China Releases Finalized Rules on Security Assessments for Cross-Border Data Transfers

On 7 July 2022, in the immediate wake of its issuance of the draft Standard Contract Provisions for the Exit of Personal Information and the draft Personal Information Export Standard Contract, the Cyberspace Administration of China (“CAC”) released the finalized version of its Measures concerning the Security Assessment for Cross-Border Data Transfer (“SA Measures”), which will enter into force in a little less than two months, on 1 September 2022. By finally resolving a major source of uncertainty that has marked the concept of “security assessments” since China’s first promulgation of the Cybersecurity Law of the People’s Republic of China back in 2016, the SA Measures now fill in another piece of China’s overall cybersecurity, data and personal information protection legislative puzzle, in a manner that is likely to impact many multinational companies that do business in China.

This Newsletter seeks to summarize the general framework and takeaways that business operators (i.e., data handlers hereinafter) should pay special attention to under the new SA Measures.

When must data handlers ensure compliance?

The SA Measures provide that any cross-border data transfers that have been carried out prior to the new legislation’s effective date, but which fail to meet the requirements specified under the SA Measures, should be rectified within six months from the date of the SA Measures’ implementation. This means that relevant data handlers who are required to perform security assessments under the SA Measures will need to ensure that their data handling practices are fully compliant with the new measures, even in the case of existing data transfer arrangements that were put into place prior to the new requirements becoming effective. Existing transfer arrangements that are not in compliance will not be grandfathered in or protected, but instead must be modified to ensure that they satisfy all requirements under the SA Measures. The deadline for implementing such rectification measures will be 1 March 2023.

In particular, any data handlers who regularly transfer relevant data offshore or who intend to so in the future and are required carry out security assessment under the SA Measures will now be required to complete and pass such security assessments prior to transmitting such cross-border data transfers. The CAC expressly suggests that data handlers satisfy such security assessment requirements before entering into binding contracts or other legal instruments with third parties regarding the export of data out of China (collectively, “Legal Instruments”). In cases where data handlers wish to enter into such Legal Instruments, the CAC suggests that data handlers incorporate the passing of all security assessment requirements as a condition precedent to such Legal Instruments becoming effective. In any event, it is clear that data handlers fall subject to security assessment under the terms of the SA Measures should not engage in the cross-border transfer of data unless and until they complete and pass such security assessments.

Who must apply for security assessments?

The following parties will need to carry out security assessments before transferring data offshore:

• Critical information infrastructure operators (“CIIOs”) seeking to transfer personal information (“PI”) offshore;
• Data handlers seeking to transfer “important data”[1] offshore;
• Data handlers who process the PI of more than one million data subjects and seek to transfer any PI offshore;
• Data handlers who transfer offshore, on a cumulative basis, the PI of more than 100,000 data subjects in the period since 1 January of the preceding year;
• Data handlers who transfer offshore, on a cumulative basis, the “sensitive personal information” (“SPI”) [2] of more than 10,000 data subjects in the period since 1 January of the preceding year; or
• Other parties that are subject circumstances deemed by the CAC to require the carrying out of a security assessment.

What constitutes a “cross-border or offshore transfer” of data?

Although the SA Measures themselves are silent on what constitutes a “cross-border” or “offshore” transfer of data, the CAC has clarified in its press release that the following activities will be covered:

• Transferring or storing data that is initially collected or generated during operations carried out within mainland China to any entities or individuals located outside of mainland China; and
• Accessing/viewing any data that is initially collected or generated and stored within mainland China by entities or individuals located outside of mainland China, even in cases where the data is otherwise not transferred or stored offshore.

How to apply for a security assessment?

The SA Measures specify that each of the steps below will be required in order to apply for a security assessment:

• Conducting a data security risk “self-assessment”, which should cover substantially the same points/criteria under the formal security assessment carried out with the CAC;
• Preparing relevant Legal Instruments intended to be concluded between the data handler and offshore data recipient, which sufficiently stipulate(s) the data security protection responsibility and obligations of the contracting parties; [3]
• Preparing a security assessment application letter, which is likely to be in the form of a standard-form document to be issued by CAC; and
• Submitting the above and any other materials necessary to the applicant’s competent CAC branch at provincial level.

How are security assessments processed by the CAC?

Once the relevant provincial branch of the CAC receives a party’s security assessment application, the steps that will take place pursuant to the SA Measures are as follows:

• Within five working days of the provincial branch of the CAC receiving the applicant’s application materials, the provincial branch of the CAC will review whether the security assessment application is complete:
  • If so, it will forward the materials on to the CAC for further handling;
  • If not, it will return the application materials to the applicant and issue a one-time notification for the provision of required supplementary materials.
• Within seven working days from the date that the CAC receives the security assessment application materials from the relevant provincial branch of the CAC, the CAC will then determine whether it will accept the application and perform the security assessment and will issue a written notice to the applicant regarding its decision.
• Within 45 working days from the date of issuing its written acceptance notice to the applicant, the CAC will complete the security assessment. However, the CAC also has the right to extend this timeline if the application is complex or if supplementary materials or corrections are ultimately required from the applicant. There is no maximum extension limit, but the CAC must inform the application of the expected period of the extension that will be needed. Upon completion of the CAC’s review, the result of its security assessment will be notified in writing to the applicant.
• Within 15 working days of receiving the final written assessment results from the CAC, applicants that are unsatisfied with their assessment results are entitled to apply for re-evaluation procedures, the results of which will be final. That said, the SA Measures do not specify what such re-evaluation process will look like.

It is worth noting that if at any time during the security assessment application process the applicant is asked to provide supplementary materials or to correct materials and fails to do so without legitimate reasons, the CAC may unilaterally terminate the applicant’s security assessment application.

What are the CAC’s assessment criteria?

The substantive nature of the CAC’s assessment process will be particularly focused on risks concerning national security, the public interest and legal interests of individuals or entities. The criteria of CAC’s assessment will specifically cover the following:

• The legality, justifiability and necessity of the purpose, scope and methods of the cross-border transfer of relevant data;
• The impact of the security policies/regulations and cybersecurity environment in the jurisdiction of the data recipient, with respect to the security of the data that is transferred offshore, and whether the data protection measures, and other aspects of the offshore data recipient meet the requirements under PRC laws, regulations and mandatory standards;
• The risks of data being tampered with, destroyed, leaked, lost, transferred, illegally obtained or used, etc., during and after its transfer abroad;
• Whether the data handler and foreign data recipient’s respective data protection responsibilities and obligations have been sufficiently specified under an acceptable Legal Instrument;
• Whether the data security and interests of data subjects have been sufficiently protected.

How long will a security assessment be valid?

Any approved security assessment will be valid for two years, i.e., the applicant may undertake one or more cross-border transfer(s) within the scope of the application materials reviewed by the CAC (including relevant Legal Instruments) for a period of two years from the time the CAC issues its final approval notice. That said, if any of the following situations occur, then a new security assessment will be required:

• The approval term of two years expires;
• There is change on the purpose, method, scope, and data types of the data that will be transferred offshore, and such change will impact data security;
• The storage term of transferred important data or PI is extended;
• The regulatory or legal environment of the recipient’s jurisdiction changes in a manner that impacts data security;
• There is change of control of the data handler or the offshore recipient, and such change of control will impact data security;
• There is change to any relevant Legal Instrument in a manner that impacts data security;
• The occurrence of any other events which the CAC believes will impact data security.

What are the consequences of breaching the SA Measures?

If a party is found to be in breach of the SA Measures, the CAC is entitled to issue penalties in accordance with relevant laws and administrative regulations.[4] Among currently binding laws and regulations, the Personal Information Protection Law includes the highest penalties: aside from the right to issue warnings, confiscate any unlawful income and order the suspension or cessation of wrongful activities, regulators are also authorized to issue fines up to RMB 50 million or five percent of the party’s total turnover in its previous year, and to fine directly responsible individuals up to RMB 100,000. On the other hand, the SA Measures themselves include a provision encouraging any party who becomes aware of a violation to report such shortcomings to the CAC and/or the relevant provincial branch of the CAC.

Furthermore, in cases where violations of the SA Measures also satisfy the requisite elements of a crime, the breaching party may also potentially face criminal liability.

Takeaways – Immediate action to be taken

Now that the SA Measures have finally addressed many of the uncertainties that have long been present under the PRC cybersecurity and data protection framework, relevant business operators that are covered by the SA Measures and required to conduct security assessments will now formally be required to actually do so, and can no longer rely on a lack of clarity of relevant laws and regulations to explain their failure to satisfy these requirements.

Notably, upon becoming effective, the SA Measures will not only impose a compliance burden on business operators intending to conduct future cross-border data transfers from China, but will even require operators who have carried out historical cross-border data transfers (prior to the SA Measures becoming effective) and who wish to continue doing so, to ensure that their practices comply with the requirements of the SA Measures within six months of the effective date of the same, and to undertake “rectification measures” where appropriate.

Subject to any further clarifications from the CAC, our view is that the most likely “rectification measures” that will be required in such instances will be for the transferring party to prepare a formal “self-assessment” report, and to then to take steps to rectify any non-compliant activities identified.

It is unclear whether a business operator who has conducted cross-border data transfers prior to the entry into force of the SA Measures, but who no longer wishes to do so, will nevertheless be required to apply to the CAC for a security assessment. This calls for further clarification with the CAC.

1. Under the SA Measures, “important data” is defined as any data that, once tampered with, damaged, leaked, illegally accessed or used, etc., may endanger national security, economic operation, social stability, or public health and safety.
2. “Sensitive personal information” is defined in the Personal Information Protection Law as well as various regulations to mean any PI that, if leaked or illegally used, may cause individuals to suffer infringement of human dignity or serious harm to their security in their persons and property (e.g., health and medical information, religious beliefs, location information and the PI of individuals under 14 years old.
3. The Legal Instruments to be concluded between the data handler and offshore data recipient must clearly set out the data security protection responsibilities and obligations of the parties. The key terms that have to be covered by such Legal Instruments are specified under Article 9 of the SA Measures.
4. Such as the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, and the Personal Information Protection Law of the People’s Republic of China. See Article 18 of the SA Measures.