Summary：This note examines the emerging lifecycle for China’s cross-border data transfer (data export) compliance work, under a framework sketched out in the Measures for Cross-border Data Transfer Security Assessment (Exposure Draft), as well as related provisions in the Regulation on Network Data Security Administration (Exposure Draft). Broadly, the compliance lifecycle consists of 3 phases: (i) pre-export risk self-assessment; (ii) for special categories of data export, security assessment organized by the Cyberspace Administration of China (CAC); and (iii) post-export filing of data export security annual report. Throughout the lifecycle, there are ongoing self-management activities, as well as supervisory activities such as CAC inspection, reporting by whistle-blowers, and/or personal information rights advocacy by the relevant societal associations or the People’s Procuratorate.
In China, the Cybersecurity Law (hereinafter “CSL”), the Data Security Law (hereinafter “DSL”) and the Personal Information Protection Law (“hereinafter “PIPL”, together with the CLS and the DSL, the “Three Pillar Laws”) have sketched out a regulatory framework for cross-border data transfer, underpinned by a system which integrates ex-ante security assessment, ex-post monitoring, and ongoing supervision, with emphasis on the protection of important data and personal information.
On 29 October 2021 (3 days before the PIPL took effect), the Cyberspace Administration of China (hereinafter the “CAC”) released an exposure draft of the Measures for Security Assessment of Cross-border Data Transfer (hereinafter the “Draft Measures”). Sixteen days later (on November 14), the CAC released an exposure draft of the Network Data Security Administration Regulation (hereinafter the “Draft Regulation”, together with the “Draft Measures”, the “Draft Implementing Legislations”). The Draft Regulation devotes an entire Chapter 5 (Articles 35-42) to cross-border data transfer security administration.
Currently, moving domestic data across Chinese border is already subject to the security administration requirements under the Three Pillar Laws. The Draft Implementing Legislations aim to flesh out the skeletal requirements of the Three Pillar Laws, and lay out the substantive and procedural steps for PRC data export (formally termed “cross-border data transfer”), thus evolving China’s nascent framework of Data Export Security Administration (hereinafter the “DESA”).
Companies doing business in China or with Chinese counterparties should familiarize themselves with the lifecycle of data export compliance under the upcoming DESA framework, and be ready to timely deploy additional compliance measures in anticipation of its official implementation. On Nov. 9, 2021, we shared a note entitled Another Stripe on China’s Data Compliance Latticework? -- Highlights of the Draft PRC Data Export Security Assessment Measures (hereinafter “Note 1”). In this second note, we share a preliminary roadmap for the key data export compliance lifecycle phases, as reflected in both the Draft Regulation and the Draft Measures.
- Phases 1: PERSA – Pre-Export Risk Self-Assessment
The Draft Measures envisions a two-pronged ex-ante assessment regime, requiring a pre-export risk self-assessment (hereinafter the “PERSA”) by all exporters of personal information or important data (with certain exemptions), followed by a CAC organized security assessment when certain conditions are triggered (Draft Measures, Article 3). A qualified cross-border data transfer requires the data exporter to first conduct a PERSA; further, if the data export falls under one of the prescribed circumstances (See Phase 2 below), the data exporter should apply for a CAC-organized security assessment (hereinafter the “COSA”) upon completion of the PERSA (Draft Measures, Article 6).
The PERSA can be conducted by the data exporter itself or an entrusted third party and shall cover the following aspects (Draft Measures, Article 5):
- The legality, propriety and necessity of the purpose, scope, manner, etc., of the cross-border transfer and the overseas recipient’s data processing activities;
- The volume, scope, category, and sensitivity level of the data concerned, as well as the risks that the data export may impose on national security, public interests, and the lawful rights and interests of individuals or organizations;
- Whether the data processor’s organizational and technical capabilities can prevent risks, such as data leakage, destruction, etc. that might occur in the course of transfer;
- Whether the overseas recipient’s committed accountability, its organizational and technical measures, capabilities etc. could safeguard the security of the data exported;
- The risks of leakage, destruction, alteration, and misuse, etc., after the data export and after any onward transfer, and whether there are effective channels for individuals to seek redress with respect to their personal information rights and interests, etc.; and
- Whether the data export contract concluded with the overseas recipient adequately provides for data protection obligations.
While the Draft Implementing Legislations have yet to become effective, Articles 55 and 56 of the PIPL already impose a form of PERSA requirement on exporter of personal information through the mechanism of “Personal Information Protection Impact Assessment”. In addition, Article 37 of CSL requires that a security assessment organized by the CAC be conducted before a critical information infrastructure operator is to transfer abroad any important information or personal information collected or generated from its operation in China.
