Transferring Data Outside of China: New Security Assessment Regulations Businesses Need to Know
The Cyberspace Administration of China (CAC) released the draft Security Assessment Measures for Cross-Border Data Transfers (the Draft Security Assessment Measures) for public comment on October 29, 2021 – shortly before the effective date of the Personal Information Protection Law (PIPL), November 1, 2021.
The three pillars of China’s cybersecurity and data law – the Cybersecurity Law (CSL, in force since June 1, 2017), the Data Security Law (DSL, effective September 1, 2021), and the PIPL – all impose some restrictions on cross-border data transfers and, in certain situations, require a government security assessment as a precondition for transferring data abroad.
The Draft Security Assessment Measures provide some clarity on the questions discussed in this article.
Who should do a security assessment?
- Operators of critical information infrastructures (CIIs);
- Any entity that transfers “important data” outside of China;
- Any processor of personal information that processes personal information of 1 million persons or more;
- Any entity that has provided aggregate personal information of more than 100,000 individuals, or sensitive personal information of 10,000 individuals outside of China; and
- Other circumstances prescribed by the CAC.
As mentioned in our previous article, “‘Am I a CII Operator?’ – New Regulations in China Provide More Clarity”, companies will be notified if they are identified as CII operators. However, the exact scope of “important data” remains unclear.
What does the assessment process look like?
Before transferring data outside of China, a company must conduct a risk self-assessment. After the self-assessment, it submits an assessment application to the CAC together with, among other things, an application letter, the self-assessment report and the contract to be concluded with the overseas recipient.
The CAC will decide within 7 working days whether to accept the application. If accepted, the application will be approved (or rejected) within 45 working days in ordinary cases or within 60 days in complicated cases.
What are the assessment criteria?
The Draft Security Assessment Measures aim to protect individual rights and interests, safeguard national security and public interests, and promote the secure and free flow of data across borders. When assessing a data transfer application, the CAC considers several factors, including:
- the legality, appropriateness and necessity of the purpose, scope and method for such cross-border data transfer;
- the data security policies and laws and cybersecurity environment of the recipient country/region;
- whether the recipient meets the protection standards established by Chinese laws, regulations and mandatory national standards;
- the amount, size, types and sensitivity of the data transferred;
- the risks of leakage, tampering, loss, destruction, transfer, illegal access or misuse during and after transfer; and
- whether the data transfer agreement contains adequate provisions on obligations and responsibilities to protect data security.
What should a data transfer agreement contain?
A data transfer agreement for security assessment must contain:
- the purposes and methods of the transfer, the extent of the data transferred, the data processing purposes and methods of the overseas recipient;
- the location and period of data storage outside of China, the measures to be taken after the storage period or after the contract term has expired or the processing purposes have been fulfilled;
- restrictions on the transfer of such data by the overseas recipient to other parties;
- security measures to be taken when the control or business scope of the recipient, or the legal environment in the recipient’s country/region, changes;
- liability for breach of security obligations and binding and enforceable dispute resolution clauses; and
- emergency response plans and channels through which individuals can protect their rights and interests.
The Draft Security Assessment Measures do not prescribe a set of standard contractual clauses to be entered into by the security assessment applicant. It appears that the applicant will have some flexibility to determine the form and content of its own data transfer agreement with the recipient.
However, we still expect the CAC to publish a standard data transfer agreement for data handlers who are not subject to the government security assessment under the Draft Security Assessment Measures (i.e., companies that are not CII operators and do not process “important data” or large amounts of personal information). Those companies can rely on the standard data transfer agreement, once published, as a legal basis for transferring data abroad without applying for and completing the government security assessment.
What happens after the CAC completes the assessment?
The CAC approves or denies the data transfer request based on the results of the security assessment. The approval is valid for 2 years. Companies should reapply for approval at the end of the validity period or if there is a material change in the relevant circumstances (e.g., transfer purposes, scope of data transferred, legal environment in the recipient’s country or control of the applicant or recipient).
When will the draft security assessment measures take effect?
The current draft is open for public comment until November 28, 2021. After that, the CAC will review the comments received and may revise the Draft Security Assessment Measures. There is no published timeline for when the measures will be finalized or come into effect.
Uncertainties remain about various aspects of the security assessment regime (e.g., what time period will be used to calculate the total amount of personal information a company has transferred outside of China?). Whatever the final assessment thresholds, the Draft Security Assessment Measures have sent a clear message: companies reaching the thresholds should expect regular, case-by-case government assessments in China if they intend to transfer data outside of China. As such, if they have not already done so, companies should begin reviewing their data practices in China to assess their risk levels.
We will continue to monitor future developments and provide further updates.