It has been six months since the Cyberspace Administration of China (the CAC) released the Rules on Data Outbound Transfer Security Assessment (the Data Outbound Transfer Assessment Rules). Several companies have pioneered in filing their data outbound transfer security assessment (the Security Assessment) application for approval, but many were rejected for improvement or correction. Based upon our work in this area, we are explaining the important things to meet the requirements of the security assessment by the CAC.
Who are subject to the Security Assessment?
- Entities located in China which transfer outbound the important data and/or personal information they process in their operation in China (the Domestic Processors);
- Entities outside China which directly process the important data and/or the qualified personal information from data subjects in their services to the customers in China (the Foreign Processors)
Who should file for the Security Assessment?
- Domestic Processors should file on individual basis by themselves;
- Foreign Processors should each file by a domestic entity authorized by them, or, according to the CAC, should each establish a presence in China to file and conduct follow-up communication with the Chinese authorities relating to data outbound transfer from time to time.
According to a private Q&A session with the CAC, it is not allowed for Foreign Processors to use any third party to file for the Security Assessment on their behalf. Foreign Processors can only use affiliates in China for the filing purpose. If they do not have affiliates in China, they have to establish their presence in China in order to file. It is quite different from the GDPR. It is unclear what the reason is for such a requirement, but such a requirement seems not compatible with a law that claims extraterritorial efforts.
What triggers the Security Assessment?
Outbound transfer of data meeting any one of the following will trigger the Security Assessment:
- Important data
- Any pieces of personal information by the critical information infrastructure operator or by processors which process personal information of more than 1 million data subjects as of September 1, 2022, or thereafter
- As of the data of the self-assessment report, processors who have outbound-transferred the personal information of 100 thousand data subjects from January 1 of the previous year
- As of the date of the self-assessment report, processors who have outbound-transferred the sensitive personal information of 10 thousand data subjects from January 1 of the previous year
The above also serves as the definition for data to which the government has a security concern if being outbound transferred. Data processors can still freely transfer the non-important and non-personal data, the personal information below the threshold or not processed by a CIIO.
What is outbound transfer of data?
For the Security Assessment purpose, outbound transfer of data happens when:
- Domestic Processors transfer and/or store outside of China data collected and generated from in-China business operation (the Domestic Data);
- Domestic Processors allow entities or individuals outside of China to search, check, download or export the Domestic Data;
- Foreign Processors directly process data from Chinese customers in location outside of China
How to determine the important data?
Under the law, the industrial regulatory authorities should formulate and publish the important data catalogue and the industrial determination guidelines in their respective industries, and the local governments are responsible for formulating and publishing the important data catalogue and the regional determination guidelines in their governing regions. Data processors should follow the aforesaid determination guidelines to determine important data in their respective industries and regions. When they are sharing the important data with third parties, they should impose the protection obligations for the important data they are subject to upon those third parties. Therefore, data processors outbound transferring should follow the above guidelines to determine important data of their own and determine important data from third parties based upon the notices and instructions they receive from those sharing third parties.
What is the consequence after the Security Assessment is triggered?
- The data processors should, in addition to the normal assessment required under PIPL, assess security risks of personal information and important data in all outbound transfer scenarios
- The data processors should file for the Security Assessment no later than March 1, 2023
What is the consequence for failure to file timely for Security Assessment?
Processors triggering the Security Assessment but fail to file timely for the Security Assessment should stop the outbound transfer of all important data and all personal information till they have properly filed for and received approval on the Security Assessment, or till their data outbound transfer is below the threshold for filing.
What is the procedure for the Security Assessment?
- It is highly suggested that the processors should have a fully identity disclosed consultation with the provincial office of the CAC whose jurisdiction they are subject to. If an offline meeting can be arranged, that will be better. The consultation is not a statutorily defined procedure, but it will be very helpful to understand the details of the specific filing logics that applies to a specific filing, and the specific expectation of the CAC for the filing.