Article 4 of the Draft Measures specifies the circumstances where a data processor engaging in cross-border transfer shall apply for a COSA. Such circumstances include:
- Personal information and important data collected and generated by a critical information infrastructure operator;
- The dataset concerned contains important data;
- The export of personal information by a processor who processes the personal information of over 1 million people;
- On a cumulative basis, export of the personal information of more than 100,000 people or the sensitive personal information of more than 10,000 people; and
- Other circumstances prescribed by the CAC.
It is noteworthy that Article 37 of the Draft Regulation does not include the cumulative volume thresholds regarding personal information and sensitive personal information (Item 4 above) in the list of COSA triggering items; however, it does grant to the CAC the power to prescribe “other circumstances” which will trigger COSA. It remains to be seen whether a future version of the Draft Measures will keep or further revise the two cumulative volume thresholds.
For specific COSA steps and requirements, please refer to Highlight 4 of Note 1.
- Phase 3: DESAR – Data Export Security Annual Report
According to Article 40 of the Draft Regulation, an exporter of personal information or important data shall prepare a Data Export Security Annual Report (hereinafter the “DESAR”) and file with the cyberspace authority by January 31 of each year. The DESAR shall cover the following aspects of the filer’s data export activities in the previous year:
- the names and contact information of all data recipients;
- the type, volume and purpose of the data export;
- the overseas storage location of the data, the storage period, and the scope and mode of use;
- user complaints concerning the exported data and the handling of such complaints;
- the occurrences of data security incidents and their dispositions;
- situations involving post-export onward transfers of the data concerned; and
- other matters concerning data export which require reporting, as specified by the State cyberspace authority.
- Throughout the Lifecycle: Self-management and Ongoing External Supervision
According to Article 39 of the Draft Regulation, A data processor shall fulfill a series of obligations in connection with its data export activities, such as ensuring that the purpose, scope, manner and type and volume of data export are compliant with those specified during the PERSA or COSA (as applicable) process; supervising the data recipient to comply with the DESA requirements; properly responding to and addressing user complaints; cooperating with CAC in its DESA enforcement activities; and ensuring there is prior agreement with data subjects concerning any onward data transfer, etc.. Where the CAC or a competent authority conducts a data export security inspection, the data exporter is required to take a series of measures to assist in the inspect work (Draft Regulation, Article 57).
For a data exporter subject to COSA, if the CAC has found that a previously cleared data export activity no longer meets the relevant security management requirements, it will revoke the security assessment result. In such case, the data processor shall terminate the data export activity, conduct rectification as required, and re-apply for COSA after completing such rectification (Draft Measures, Article 16). The Draft Legislations also provide for a whistleblowing mechanism, enabling employees, customers, suppliers, and business partners, etc. to file complaints or reports (Draft Measures, Article 15); in addition, the People’s Procuratorate, personal information protection industry associations and consumer protection organizations may advocate for large group of individuals whose personal information rights are infringed by a data exporter (Draft Regulation, Article 59).
- Our Observations
China’s nascent DESA framework has the core objective of ensuring that enterprises’ data export activities do not endanger national security, public interest, and the information rights of individuals and organizations in China. Therefore, with the fast evolving regulatory and technological development, the application scope of DESA can potentially be fairly broad and enforcement practices will remain in a state of flux for a period of time.
Failure to effectively formulate, implement and monitor data export compliance steps can create significant legal exposure. Depending on the level of severity, non-compliance could subject the data exporter to various monetary penalties (up to RMB 10 million) and operational penalties, ranging from rectification order to revocation of business license. The officer directly in charge and other responsible personnel could also face a monetary fine of up to RMB 1 million for egregious non-compliance. (DSL, Article 46; Draft Regulation, Article 64). Where the data export noncompliance coincides with a violation of any of the Three Pillar Laws, more severe liability could be imposed under such law.
Once the Draft Implementing Legislations are enacted, fulfilling the regulatory requirements will be more challenging for those data processors (especially multinational companies with China operations) who do not have adequate visibility of their data outflow activities and lack safeguards against the associated pitfalls. Thus, we suggest that companies with existing or potential data export scenarios be proactive in getting ready to take appropriate compliance steps. Some of the steps may include:
- Conduct internal review of applicable data export and processing scenarios, and subsequently identify corresponding compliance requirements with respect to personal information and important data (if applicable);
- For companies handling important data and certain types of personal information, it is prudent to consider establishing a localized storage system;
- Companies may also further review their cross-border data transfer policies, procedures, and processes, benchmarked against the DESA requirements;
- Carry out PERSA according to the likely requirements under the DESA framework;
- Review and update data security protection obligations in contracts concluded with overseas recipients;
- For companies whose data export activities may trigger COSA, it is important to start ramping up the internal data export compliance systems, so as to shorten the COSA assessment time.