The Measures for Security Assessment for Outbound Data Transfer (“Measures”) issued by the Cyberspace Administration of China (“CAC”) came into force on September 1, 2022. The Measures is an implementation regulation intended to supplement the Cybersecurity Law issued in 2016, the Data Security Law issued in 2021, and the Personal Information Protection Law (“PIPL”) issued in 2021. Its purpose is to protect personal information rights and interests, national security, social and public interests as well as clarify the specific requirements of cross-border data transfer.
1. Scope
Applicability
Once critical data and personal information generated and collected in PRC are to be provided abroad, the Measures will be applicable. Cross-border transfer means that, foregin subjects can access the above data or information, whether or not the data or information is stored in PRC or overseas. For example, access to personal information of domestic entity’s employees by foreign management of the foreign parent company of the domestic entity will qualify as cross-border transfer of personal information.
Critical Data
Critical data has been identified according to the harmful consequences, i.e., data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and security, etc. The subject of critical data assessment extends from operators of critical information infrastructures to all data processors.
Personal Information
Personal information in need of security assessment include: (i) a critical information infrastructure operator provides personal information abroad; (ii) a data processor processing the personal information of more than one million individuals transfers personal information abroad; (iii) a data processor has cumulatively transferred abroad personal information of 100,000 individuals or sensitive personal information of 10,000 individuals since January 1 of the previous year.
2. Assessment Progress
A data processor shall not only declare security assessment for an outbound data transfer but also conduct self-assessment. Self-assessment is the pre-procedure of the declaration of security assessment. Whether or not the data processor will make the final declaration to the relevant authorities, it shall complete the self-assessment. Security assessment shall be conducted throughout the entire process of the outbound data transfer.
In general, security assessment consists of the following steps:
(i) self-assessment;
(ii) application for security assessments to the provincial-level cyberspace administration with an application form, a self-assessment report, a copy of the outbound data transfer agreement and other necessary materials;
(iii) the cyberspace administration organizes and completes the assessment and issues a written result;
(iv) if a data processor has any objection to the result, it can apply to CAC for a re-assessment.
The results of the security assessment for an outbound data transfer are valid for 2 years except that the data processor shall update the security assessment immediately with any circumstance affecting the security of the data transferred abroad.
3. Assessment Matters
Self-assessment and security assessment generally focus on the following matters:
Self-Assessment |
Security Assessment |
legality, legitimacy and necessity of the purpose, scope and method of the outbound data transfer and data processing by the overseas recipients; |
|
scale, scope, type and sensitivity of the data to be transferred abroad, and the risks to national security, public interests or the legitimate rights and interests of individuals or organizations caused by the outbound data transfer; |
size, scope, types and sensitivity of data to be transferred abroad, and the risks that the data may be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the data is provided abroad; |
risks of data to be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the outbound data transfer; whether the channel for the maintenance of personal information rights and interests is smooth; |
whether data security and personal information rights and interests can be fully and effectively guaranteed; |
responsibilities and obligations that the overseas recipient promises to undertake, and whether the overseas recipient’s management and technical measures and capabilities for performing its responsibilities and obligations can guarantee the security of the outbound data transfer; |
impact of data security protection policies and regulations and the cybersecurity environment of the country or region where the overseas recipient is located on the security of data to be provided abroad, and whether the data protection level of the overseas recipient meets the requirements of the laws and administrative regulations of the People’s Republic of China and mandatory national standards; |
whether the relevant contracts on the data to be concluded with the overseas recipient or other legally binding documents have fully agreed on the responsibilities and obligations to protect the data security; |
whether the legal documents to be concluded by the data processor and the overseas recipient have fully agreed on the responsibilities and obligations of data security protection; |
|
compliance with Chinese laws, administrative regulations and departmental rules; and other matters that CAC considers necessary to assess. |
It should be noted that an impact assessment on personal information transferred overseas shall be conducted under PIPL. The assessment factors thereof are similar to the self-assessment factors, therefore a data processor is advised to take all factors into consideration.
4. Liabilities
Where CAC finds any violation of the Measures, the outbound data transfer shall be terminated until the data processor completes the rectification and passes a new security assessment.
Any violation of Measures is also subject to liabilities stipulated in the Cybersecurity Law, the Data Security Law and the PIPL. The legal liability thereby includes rectifications, warning, penalties up to 1 million RMB, revocation of business license, and criminal liability where a crime is committed.
5. Other Matters
The Measures provide for a six-month grace period to complete the rectification of the outbound data that has been transferred before the effectiveness of the Measures. In addition, CAC issued a draft standard contract on border data transfer so as to serve as a guide. If a data processor and overseas recipients of the data or information have signed a contract on border data transfer and this contract is in conflict with the draft standard contract issued by CAC, the standard contract will prevail. The parties shall launch negotiations as soon as possible in order to comply with the standard contract requirements.
By Sophie Chen / Grandway Law Offices (Shanghai)