The Cybersecurity Law ("CSL"), Personal Information Protection Law ("PIPL"), and Data Security Law ("DSL") of the People's Republic of China (the "PRC") introduced a security assessment of the outbound transfer of important data and personal information. The Cybersecurity Administration of China ("CAC") recently issued the Measures for Security Assessment of Outbound Data Transfers ("Data Security Assessment Measures")4 and the Guide to the Application for Security Assessment of Outbound Data Transfers (First Edition) ("Data Security Assessment Guidelines"),5 both of which took effect on September 1, 2022. The Data Security Assessment Measures and Data Security Assessment Guidelines specify under what circumstances a security assessment is required for outbound data transfers and how to apply for that security assessment. Data processors have until March 1, 2023 to address any past non-compliance. Companies should therefore review their current and past data transfer situations, identify and address any non-compliance, and undergo a data security assessment as needed.

Data Security Assessments Required for Certain Outbound Data Transfers

The Data Security Assessment Measures provide for the following three specific circumstances and a catch-all situation for mandatory data security assessment. The catch-all provision gives CAC discretion in deciding on the circumstances where data security assessment is needed.

  1. outbound transfer of important data by a data processor;
  2. outbound transfer of personal information by a critical information infrastructure operator ("CIIO") or a personal information processor that has processed personal information of more than 1,000,000 individuals;
  3. outbound transfer of personal information by a personal information processor that has made outbound transfers of personal information of 100,000 individuals cumulatively or sensitive personal information of 10,000 individuals cumulatively since January 1 of the preceding year; or
  4. other circumstances where an application for a security assessment of an outbound data transfer is required, as prescribed by the CAC.

As for the second circumstance above, it seems unclear whether there is a time period for calculating the number of individuals whose personal information is or have been processed by a personal information processor. Therefore, absent regulatory clarifications, personal information processors need to examine the entire history of their outbound data transfers and personal information processing to assess whether their activities trigger a data security assessment under the Data Security Assessment Measures.

The Data Security Assessment Guidelines state that the term "outbound transfer" includes activities in which a data processor transfers any data collected and generated in its operation within the PRC to an overseas recipient or allows any overseas entity, organization or individual to consult, retrieve, download or export such data. This scope covers a wide range of data management situations common to multinational companies, such as transmitting business data outside the PRC via email and File Transfer Protocol, maintaining centralized document management systems for global operations with servers hosted outside the PRC, and allowing overseas offices to access servers/databases in the PRC. Multinationals operating in the PRC should therefore carefully consider whether they fall within the categories of data processors subject to security assessments for outbound data transfers.

To assess whether a cross-border data transfer falls within the above-mentioned circumstances for mandatory data security assessment, it is important to understand the following definitions:

  • Important Data: The Data Security Assessment Measures define "important data" as "data that, once tampered with, destroyed, leaked, illegally obtained, or illegally used, may endanger national security, economic operation, social stability, public health and safety, etc."6 A national standard (Draft For Comments) dated January 7, 2022, Information Security Technology - Guideline For Identification Of Critical Data,7 provides further guidance on how to identify important data. Under the DSL, competent industry regulators are charged with formulating industry-specific catalogs of important data.8 In this regard, companies should closely monitor developments in industry-specific guidance in the PRC to determine whether their contemplated outbound transfers involve important data.
  • CIIO: Transfer of any personal information by a CIIO is subject to mandatory data security assessment. CIIO refers to an operator of the key network facilities and information systems in important industries and areas such as public telecommunication and information service, energy, transport, water conservancy, finance, public service, e-government and science and technology industry for national defense, which may seriously endanger the national security, national economy, people's livelihood and public welfare once they are subject to any destruction, loss of function or data leakage.9 The relevant industry regulators are tasked with informing an entity whether their network infrastructure or information system has been designated as "critical information infrastructure."10 Therefore, a data processor should have clear knowledge of whether it is designated as CIIO.
  • Personal Information and Sensitive Personal Information: The term "personal information" is broadly defined under the PIPL as "all kinds of information relating to any identified or identifiable natural person, whether it is in an electronic form or any other form, exclusive of any anonymized information."11 The term "sensitive personal information" is defined in Article 28 of the PIPL as "personal information, the leakage or illegal use of which may lead to violations of personal dignity of a natural person or harm to personal or property safety" and includes a data subject's biometrics, religious beliefs, health data, financial metrics, and travel records as well as any personal information of a minor under the age of 14.

