China has been continuously strengthening and developing data security rules over the last decade. One of the hallmarks of this trend is increasing regulation over outbound cross-border data flows.
Against this background, the Cyberspace Administration of China (CAC) issued the Draft Measures for Security Assessment for Cross-Border Data Transfers (the draft measures) on 29 October 2021, open for public comment until 28 November 2021. The draft measures seek to implement the outbound data transfer provisions within the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, and other laws and regulations by focusing on the compliance procedures that entities should follow for outbound data transfers.
The draft measures show a stricter regulatory approach towards cross-border transfers of data. They set a security assessment trigger as low as the sensitive personal information of 10,000 people. Many companies expected higher thresholds, and multinational corporations (MNCs), which often use global systems to process customer and employee data, will likely be affected. As the draft measures require entities to conduct self-assessments before outbound data transfers, MNCs will also face uncertainty regarding their current outbound data transfers and whether future transfers can pass security assessments.
The draft measures have the purpose of regulating outbound data flows, protecting personal information rights and interests, safeguarding national security and public interests, and promoting the safe and free flow of data across borders.
The draft measures oblige entities that provide important data and personal information – collected and generated during their Chinese operations – to foreign recipients to conduct outbound data transfer security assessments. Entities must complete assessments before making transfers and continually monitor those arrangements.
An entity must declare outbound data transfers to provincial cyberspace administration authorities and seek security assessments by the CAC in the following circumstances:
- The personal information and important data were collected and generated by a critical information infrastructure operator.
- The outbound data contains important data.(1)
- The entity processes the personal information of at least one million people.
- The outbound transfers cumulatively involve the personal information of over 100,000 people or the sensitive personal information of over 10,000 people.
- Other situations in which the CAC requires a security assessment.
It is understood that many companies would prefer to see a rise in the threshold transfer volumes that trigger declarations.
Two types of assessment are described in the draft measures: self-assessments and security assessments by the CAC. An entity must submit the following materials to apply for a security assessment by the CAC:
- a written application form;
- a cross-border data transfer self-assessment report;
- the contract or other legally binding documents to be concluded between the entity and the overseas recipient; and
- any other materials required for the security assessment.
Both the self-assessment and the security assessment by the CAC involve the consideration of:
- the legality, legitimacy and necessity of the transfer and the purpose, scope and manner of data processing by the overseas recipient;
- the quantity, scope, type and sensitivity of the outbound data, and the risks the outbound data might pose to national security, public interests, and the legitimate rights and interests of individuals and organisations;
- whether the entity's management and technical measures and capabilities can prevent risks such as data leakage and destruction;
- whether the responsibilities and obligations undertaken by the overseas recipient, as well as its management and technical measures and capacity to fulfil those responsibilities and obligations, can guarantee the security of data leaving China;
- the risk, among other things, of leakage, destruction, falsification and misuse of data after export and retransfer, and whether individuals have smooth channels to safeguard their rights and interests in their personal information and other data;
- whether the contract related to outbound data flows adequately deals with data security protection responsibilities and obligations; and
- the destination country's laws and network security environment.
The CAC determines whether to accept a security assessment application within seven working days of receiving the application materials. Once an application is accepted, the CAC must complete the security assessment within 45 working days. That period may be extended in complicated cases or where supplementary materials are required, but it generally may not exceed 60 working days.
The security assessments by the CAC are valid for up to two years unless a triggering event occurs, in which case a new security assessment by the CAC is required. Triggers include changes to the factors upon which an outbound data transfer security assessment was made.
For further information on this topic please contact Samuel Yang at AnJie Law Firm by telephone (+86 10 8567 5988) or email ([email protected]). The AnJie Law Firm website can be accessed at www.anjielaw.com.
(1) Important data is a type of regulated data, the criteria and scope of which is still to be defined by the authorities.