Released on 7 July 2022, the Measures for the Security Assessment of Outbound Data Transfers ('Measures') become effective from 1 September. The Measures, published by the Cyberspace Administration of China (CAC), supplement the Data Security Law and the Personal Information Protection Law adopted in 2021 by setting forth the security assessment obligations for companies in China that transfer data abroad. Although the Measures mainly apply to companies deemed critical information infrastructure operators or those handling the personal information of more than 1 million individuals, all companies should be aware of the legal obligations, since the Measures include a catch-all clause in their applicable scope.

Applicable scope

Mainly, the security assessment applies to two types of data handlers that transfer abroad important data and/or personal information collected and generated in the territory of the People's Republic of China:

1. Critical information infrastructure operators ("CIIOs");

2. Personal information handlers that have processed the personal information of more than 1 million individuals.

For companies that do not fall within the above scope, a security assessment is still required where the company meets one of the following conditions:

  • Transfers important data abroad;
  • Has transferred the personal information of more than 100,000 individuals cumulatively since 1 January of the preceding year;
  • Has transferred the sensitive personal information of more than 10,000 individuals cumulatively since 1 January of the preceding year, as the Measures stipulate (the figure of 100,000 is sometimes quoted; the threshold stated in the Measures is the one that applies);
  • Other situations stipulated by the State Internet Information Department that require a security assessment.

Applicable data

Mandatory security assessments concern four types of data that may be transferred across the border. For companies, conducting a data assessment and classification is essential to understand the types of data processed and whether a security assessment is required.

CIIO

The Regulations on the Security and Protection of Critical Information Infrastructure define CIIOs as companies engaged in “important industries or fields”, including:

  • Public communication and information services;
  • Energy;
  • Transport;
  • Water;
  • Finance;
  • Public services;
  • E-government services;
  • National defense; and
  • Any other important network facilities or information systems that may seriously harm national security, the national economy, people's livelihoods, or the public interest in the event of incapacitation, damage, or data leaks.

Most foreign companies are unlikely to be deemed CIIOs, except those engaged in the energy or finance sectors.

Important data

The Measures echo the Data Security Law by defining ‘important' data as “data that may endanger national security, economic operation, social stability, or public health and safety once tampered with, destroyed, leaked, or illegally obtained or used.” Companies should also note that specific important data catalogs are to be formulated by each region and department under the Data Security Law. Therefore, companies should be prepared for forthcoming details related to their industry and region.

Personal Information

Personal information refers to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymised.

For companies, personal information is mainly handled by the human resources, finance, and marketing departments.

Sensitive Personal Information

The Personal Information Protection Law classifies the following as sensitive personal information:

  • Religious beliefs;
  • Biometrics;
  • Specific identities, and medical and health information;
  • Financial accounts, whereabouts, and other such information of a natural person;
  • Personal information of minors under the age of fourteen.

Security Assessment Procedure  

Security assessment applications must be submitted to the local cyberspace administration, which forwards them to the CAC for assessment and approval. The assessment and approval are provisioned to take a maximum of 57 days from the submission date, though the authorities may require further supplementary materials or return materials with deficiencies. Assessment results are valid for 2 years, and a new application must be filed 60 working days before the expiration date.

Where subsidiaries are required to submit data to overseas headquarters and are subject to a security assessment, subsidiaries should renegotiate the timeframe in advance so that the security assessment is completed before transferring data abroad, and include ample time to submit supplementary material if required.


Conducting Self-Assessment

Applicants are required to conduct a self-assessment of the export as part of the security assessment application. The self-assessment focuses on the risks posed by the data export to national security and to the rights and interests of the individuals and organisations whose data was collected. The Measures stipulate that the applicant shall consider the following points in the self-assessment:

  • The legality, legitimacy, and necessity of the purpose, scope, and method of the cross-border data transfer, and the processing of the data by the overseas recipient.
  • The scale, scope, type, and sensitivity of the data being transferred, and the possible risks that the cross-border data transfer could pose to China's national security, public interests, and the legal rights of individuals and organizations.
  • The responsibilities and obligations undertaken by the overseas recipient [of the data], and whether the management and technical measures and capabilities for fulfilling those responsibilities and obligations can ensure the security of the outbound data.
  • The risk of the data being tampered with, destroyed, leaked, lost, transferred, or illegally obtained or used during the overseas transfer or after it exits the country, and whether the channels for safeguarding the rights and interests of the PI [subjects] are unobstructed.
  • Whether or not the data export-related contracts or other legally binding documents (hereinafter collectively referred to as “legal documents”) that are entered into with the overseas recipient fully stipulate the responsibility and obligations of data protection.
  • Other matters that may affect the security of data export.

Material Submission

Applicants are required to submit the following material for the security assessment:

  • A declaration;
  • A self-assessment report;
  • The data processing agreement between the data controller and the foreign recipient; and
  • Other materials required for the security assessment work.

Security Assessment and Re-Assessment

In the security assessment, the CAC will also consider the following:

  • The impact of data security protection policies and regulations and the network security environment of the country or region where the foreign recipient is located;
  • Whether the level of data protection of the foreign recipient meets the requirements of the laws and administrative regulations of the PRC and mandatory national standards;
  • Compliance with PRC laws, administrative regulations, and departmental rules;
  • Other matters that the CAC deems necessary to be assessed.

Where the assessment is rejected, a re-assessment can be applied for within 15 working days of receiving the assessment result. However, the re-assessment result is final, and no further appeal is permitted.

Amendments

During the assessment validity period, companies are required to notify the authorities if any of the following changes occur:

  • Changes to the purpose, methods, scope, and types of data exported, as well as the purposes and methods for which foreign recipients process data, that affect the security of exported data, or extend the period of overseas retention of personal information and/or important data;
  • Changes in the data security protection policies, regulations, and network security environment of the country or region where the foreign recipient is located, as well as other force majeure circumstances such as changes in the actual control of the data controller or the foreign recipient, changes in the legal documents of the data controller and the foreign recipient, and other changes that affect the security of exported data;
  • Other circumstances that affect the security of exported data.

Where the CAC finds that the approved cross-border transfer no longer meets the security requirements for transferring data, the transfer can be terminated. In such a case, the company should rectify and resubmit the security assessment.

For companies affected by the Measures, it is essential to start preparations before 1 September. Violations of the Measures are subject to the same penalties as those under the Data Security Law and the Personal Information Protection Law.

Preparing for 1 September 2022

  • Analysing all currently processed data, especially in the HR, administrative, finance, and marketing departments;
  • Evaluating all overseas recipients of the transferred data and communicating the procedure to such recipients, namely the data processing agreement and the transfer deadlines;
  • Formulating or updating policies for affected data transfers;
  • Training affected departments on the Measures and related policies.
