Nov 3, 2021
On 29 October 2021, the Cyberspace Administration of China (“CAC”) released a draft of the Measures concerning the Security Assessment for Cross-Border Data Transfer (“Draft SA Measures”); the public comment period runs until 28 November 2021. The four-year-old Cybersecurity Law introduced a requirement that at least certain parties wishing to transfer certain data outside China first undergo unspecified “Security Assessment” (“SA”) procedures, and several draft sets of rules have been released since then to specify aspects of the requirement and the process. This latest draft reflects a harmonization with the recently promulgated Data Security Law and Personal Information Protection Law, as well as a slight further refinement of all the above. In particular, the Draft SA Measures set out a relatively broad scope for the SA requirement and several details about the SA process from start to finish. This Newsletter summarizes the key points of the Draft SA Measures.
Scope of Security Assessment
While the Cybersecurity Law indicated that only Critical Information Infrastructure Operators (“CIIOs”) would need, in certain circumstances, to carry out SAs, the Draft SA Measures would extend the requirement to any “data processor” who:
The Data Security Law and Personal Information Protection Law already provide that cross-border transfers of “important data” and, in certain circumstances, PI require an SA. The Draft SA Measures would specify thresholds relating to PI and SPI (as set out in points 2 and 3 above).
The Draft SA Measures are silent on what constitutes “cross-border” transfers of data. Currently, the only guidance is provided by the draft Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment, issued by the National Information Security Standardization Technical Committee on 25 August 2017:
The Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment is still in draft form, but in practice, the CAC may use it as a “reference” in its regulatory activities.
Procedure for Security Assessment
According to the Draft SA Measures, before undertaking any of the above-mentioned restricted cross-border data transfers, the relevant data processor must conduct a “self-assessment” covering the following:
The above must be included in the “application” for an SA, which is to be submitted to the CAC before undertaking any of the above-mentioned restricted cross-border data transfers. The CAC has seven working days from submission to notify the applicant in writing whether the application is “accepted”, i.e., whether the CAC deems an SA to be required and can initiate it on the basis of the materials in the application. From acceptance, the CAC should complete the SA within 45 working days, extendable to 60 working days if the case is complex or supplementary documents are required.
The Draft SA Measures indicate that the CAC’s assessment criteria are substantially the same as those under the above-mentioned “self-assessment”, with a focus particularly on risks concerning national security, public interest and legal interests of individuals or entities, but the Draft SA Measures also explicitly set out the following two factors:
Any approval is valid for two years, i.e., the applicant may undertake one or more cross-border transfer(s) for two years from the time the CAC approves the application, provided that any such transfer is of the type, manner, extent, etc. declared in the application. If any of the following aspects changes, a new SA is required:
Consequences of Violations
For penalties, e.g., for carrying out a cross-border data transfer without having applied for, or without having passed, an SA when one is required, the Draft SA Measures only refer to existing laws and regulations. Among current laws, the Personal Information Protection Law provides the highest penalties: aside from warnings, confiscation of illegal gains and orders to suspend or cease activities, regulators may fine an entity up to RMB 50 million or five percent of the previous year’s turnover, and directly responsible individuals between RMB 100,000 and RMB 1 million. In addition, the Draft SA Measures include a provision encouraging any party who becomes aware of a violation to report it to the CAC.
Takeaways
China has for years been drafting, revising and re-drafting the prerequisites for certain transfers of data from inside to outside its borders. The Draft SA Measures are the latest instalment, and while it is impossible to tell whether they will be officially issued in more-or-less their present form and thus finally establish at least the basic framework for SAs, there are some indications of that outcome: other than specifying three additional triggers for the requirement to undertake an SA, there are relatively few revisions from the previous version, and they primarily reflect harmonization with the recently promulgated Data Security Law and Personal Information Protection Law. As such, PRC parties who process PI of more than one million data subjects and transfer any PI abroad, as well as PRC parties who transfer abroad any “important data”, PI of more than 100,000 data subjects or SPI of more than 10,000 data subjects (on a cumulative basis), should consider how to accommodate the SA process in their operations. The most significant burden, if any, is likely to be producing a “self-assessment” report and waiting up to approximately three months for CAC approval.
[1] The definition of “important data” is not entirely set under current binding PRC law. However, pursuant to a draft “National Standard”, the Information Security Technology – Identification Guide of Key Data (Draft for Comments), issued by the State Administration for Market Regulation and the National Information Security Standardization Technical Committee on 23 September 2021, “important data” refers to data, in electronic form, which once tampered with, damaged, leaked or illegally accessed or used may endanger national security or public interest, not including state secrets and personal information (but potentially including statistical data and other data derived from a large amount of personal information). In addition, one piece of regulation pertaining to a specific industry sector, the Several Provisions on Vehicle Data Security Management (for Trial Implementation), issued by the CAC, National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security and Ministry of Transport on 16 August 2021 and effective as of 1 October 2021, has since elaborated on the definition of “important data” for purposes of that regulation/sector, and more such specific elaborations may be coming.
[2] “Personal information” is defined, in the Personal Information Protection Law as well as various regulations, as “all kinds of information recorded by electronic or other means related to identified or identifiable natural persons”, explicitly excluding anonymized information.
[3] “Sensitive personal information” is defined, in the Personal Information Protection Law as well as various regulations, as PI that, if leaked or illegally used, may cause individuals to suffer infringement of human dignity or serious harm to their security in their persons and property, e.g., health and medical information, religious beliefs, location information and PI of individuals under 14 years old.
[4] The offshore data transfer agreement must set out data security protection responsibilities and obligations, including but not limited to the following: