The concept of security assessment for cross-border data transfer was first seen in Article 37 of the PRC Cybersecurity Law taking effect as of June 1, 2017 and only applied to the so-called critical information infrastructure operators (“CIIOs”) exporting personal information (“PI”) and important data generated or collected within China. Reiterated by the Data Security Law taking effect as of September 1, 2021 (“DSL”) and the Personal Information Protection Law taking effect as of November 11, 2021 (“PIPL”), this concept has been further extended and has become a statutory pre-requisite for PI export not only by CIIOs but also by non-CIIOs. However, after the promulgation of the DSL and the PIPL, its exact scope of application remained unclear, and the absence of details on the implementation of the PIPL made it difficult for companies to follow. Ambiguities under the laws also gave many international companies a good reason to take a “wait and see” strategy in managing their data protection compliance in China.
However, such a passive strategy will no longer work after the promulgation of the Security Assessment Measures for Cross-border Data Transfer (“Measures”) by the China Administration of Cyberspace (“CAC”), which will take effect as of September 1, 2022, as these Measures now substantiate the scope and details of data export security assessment. More importantly, the Measures explicitly set a six-month grace period until March 31, 2023 for affected companies to complete their data export security assessments. The explicit deadline obliging companies to become compliant also indicates the tendency of the Chinese regulators to take a tougher stance on data export control, which could substantially affect international companies whose business can hardly operate without cross-border data transfer. More details on the Measures are provided below.
In response to the unclear application scope of security assessment under the existing laws, Article 4 of the Measures specifies that the security assessment shall be mandatory if:
- the data handler exports important data;
- the data handler exporting PI qualifies as a CIIO or processes PI of more than one million individuals;
- on an accrued basis and since January 1 of the preceding year, the data handler has transmitted outside China the PI of more than 100,000 data subjects (or the sensitive PI of more than 10,000 data subjects); or
- other circumstances as prescribed by the CAC.
The quantitative thresholds mentioned above provide a clearer picture for PI export that can be more easily followed. Although the PI-related thresholds may seem less relevant for businesses not rich in PI (e.g. traditional manufacturers), the important data criterion mentioned above exposes them to the same data export security assessment, and the concept of managing “important data” is quite tricky under the current legal framework. The DSL and the Measures only provide a very general definition of important data, while the exact and implementable scope remains unclear. Based on our observations, hi-tech companies or those with extensive R&D activities should pay particular attention to the topic of important data, which could become highly relevant in the context of the Measures. So far, this concept has been defined in more detail only in a very limited number of areas (e.g. the Trial Version Provisions on Automotive Data Security Management taking effect as of October 1, 2021). It remains to be seen whether the Chinese regulators will accelerate the development of more detailed and usable guidance on the scope of important data to facilitate the implementation of the Measures.
Articles 6 and 8 of the Measures outline the general methodology (i.e. the areas to be examined, including the respective assessment criteria) applicable to a data exporter (when conducting a self-assessment) and to the regulator (when conducting an official assessment based on the results of the data exporter’s self-assessment). On the one hand, the assessment criteria include objective criteria, such as whether the data protection competence of the overseas data recipient satisfies the PRC legal requirements including mandatory national standards. On the other hand, they also include a number of subjective criteria, such as whether data security or data subjects’ rights can be “fully and effectively” guaranteed, and whether the responsibilities and obligations for data security are “fully” agreed in the legal documents to be concluded between the data exporter and the overseas recipient. It can be difficult for companies to navigate these subjective criteria, as the Chinese regulators obviously have wide discretion to interpret their exact meaning in an assessment case. More predictable details need to be worked out through implementation, and companies should consider using the fixed six-month grace period to seek clarification from the concerned authorities where necessary.