- The processors should file the application package initially with the provincial office of the CAC for the formality review (which should complete the review within 5 working days) to ensure that the filing is complete and is in good order and format;
- If the filing passes the formality review, the provincial office of the CAC will forward the filing to the CAC for substance review, and the CAC will make a determination that whether it accepts the application in 7 working days and issue a notice to the applicant;
- The substance review will take 45 working days and may be extended if the assessment of the filing is complicated or if the CAC requests for correction and supplement. The CAC will notify the result of the Security Assessment in writing to the applicant upon completion; and
- If the applicant disagrees with the Security Assessment result, it may apply within 15 working days for review of the result. The finding from the review will be final, which means that the administrative finding of the Security Assessment may not be subject to the judicial review, although the procedure of the Security Assessment may be. For each understanding the issue by the audience in the U.S., it is like the mechanism of the CFIUS.
What are the administrative liabilities for violation of the Security Assessment requirement?
- Processors outbound-transferring the personal information that is subject to but without the Security Assessment could be imposed (1) a fine up to the higher between RMB 50 million or 5% of the total revenue of the previous year, (2) forfeiture of the income from the illegal outbound transfer, (3) a Security Assessment violation record on the credit report of the processors, (4) a fine up to RMB 1 million on the responsible executives and other staff of the processors responsible for the violation, and (5) ban of those individuals to take any management roles and data protection role for a certain period subject to the discretion of the supervisory authority
- CIIOs outbound transferring the data in violation of the Security Assessment could be (1) fined up to RMB 500K, (2) ordered to stop the outbound transfer, (3) revoked of their business registration, plus (4) with their executives and other staff responsible for the violation being fined up to RMB100K
- Non-CIIO processors outbound transferring the important data in violation of the Security Assessment could be, other than the order to correct the violation, (1) fined up to RMB 10 million, (2) revoked of their business registration, and (3) with their executives and other staff responsible for the violation being fined up to RMB 1 million
What should be filed for the Security Assessment?
- A photocopy of the unified social credit code of the processor, bearing the company seal
- A photocopy of the personal ID (for Chinese national) or passport (for expatriates) of the legal representative of the data processor, bearing the company seal
- A photocopy of the personal ID of the authorized employee by the data processor specifically for the filing, bearing the company seal
- An original of the authorization letter (in government pre-made form) from the data processor to the authorized employee, properly signed by the legal representative and applied with the company seal
- An original of the application form for the Security Assessment (in government pre-made form) and an original letter of commitment (in government pre-made form), properly signed by the legal representative and applied with the company seal
- A photocopy of the data processing agreement or terms for outbound transfer between the data process and the foreign recipient to be concluded, bearing the company seal as the applicant's certification
- An original data outbound transfer risk self-assessment report (following the government pre-made template), properly signed by the legal representative and applied with the company seal
The application package filed for the Security Assessment should be made in paper form and burned in discs.
What is the focus of the Security Assessment?
- The lawfulness, legitimacy and necessity of the purpose, scope, and methods (of data outbound transfer)
- The impact on the outbound transferred data of the local data security and protection laws and regulation, as well as the local cyber security environment, of the country/region where the recipients locate; whether the level of the protection (on the outbound transferred data) by the foreign recipients meets the protection requirements under the Chinese laws, regulations and the compulsory Chinese national standards
- The scale, scope, categories and (security concern related) sensitivity of the outbound transferred data, and the risks during and after transfer of being modified without authorization, sabotaged, leaked, lost, transmitted without authorization, or illegally accessed or used
- Whether the data security and personal information rights and interests can be sufficiently safeguarded (during the transfer and by the recipients after transfer)
- Whether the legal documents to be concluded between the Processors and their foreign recipients have sufficiently provided the data security protection related obligations and liabilities
- The compliance status with the Chinese laws, regulations, and rules
The above should be clearly assessed and addressed as the main focus of the Security Assessment Report by the processors, as well. In the assessment of the above, data processors are expected to use simple and clear language and format to (1) identify the issue or the risk, (2) explain the mitigation measures, and (3) the effect of the mitigation, for each line item above.
