On July 7, 2022, the Cyberspace Administration of China (the "CAC") formally promulgated the Measures for Security Assessment of Cross-border Data Transfers (the "Assessment Measures"), which specify and implement the provisions on data export in accordance with Article 37 of the Cybersecurity Law of the People's Republic of China (the "CSL"), Article 31 of the Data Security Law of the People's Republic of China (the "DSL"), and Articles 36, 38, and 40 of the Personal Information Protection Law of the People's Republic of China (the "PIPL"). The Assessment Measures generally continue with strict supervision toward data exports and adopt the institutional framework proposed in the Measures for Security Assessment of Cross-border Data Transfers (Draft for Comment) (the "Draft Assessment Measures"), issued by the CAC on October 29, 2021, but relaxed provisions are also found in their details. In this newsletter, we briefly analyze the main contents of the Assessment Measures and highlight notable key issues and potential challenges.
Defining the "export of personal information and important data"
According to Article 2 of the Assessment Measures, the applicable data export activities are those in which data handlers provide to overseas recipients important data and personal information collected and generated in the course of their operations within mainland China. In addition, the export of de-identified personal information also falls within the scope of the Assessment Measures, in accordance with the definition of personal information stipulated in Article 4 of the PIPL.
As for understanding the "export of personal information and important data", in line with the CAC's accompanying press briefing [1] we summarize the applicable data export activities under the Assessment Measures into two categories: (i) cross-border transfer and storage of data collected and generated in mainland China; and (ii) storing data collected and generated in mainland China domestically, but granting overseas institutions, organizations, and individuals the right to access and use such data.
In addition, significant concerns have been raised as to whether the Assessment Measures apply to the circumstances stipulated by Article 3.2 of the PIPL, i.e., whether overseas entities' direct collection of personal information from domestic personal information subjects is subject to a cross-border data transfer security assessment ("Security Assessment"). The Assessment Measures do not clearly address this issue, and it needs to be further clarified in subsequent supervisory practice. However, on a systematic interpretation, we tend to take the view that, for personal information, "export" in the Assessment Measures refers only to circumstances where domestic personal information handlers export personal information in accordance with Chapter III of the PIPL. In other words, an overseas entity may not be required to undergo a Security Assessment under the Assessment Measures in order to directly collect personal information from domestic personal information subjects. In view of the uncertainty in the application scope of the Assessment Measures, it is advisable for relevant enterprises to pay close attention to regulatory developments and to consider obtaining a personal information protection certification when collecting personal information directly from domestic personal information subjects, in accordance with the Practice Guidelines for Cybersecurity Standards - Technical Specifications for the Certification of Personal Information Cross-border Processing, officially issued by the Secretariat of the National Information Security Standardization Technical Committee on June 24, 2022.
Circumstances subject to the application for Security Assessment
Article 4 of the Assessment Measures specifies four circumstances subject to the Security Assessment, which are:
- data handlers who export important data;
- critical information infrastructure operators or personal information handlers who export personal information and have processed the personal information of at least 1 million individuals;
- data handlers who have cumulatively exported personal information of at least 100,000 individuals or sensitive personal information of at least 10,000 individuals since January 1 of the previous year;
- other circumstances where an application for Security Assessment is required as prescribed by the CAC.
The following are key points for these applicable circumstances.
I. All exports of important data are subject to the Security Assessment [2]
According to Article 31 of the DSL, the CAC is entitled to formulate regulations for the export of important data. Accordingly, Article 4 of the Assessment Measures requires all circumstances where data handlers export important data to be subject to an application for Security Assessment, which indeed broadens the application scope of Security Assessment with respect to important data exports stipulated by Article 37 of the CSL.
II. The thresholds for determining personal information exports are limited to a maximum of two years
Overall, the Assessment Measures follow the cumulative thresholds proposed by the Draft Assessment Measures for determining the quantities of personal information processed or exported. However, the export thresholds of personal information of 100,000 individuals and sensitive personal information of 10,000 individuals are counted on a rolling basis from January 1 of the previous year. In other words, the thresholds are determined over a period of at most two years, and these quantities are not accumulated on a perpetual basis. This will reduce compliance costs for small businesses whose quantities of exported personal information are relatively small.
Relationship between local storage and the Security Assessment
Controversy exists as to whether enterprises are required to localize their personal information in China under Article 40 of the PIPL if they meet one of the thresholds for processing or exporting personal information under the Assessment Measures. We take the view that, although the Assessment Measures do not explicitly mention a localization requirement, Article 40 of the PIPL expressly stipulates that "critical information infrastructure operators" and "personal information handlers who process personal information that meets the threshold prescribed by the CAC" are required to perform two data export obligations, namely "local storage" of personal information collected and generated in China and passing a "Security Assessment" when it is indeed necessary to export such data. Therefore, theoretically, localization is in essence a mandatory obligation, prior to export, of enterprises that meet the quantity threshold. In addition, local storage also helps competent authorities to carry out more efficient supervision of data security. However, considering the low quantity threshold set by the Assessment Measures, it remains to be seen in practice whether the competent authorities will strictly require "local storage" as a condition of passing the Security Assessment. Because of the lengthy Security Assessment process and the uncertainty of its results, data localization (i.e., local storage and avoidance of data exports) may become an option forced upon many enterprises.
[1] CAC's accompanying press briefing published on July 7, 2022; for more details please refer to: http://www.cac.gov.cn/2022-07/07/c_1658811536800962.htm (last accessed on July 8, 2022).
[2] According to Article 19 of the Assessment Measures, important data are data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and safety, etc. The Assessment Measures do not list specific types of important data, so the identification of important data still needs to be clarified in accordance with other laws, regulations and standards. Under the DSL, each region or department is responsible for formulating a specific catalog of important data for its own region, department, and relevant industries and fields. The National Information Security Standardization Technical Committee has been formulating relevant national standards since 2020, and the Information security technology - Guideline for identification of critical data (Draft for Comments) had been reviewed and revised over several rounds as of January 7, 2021; it will provide principal guidance for the formulation of specific catalogs of important data in each region and department. Among industry regulations, the Several Provisions on Automotive Data Security Management (Trial Implementation), which apply to the automotive industry, define important data (involved in the process of automobile design, production, sales, use, operation and maintenance) as data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, public interest or the legitimate rights and interests of individuals and organizations, and
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.