On September 1, 2022, the Security Assessment Measures for Outbound Data Transfers (Measures) issued by the Cyberspace Administration of China (CAC) came into effect. The Measures supplement the provisions on data security assessments set forth in the Personal Information Protection Law and other relevant laws. On August 31, 2022, the CAC also released the first edition of the Guidelines for Declaration of Security Assessment for Data to Be Transmitted Abroad (Guidelines), which also came into effect on September 1, 2022, and provide more guidance on the declaration for security assessment under the Measures.

Application Scope

The Measures apply to the security assessment of critical data and personal information collected and generated by a data processor in its operation within the territory of China. According to the Measures, a data processor is now required to declare the relevant information to the CAC for the security assessment of the outbound data transfer in the following circumstances:

  1. Where a data processor provides critical data abroad ("critical data", as defined in Article 19 of the Measures, is data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, the economic operation, social stability, public health and security, etc.);
  2. Where a data processor is a key information infrastructure operator, or processes the personal information of more than 1,000,000 individuals;
  3. Where a data processor has provided abroad the personal information of 100,000 individuals or the sensitive personal information of 10,000 individuals in total since January 1 of the previous year; and
  4. Other circumstances prescribed by the CAC for which a declaration for security assessment for outbound data transfer is required.

In addition to the activities as of the September 1, 2022 effective date, the Measures also apply retroactively to activities prior to September 1, 2022, and data processors are required to rectify any activities that are not in compliance with the Measures within the six-month period preceding September 1, 2022.

Outbound Data Transfers

The Guidelines define an outbound data transfer to be any of the following circumstances:

  1. Where a data processor transfers or stores abroad data collected or generated during its operation within the territory of China;
  2. Where the data collected and generated by a data processor is stored within the territory of China, but overseas institutions, organizations or individuals are able to find, retrieve, download or export the data; and
  3. Any other activity of outbound data transfer as stipulated by the CAC.

Security Assessment Procedure

The procedure for conducting a data security assessment under the Measures includes the following:

  1. The data processor must conduct a self-assessment before declaring to the CAC for the security assessment. The self-assessment report is one of the required materials in the declaration to the CAC. A template of the self-assessment report can be found in the Guidelines.
  2. The data processor shall submit the following materials to the CAC via the cyberspace authority at the provincial level: (1) the declaration form, (2) the self-assessment report on the risks of the outbound data transfer, (3) underlying legal documents (relevant contract on the data or other legally binding documents) to be concluded by the data processor and the overseas recipient, and (4) other materials necessary for the security assessment.
  3. The cyberspace authority at the provincial level determines whether the materials are complete within five business days upon receiving the materials, and if the materials are complete, sends them to the CAC.
  4. The CAC notifies the data processor of whether the materials are accepted within seven business days upon receiving the materials. If the materials are accepted, the CAC organizes the relevant departments of the State Council, the cyberspace administration at the provincial level and the specialized institutions to conduct the security assessment, which shall be completed within 45 business days after the CAC issues the written notification of acceptance. The 45-day review period may be extended if the situation is complicated or if any supplementary or corrected materials are necessary.

Thus, the process is supposed to take no more than 57 business days in total from the data processor's submission of the materials, provided that the materials meet all requirements and the CAC's review period is not extended.

Key Points of Security Assessments

The self-assessment by the data processor and the assessment by the authorities under the Measures have a few key elements in common, including:

 

Re-assessment

Data processors will be informed of the result of any security assessment in writing, and a passing result is valid for two years. Re-assessment is required when the result is to expire within 60 days, or in any of the following circumstances:

  1. The purpose, method, scope and type of the outbound data transfer, or the purpose and method of data processing by the overseas recipient have changed, affecting the security of the data provided abroad, or extending the period of storage of personal information and critical data abroad;
  2. The security of the data provided abroad is affected due to changes in the data security protection policies or regulations or the cybersecurity environment of the country or region where the overseas recipient is located, any other force majeure event, or any change in the actual control of the data processor or the overseas recipient, or any change in the legal documents between the data processor and the overseas recipient; and
  3. Any other circumstance affecting the security of the data provided abroad.