Background and Pending Deadline
The deadline for compliance with the Measures for the Security Assessment of Outbound Data Transfers (the "Measures") is March 1, 2023. To re-cap, the Measures require a security assessment by the Cybersecurity Administration of China ("CAC") for the following cross-border data transfers:
- All cross-border transfers of "important data";
- The cross-border transfer of personal information ("PI") by a "critical information infrastructure operator" ("CIIO")
- The cross-border transfer of PI by a processor that has processed the PI of more than 1,000,000 people ever; and
- The cross-border transfer of PI by a processor that has (a) transferred the PI of more than 100,000 people cross-border since Jan 1 of the previous year; OR (b) transferred the "sensitive PI" of more than 10,000 people cross-border since Jan 1 of the previous year.
(For details on these triggers and the context of the Measures, see our previous article: http://blog.galalaw.com/post/102hu3u/china-updates-on-outbound-data-transfers)
The Measures specify that the CAC's security assessment may take 57 days. And as a preliminary step, the company seeking the security assessment must first conduct its own self-assessment, which will also take some time. Hence, to avoid the substantial penalties non-compliance that are possible under the Measures, all companies involved in cross-border data transfers out of China should immediately begin the process of determining whether a security assessment under the Measures is required for any of their data transfers.
If a self-assessment determines that a CAC security assessment is not required, then the processor should quickly take steps to implement one of the other two options for legalizing cross-border data transfers from China, which are the use of the new (still in draft form) China standard contractual clauses ("SCCs") or seeking PI Protection Certification.
Guidance and Filing Procedures
Further details on security assessment procedures have been released by the CAC in the form of the Guide to Applications for Security Assessment of Outbound Data Transfers (the "Guide"). Critically, this Guide has led provincial-level CACs to gradually open channels to receive security assessment applications and to open hotlines for inquiries. As of the date of this article, 18 major provincial-level CACs have released information, including Beijing, Tianjin, Shanghai, Chongqing, Hebei, Shanxi, Liaoning, Jilin, Jiangsu, Zhejiang, Fujian, Jiangxi, Guangdong, Hainan, Sichuan, Guizhou, and Inner Mongolia. The information released so far varies, with the CACs of Shanghai and Zhejiang Province having released more complete local official explanations, the CACs of Hainan Province and Jiangsu Province having released more limited practical guidance, and the Beijing CAC having only held a policy interpretation meeting offline without any resulting report or published guidelines.
In addition, the Guide provides that the following procedures and materials will be relevant to all security assessment applications:
1. The application materials shall be in written form and attach a digital version recorded on an optical disk.
2. The required application materials included:
- Photocopy of unified social credit code certificate;
- Photocopy of ID card of the legal representative;
- Photocopy of ID card of the case handler;
- Power of attorney for the case handler;
- Application letter for Security Assessment, including the letter of commitment and the Application Form;
- Photocopies of cross-border transfer related contracts or other legally binding documents to be concluded with the overseas recipients;
- Self-Assessment report on cross-border data transfer risks;
- Other relevant supporting materials.
3. The basic process will be as follows:
Given the practical details and procedures being released at both the national and local levels, it is becoming increasingly clear that the CAC-led security review process will be strictly enforced. As such, the "wait and see" approach that many companies have taken in respect of many of China's recent data and privacy rules may not work in this instance. As such, any companies involved in China-related cross-border data transfers should not delay beginning their self-assessments to determine whether they will need to go down this path, or can use the easier alternatives of China SCCs or PI Protection Certification. Note that penalties for non-compliance can be considerable - up to RMB 50 million or 5% of last year's annual revenue in serious cases under the PIPL.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.