Overview of Data Security Assessment

Self-Assessment

The Data Security Assessment Measures require that a data processor first conduct a self-assessment of its contemplated outbound data transfer and prepare a self-assessment report.12 According to Article 5 of the Data Security Assessment Measures, a data processor should focus the self-assessment on the following factors:

  • the legality, legitimacy, and necessity of the outbound data transfer and the data processing by the overseas recipient in terms of purpose, scope, and method;
  • the quantity, scope, type, and sensitivity of the outbound data, and the risks that may be brought about by its transfer to national security, the public interest, or the lawful rights and interests of individuals or organizations;
  • whether the responsibilities and obligations undertaken by the overseas recipient and the management, technical measures, and capabilities of the overseas recipient to perform such responsibilities and obligations can ensure the security of the outbound data;
  • the risk of the outbound data being tampered with, damaged, leaked, lost, relocated or illegally acquired or used during and after the outbound data transfer;
  • whether the channels for individuals to safeguard their personal information rights and interests are unobstructed; and
  • whether data security protection responsibilities and obligations are sufficiently stipulated in the contract or other documents with legal force to be executed with the overseas recipient in relation to the outbound data transfer; and other matters that may affect the security of the outbound data transfer.

It is critical that data processors conduct a comprehensive and independent self-assessment so that they are prepared for the CAC's data security assessment. Companies should ensure that their compliance and IT function has the necessary staff, resources and mandate to conduct a self-assessment.

Application Process for Data Security Assessment and Timing

Once a self-assessment is completed, a data processor must submit application materials for the security assessment, which will be reviewed by both the provincial and national levels of the CAC. The provincial level CAC will first review the completeness of the security assessment application within 5 working days of receiving the application materials.13 If the provincial level CAC considers the application materials complete, it will forward them to the national level CAC.

The national level CAC will decide whether to accept the application materials within 7 working days of the date of receipt.14 If the national level CAC accepts the materials, they will complete the security assessment of those materials within 45 working days from the date of the data processor's written notification of acceptance and shall notify the data processor of the assessment results in writing. The review period can be extended as appropriate.15 If the data processor has any objections, it can file a request for reassessment to the national level CAC within 15 working days.16 The Data Security Assessment Measures state that the reassessment decisions are final.17

The assessment outcome of an outbound data transfer will be valid for two years. If key factors relevant to the data security assessment change, a data processor will likely need to reapply for a security assessment.18 This means that companies should continuously assess and monitor their outbound data transfers and prepare to reapply for an assessment if needed.

CAC’s Data Security Assessment

The Data Security Assessment Measures set out factors considered by the CAC when reviewing application materials. Along with the above factors in connection with self-assessment, the CAC will consider whether data processors comply with PRC laws, administrative regulations, and departmental rules. The CAC will also consider the impact of the data security protection policies and legislation and cybersecurity environment of the country or region where the overseas recipient is located, and whether the data protection level of the overseas recipient meets the laws, administrative regulations, and mandatory national standards of the PRC.19

Legal Consequences

Article 18 of the Data Security Assessment Measures provides that any violation shall be dealt with according to the CSL, the DSL, and the PIPL. This means that violations may result in administrative, civil, and criminal penalties.20

Grace Period

For outbound data transfer activities conducted before September 1, 2022, Article 20 of the Data Security Assessment Measures gives data processors a six-month grace period to remedy any non-compliance by March 1, 2023.

Conclusion

The Data Security Assessment Measures and Data Security Assessment Guidelines send a clear message to companies that the PRC is committed to implementing the security assessment mechanism outlined in the CSL, PIPL, and DSL. In view of the six-month grace period, companies are advised to consider the following:

  • Assess their outbound data transfer activities and evaluate their obligations and associated risks based on a review of their operations (e.g., whether and to what extent they process personal information,) and the type of data that have been or are to be exported (e.g., whether it is "important data" or "personal information");
  • Take concrete steps to ensure that their compliance and IT functions have the necessary staff, resources, and mandate to conduct and record the self-assessment process and take remedial actions as appropriate;
  • Evaluate their data privacy policies and practices and conduct self-assessments as soon as possible to provide room for remediation and adjustments; and
  • Monitor the development of any further implementing regulations or industry-specific guidance related to the Data Security Assessment Measures and Data Security Assessment Guidelines.