Nov 3, 2021

China Releases New Draft Rules on Security Assessment for Cross-Border Data Transfers

On 29 October 2021, the Cyberspace Administration of China (“CAC”) released a draft of the Measures concerning the Security Assessment for Cross-Border Data Transfer (“Draft SA Measures”); the public comment period is set to last until 28 November 2021. The four-year-old Cybersecurity Law heralded a requirement for at least certain parties who wished to transfer certain data outside China to first submit to unspecified “Security Assessment” (“SA”) procedures, and several draft sets of rules have been released since then to specify aspects of the requirement and process, but this latest draft reflects a harmonization with the recently promulgated Data Security Law and Personal Information Protection Law as well as a slight further refinement of all the above. In particular, the Draft SA Measures set out a relatively broad applicability of the SA requirement as well as several details about the SA process from start to finish. This Newsletter summarizes the key points of the Draft SA Measures.

Scope of Security Assessment

While the Cybersecurity Law indicated that only Critical Information Infrastructure Operators (“CIIOs”) would need, in certain circumstances, to carry out SAs, the Draft SA Measures would extend the requirement to any “data processor” who:

  1. transfers “important data”[1] offshore;
  2. processes “personal information”[2] (“PI”) of more than one million data subjects and transfers any PI offshore;
  3. transfers abroad, on a cumulative basis, PI of more than 100,000 data subjects or “sensitive personal information”[3] (“SPI”) of more than 10,000 data subjects; or
  4. other situations when the CAC deems an SA is needed.

The Data Security Law and Personal Information Protection Law already provide that cross-border transfers of “important data” and, in certain circumstances, PI require an SA. The Draft SA Measures would specify thresholds relating to PI and SPI (as set out in points 2 and 3 above).

The Draft SA Measures are silent on what constitutes “cross-border” transfers of data. Currently, the only guidance is provided by the draft Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment, issued by the National Information Security Standardization Technical Committee on 25 August 2017:

  • Any of the following constitutes a cross-border data transfer (in addition to a straightforward transfer of data from a medium physically located onshore to one physically located offshore):
    • transfer of the data to entities or individuals that are not subject to mainland China jurisdiction or not registered in mainland China;
    • access/viewing of the data by entities or individuals offshore, even if the data is otherwise not transferred or stored offshore; and
    • transfer of onshore data to any members of a corporate group located outside mainland China.
  • The following do not constitute cross-border data transfers:
    • transfer of data through mainland China when the data has not been collected and generated onshore and is not amended or further processed onshore; and
    • transfer abroad of data stored but not collected or generated onshore, even if such data has also been processed in the PRC (as long as no data collected or generated onshore is contained in the cross-border transfer).

The Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment is still in draft form, but in practice, the CAC may use it as a “reference” in its regulatory activities.

Procedure for Security Assessment

According to the Draft SA Measures, before undertaking any of the above-mentioned restricted cross-border data transfers, the relevant data processor must conduct a “self-assessment” covering the following:

  • the legality, justifiability and necessity of the purpose, scope and methods of the transfer;
  • the amount, scope, type and sensitivity of the data to be transferred;
  • the risks arising from the transfer and concerning national security, public interest and legal interests of individuals or entities;
  • whether the management and technical measures to be adopted during the transfer are able to prevent the data from leakage and damage;
  • whether the responsibilities undertaken by the offshore data recipients, and management and technical measures adopted for performing such responsibilities, are able to ensure the security of the data transferred;
  • the risks of leakage, damage, loss, falsification and abuse after the transfer;
  • whether there are convenient and workable channels for data subjects to exercise their PI protection rights; and
  • whether the transferor’s and recipient’s respective data protection responsibilities and obligations have been sufficiently provided for under an offshore data transfer agreement.[4]

The above need to be included in the “application” for an SA required to be submitted to the CAC before undertaking any of the above-mentioned restricted cross-border data transfers. The CAC has seven days from submission to notify the applicant in writing about whether the application is “accepted”, i.e., whether the CAC deems an SA is required and the CAC can initiate it based on the materials in the application. From then, the CAC should complete the SA within 45 working days, extendable to 60 working days if the situation is complex or supplementary documents are required.

