross-border data transfers covering important data and personal information, which substantiates the relevant provisions under the Cybersecurity Law, Data Security Law, and Personal Information Protection Law. The content remains mostly unchanged from the draft, but has a few changes to align the Measures more closely with the other latest regulations on data export.
The Measures provide a clear pathway for companies that need to send data overseas for their operations by outlining the specific requirements, steps, and procedures to go through a security assessment; thus it may exert significant impact on multinational corporations’ cross-border data transfer activities and corresponding data compliance measures in China.
The Measures specify the application scope of a security assessment, which reconciles with the draft Provisions on the Standard Contract for the Cross-Border Transfers of Personal Information (Draft Provisions). According to Article 4 of the Measures, an entity that transfers data out of China must apply for a security assessment if any of the criteria in the following dimensions is met.
Critical Information Infrastructure Operators
If an entity is identified as a critical information infrastructure operator (CIIO) in China, its transfers of important data and personal information out of China, regardless of the volume involved, would be subject to a security assessment.
According to the Security Protection Regulations on the Critical Information Infrastructure, if the network infrastructure or information system of an entity is designated by the industry regulators as “critical information infrastructure,” the regulators in charge must notify the designated CIIO of such designation in a timely manner.
Data Handler That Processes Personal Information of More Than 1 Million Individuals
As set out in the Measures, if an entity processes the personal information of more than 1 million individuals, its transfers of personal information out of China would be subject to a security assessment. In addition, according to the Personal Information Protection Law, such an entity is also deemed a “personal information processor whose processing of personal information reaches the number prescribed by the State cyberspace administration,” and thus must store the personal information it collects and generates within China (Data Localization).
Compared with the draft Measures released in October 2021, the final Measures impose a two-year limitation on the cumulative period for cross-border transfer of personal information. Entities that, since January 1 of the previous year, have cumulatively transferred out of China (1) the personal information of more than 100,000 individuals, or (2) the sensitive personal information of more than 10,000 individuals would be subject to a security assessment.
As long as the data to be transferred falls into the category of “important data,” regardless of the volume and the nature of the data handler, such data transfer must go through the security assessment process.
The Measures, for the first time at the regulation level, define the term “important data” as “any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, and public health and safety.” However, we are still waiting for detailed guidance in relation to the scope of important data.
On January 13, 2022, the National Information Security Standardization Technical Committee (TC260) issued the draft Guideline for the Identification of Important Data, which attempts to enumerate “important data.” However, that guideline is not final, and as a non-binding national guideline, it lacks legal effect. It may take a few years for all the central government ministries, local governments, and industry regulators in China to define their own rules for identifying important data.
The Measures do not provide a definitive definition for the term “cross-border data transfer.” Referring to the Guidelines for Cross-Border Data Transfer Security Assessment dated 2017, cross-border data transfer generally refers to any movement of personal data (and other restricted classes of data) outside of China.
In the Responses relating to the Measures, the CAC set forth two “cross-border data transfer” scenarios that are subject to security assessment: (1) the data handler transfers and stores data collected and generated in China outside the territory of China; and (2) the data handler stores the data collected and generated within China, but overseas organizations and individuals have remote access to it. As such, it can be inferred that purely overseas data passing through or entering China, whether or not it is processed in China and transferred back out of China, would not be subject to the security assessment requirement.
The security assessment procedure is a combination of a self-assessment of security and the security assessment by the relevant authorities (the CAC).
A self-assessment must be conducted and submitted for filing with the government regardless of which route the company takes for cross-border data transfer: the standard contractual clause (SCC), the security assessment, or certification.
Data handlers are required to perform a self-assessment considering the following factors:
A self-assessment report should be generated accordingly.
Security Assessment by the CAC
The government-led security assessment focuses on assessing the risk that cross-border data transfer activities may pose to national security, public interests, and the legitimate rights and interests of individuals or organizations. The consideration factors in a CAC security assessment cover all the factors considered in a self-assessment, with two additional factors: (1) the impact of the data security regulations and policies of the data-receiving country on the outbound data; and (2) whether the data protection level of overseas recipients meets the requirements of Chinese laws, administrative regulations, and mandatory national standards.
In terms of documentation required for a government-led security assessment, the submission shall include (1) the declaration form; (2) the self-assessment report; (3) legal documents between data handlers and overseas recipients; and (4) other materials needed for security assessment work.
The legal documents signed between the data handler and the overseas recipient must include (but are not limited to) the following duties and obligations:
As for the approval procedure, the CAC at the province level will check the completeness of the documents within five working days of receiving the application documents. If the application documents satisfy the documentation requirements, the province-level CAC will forward them to the State CAC for content review and approval; otherwise, the application documents will be returned to the applicant for further preparation. The State CAC will decide whether to accept the documents within seven working days of receiving them from the province-level CAC and will inform the applicant in writing.
The state-level security assessment normally would be completed within 45 days upon acceptance of the case. However, where the situation is complicated or supplementary or corrected materials are needed, the assessment period may be extended appropriately. It is noteworthy that the wording of “not exceeding 60 working days” in the previous draft is removed in this final version of the Measures, which means the CAC’s decision-making time frame could be more uncertain and ambiguous.
There are three possible outcomes for a CAC security assessment application:
China recently released numerous new regulations and national standards in relation to data export, including the Standard Contract Provisions on the Export of Personal Information (Draft for Comment) and the Technical Specifications for Certification of Cross-Border Processing of Personal Information, which correspond to the SCC and certification routes of data export, respectively. These instruments fill the gap left by the Cybersecurity Law, Data Security Law, and Personal Information Protection Law in terms of cross-border data transfers and lay a solid foundation for upcoming enforcement.
The security assessment requirements under the Measures, in particular, will take effect on September 1, 2022. The security assessment requirements have retroactive effect for cross-border data transfers conducted prior to this effective date. Businesses have a grace period of six months to rectify any noncompliant activities pertaining to data transfers out of China.
Considering that it normally would take around three months to complete the security assessment process, entities are advised to plan ahead and to start bringing their practices in line with these new requirements as soon as possible to prevent any interruptions to potential data transfer or business operations.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:
Gregory T. Parks
W. Reece Hirsch
*A director of Morgan Lewis Stamford LLC, a Singapore law corporation affiliated with Morgan, Lewis & Bockius LLP