It is worth mentioning that the CAC does not need any local legal opinion from the foreign law firm of the foreign country about the impact of the local laws and regulations on the outbound transferred data. An honest general understanding about it by the data processor will be sufficient.
Lastly, in terms of the scale, scope, categories and (security concern related) sensitivity of the outbound transferred data, the data processor should not only share the information as of the date of the Assessment Report, but also should include its honest projection in the 2 years after the Assessment Report.
What are the requirements for the legal documents of the data outbound transfer?
- The legal documents can take the form of a Data Processing Agreement or clauses on data processing in the relevant contracts for the outbound transfer
- The legal documents in the filing do not need to be the executed version, but need to be an execution-ready version
- Once the China Standard Contractual Clause (the CN SCC) for data cross-border transfer is finalized, the data processors are expected to sign the CN SCC with the foreign data recipients. Since it is now only a draft for comment, data processors can use whatever that makes sense for them, although the CAC prefers that the data processors use the draft CN SCC for its convenience
- Whatever the form of the legal documents, the legal documents should cover the following:
- The purpose, methods, scope, usage and way of usage by the foreign recipient of the data outbound transferred
- The storage location and time period of the outbound transferred data, and the ways of disposal after the transfer purpose has been fulfilled or the termination/expiration of the legal documents for the outbound transfer
- The restrictions when the foreign recipients further transfer the outbound transferred data to third party recipients
- The proper security measures that should be taken against the situations where there is a change of control or change of business with the foreign recipients; any substantial change in the laws and regulations, as well as the cyber security environment; or the security of the outbound transferred data cannot be safeguarded due to force majeure
- The remedial measures, breach liabilities and security measures that should be taken when there is any breach of the obligations to protect the security of the outbound transferred data
- The emergency response requirements when the outbound transferred data have been tampered, sabotaged, leaked, lost, transmitted or illegally accessed or used; and the ways and methods for the data subjects to safeguard their personal information
What are the requirements for the Security Assessment Report?
- The Security Assessment Report should be a self-made report by the filling data processor, and the legal representative of the data processor should personally guarantee its truthfulness, accuracy, completeness and binding
- It should be made within three months of the filling. If the data processor uses any third party's service to complete certain part(s) of the Assessment Report, the data processor should disclose the information of the third party, the work conducted by the third party, and ask the third party to apply its company seal on the part of the Assessment Report that is completed by the third party or with the major devotion from the third party
- Other than the summary of the legal documents and the responses to the focus of the Security Assessment, among other things, the Security Assessment Report should also emphasize the background information of the data outbound transfer, including the businesses caused the data outbound transfer, the applications used for the data outbound transfer, the information of the data that are outbound transferred, and the foreign data recipient's data security capabilities
When another filing for the Security Assessment should be made?
- The Security Assessment has a valid term of two years. Upon expiration of the two years, if the data processor still meets the threshold for the Security Assessment, the data processor should submit another filing for the Security Assessment
- During the two-year term, the data processor should also make another filing if:
- There is any change, that may have impact on the security of the outbound transferred data or extend the storage term of the same, to the purpose, methods, scale and categories of the outbound transferred data; or, to the usage and ways of process of the foreign recipient
- There is any change, that may impact the security of the outbound transferred data, to the data security protection laws and regulations, the cyber security environment, force majeure, or change of control with the data processor or the foreign data recipient, or to the legal document for the outbound transfer of the data
- When another filing is required, the filing should be made in 60 days of the change or 60 days before the expiration
Can a data processor do nothing if it does not meet the threshold for the Security Assessment?
No. Whether the threshold is met should be based upon a serious assessment, not on rough estimate or speculation. The proof of a serious assessment is the Security Assessment Report. Therefore, a data processor should run a self-assessment and make a Security Assessment Report before March 2023 as its basis of its decision whether to make a Security Assessment filing.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.