Revisiting Your Data Protection Agreement (DPA)
Due to the absence of Chinese standard contractual clauses (SCCs), many companies have been relying on their existing GDPR-based contractual templates to regulate data export topics. This quite often goes with the misconception that the GDPR, the golden rule of privacy protection, is good enough for the PRC, where data protection is just a new topic attracting attention in recent years. Such a misperception should be corrected now, particularly because:
(i) the Chinese SCCs are expected to be rolled out soon (see our previous article on this topic);
(ii) GDPR-based templates focus on the perspective of EU data export to China (i.e. protection of European interests), which contradicts the intention of the Chinese data export control to protect Chinese interests, let alone that certain concepts like legitimate interests have no basis under Chinese laws; and
(iii) the concept of “important data” does not exist under the GDPR but is an indispensable aspect to be addressed and managed under a Chinese data export arrangement.
The application scope of the Chinese SCCs is limited and appears to be supplementary to that of the Measures. This means it is possible for companies to conduct a security assessment under the Measures through a contractual arrangement that is not based on the Chinese SCCs, e.g. a DPA based on the GDPR and adapted to Chinese laws. Should this approach be taken, companies should review their existing DPAs carefully against the mandatory requirements under Article 9 of the Measures, which include at least:
- the purpose and method of the data export, the scope of the concerned data, and the purpose and method of the processing of the data by the overseas recipient;
- the retention place and period of exported data, as well as the handling measures for the exported data after the retention period expires, the agreed processing purpose is completed, or the DPA is terminated;
- the restrictive requirements on the overseas recipient's re-transfer of the exported data to other organizations and individuals;
- the security measures to be taken by the overseas recipient when its actual control or business scope has changed substantially, when the data security protection policies and regulations or the cybersecurity environment of the country or region where the overseas recipient is located have changed, or when any other force majeure event occurs under which data security cannot be ensured;
- the remedial measures, liability for breach of contract and dispute resolution in the event of violation of data security protection obligations agreed in the DPA; and
- the emergency measures to be taken when the data provided abroad is at risk of being altered, destroyed, divulged, lost, transferred, illegally obtained or illegally used, as well as the ways and methods to protect data subject’s rights.
Although many of the above requirements, which are still quite general, may already be covered in your DPAs, their adequacy will be subject to scrutiny by PRC regulators, and a more stringent interpretation may then apply. Nevertheless, they provide more clarity than previously available and are a good basis for revisiting your existing contractual arrangements.
Continuous Compliance Monitoring
The Measures also emphasize the on-going compliance monitoring of data exporters, and such compliance will be closely overseen by the regulators. Article 17 of the Measures stipulates that if the regulator finds that an existing security assessment is no longer sustainable, e.g. because the statutory requirements are no longer consistently satisfied due to a change in processing activities, the regulator has the power to require an immediate suspension of the data export and a new security assessment before the data export may continue.
The wording of the Measures indicates that the CAC will play a more active role in enforcing its rules, including the Measures. It is foreseeable that the CAC will conduct more frequent checks and investigations, which further means that the security assessment itself is not meant to be a purely “formalistic step”, and companies need to make constant efforts to keep their data export activities compliant in substance. Any change in a cross-border business process (which in reality is hardly avoidable) may have an impact on data export compliance and will need to be monitored and reviewed in a timely manner. This is only doable when data compliance has a high priority on the agenda of the management team, which quite often is not the case, particularly when the business is under pressures like those caused by COVID-19.
* * *
In general, the Measures provide a clearer picture of the topic of data export security assessment under Chinese law. It is challenging to meet the six-month grace period, as there are still quite a few ambiguities. To better manage this, it is highly recommended to revisit your global data protection strategy and consider the following steps in your data compliance exercise in China:
- change the “wait and see” attitude and the “GDPR centralized” mindset;
- revisit your data inventory regarding China and have in place a good data classification system reflecting statutory requirements so as to better assess if and how the Measures will apply to your case;
- gain the required expertise and ramp up for the data export security assessment, particularly the self-assessment, and urge the organization to be prepared for and adapt to the regulatory challenges brought by the rapidly evolving Chinese data protection regime.