The Draft SA Measures indicate that the CAC’s assessment criteria are substantially the same as those under the above-mentioned “self-assessment”, with a focus particularly on risks concerning national security, public interest and legal interests of individuals or entities, but the Draft SA Measures also explicitly set out the following two factors:

  • the impact of the recipient’s jurisdiction’s security policies/regulations and cybersecurity environment on the security of the data to be transferred offshore; and
  • whether the data protection measures and other aspects of the offshore data recipient meet the requirements under PRC laws, regulations and mandatory standards.

Any approval is valid for two years, i.e., the applicant may undertake one or more cross-border transfer(s) for two years from the time the CAC approves the application, provided that any such transfer is of the type, manner, extent, etc. declared in the application. If any of the following aspects changes, a new SA is required:

  • the purpose, method, scope, data types or storage term (the latter only if it is extended);
  • the regulatory or legal environment of the recipient’s jurisdiction;
  • the transferor, recipient or a controller thereof; or
  • the offshore data transfer agreement.

Consequences of Violations

For penalties, e.g., for carrying out a cross-border data transfer without having applied for or without having passed an SA when it would be required, the Draft SA Measures only refer to existing laws and regulations. Among current laws, the Personal Information Protection Law indicates the highest penalties: aside from warnings, confiscation of illegal gains and orders to suspend or cease activities, regulators may fine an entity up to RMB 50 million or five percent of the previous year’s turnover and directly responsible individuals up to RMB 100,000. On the other hand, the Draft SA Measures include a provision encouraging any party who becomes aware of a violation to report it to the CAC.

Takeaways

China has for years been making a show of drafting, revising and re-drafting the prerequisites for certain transfers of data from inside to outside its borders. The Draft SA Measures are the latest instalment, and while it is impossible to tell whether it will be officially issued in more-or-less its present form and thus finally establish at least the basic framework for SAs, there are some indications of that eventuality: other than specifying three additional triggers for the requirement to undertake an SA, there are relatively few revisions from the previous version, and they primarily reflect harmonization with the recently promulgated Data Security Law and Personal Information Protection Law. As such, PRC parties who process PI of more than one million data subjects and transfer any PI abroad, as well as PRC parties who transfer abroad any “important data”, PI of more than 100,000 data subjects or SPI of more than 10,000 data subjects (on a cumulative basis), should consider how to accommodate the SA process in their operations. The most significant burden, if any, is likely to be producing a “self-assessment” report and waiting up to approximately three months for CAC approval.


[1] The definition of “important data” is not entirely set under current binding PRC law. However, pursuant to a draft “National Standard”, the Information Security Technology – Identification Guide of Key Data (Draft for Comments), issued by the State Administration for Market Regulation and the National Information Security Standardization Technical Committee on 23 September 2021, “important data” refers to data, in electronic form, which once tampered with, damaged, leaked or illegally accessed or used may endanger national security or public interest, not including state secrets and personal information (but potentially including statistical data and other data derived from a large amount of personal information). In addition, one piece of regulation pertaining to a specific industry sector, the Several Provisions on Vehicle Data Security Management (for Trial Implementation), issued by the CAC, National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security and Ministry of Transport on 16 August 2021 and effective as of 1 October 2021, has since elaborated on the definition of “important data” for purposes of that regulation/sector, and more such specific elaborations may be coming.

[2] “Personal information” is defined, in the Personal Information Protection Law as well as various regulations, as “all kinds of information recorded by electronic or other means related to identified or identifiable natural persons”, explicitly excluding anonymized information.

[3] “Sensitive personal information” is defined, in the Personal Information Protection Law as well as various regulations, as PI that, if leaked or illegally used, may cause individuals to suffer infringement of human dignity or serious harm to their security in their persons and property, e.g., health and medical information, religious beliefs, location information and PI of individuals under 14 years old.

[4] The offshore data transfer agreement must set out data security protection responsibilities and obligations, including but not limited to the following:

  • the purpose, manner and data scope of the transfer, the use and manner of data processing by the recipient, etc.;
  • the location and duration of data storage offshore, as well as the measures to deal with the cross-border transferred data after such period expires, the agreed purpose is completed or the agreement is terminated;
  • the binding provision which restricts the recipient from re-transferring such data to other entities or individuals;
  • the security measures to be taken by the recipient in the event of a material change in the control or scope of business or change in the legal environment of the country or region that make it difficult to ensure data security;
  • the provisions of liability for breach of data security protection obligations and binding and enforceable dispute resolution; and
  • smooth channels to properly carry out emergency responses and protect the rights and interests of individuals to safeguard PI in the event of a data breach or other risks.

© DaHui Lawyers