Jul 11, 2022
On 7 July 2022, in the immediate wake of its issuance of the draft Standard Contract Provisions for the Exit of Personal Information and the draft Personal Information Export Standard Contract, the Cyberspace Administration of China (“CAC”) released the finalized version of its Measures concerning the Security Assessment for Cross-Border Data Transfer (“SA Measures”), which will enter into force in a little less than two months, on 1 September 2022. By finally resolving a major source of uncertainty that has marked the concept of “security assessments” since China’s first promulgation of the Cybersecurity Law of the People’s Republic of China back in 2016, the SA Measures now fill in another piece of China’s overall cybersecurity, data and personal information protection legislative puzzle, in a manner that is likely to impact many multinational companies that do business in China.
This Newsletter seeks to summarize the general framework and takeaways that business operators (i.e., data handlers hereinafter) should pay special attention to under the new SA Measures.
When must data handlers ensure compliance?
The SA Measures provide that any cross-border data transfers that have been carried out prior to the new legislation’s effective date, but which fail to meet the requirements specified under the SA Measures, should be rectified within six months from the date of the SA Measures’ implementation. This means that relevant data handlers who are required to perform security assessments under the SA Measures will need to ensure that their data handling practices are fully compliant with the new measures, even in the case of existing data transfer arrangements that were put into place prior to the new requirements becoming effective. Existing transfer arrangements that are not in compliance will not be grandfathered in or protected, but instead must be modified to ensure that they satisfy all requirements under the SA Measures. The deadline for implementing such rectification measures will be 1 March 2023.
In particular, any data handlers who regularly transfer relevant data offshore or who intend to so in the future and are required carry out security assessment under the SA Measures will now be required to complete and pass such security assessments prior to transmitting such cross-border data transfers. The CAC expressly suggests that data handlers satisfy such security assessment requirements before entering into binding contracts or other legal instruments with third parties regarding the export of data out of China (collectively, “Legal Instruments”). In cases where data handlers wish to enter into such Legal Instruments, the CAC suggests that data handlers incorporate the passing of all security assessment requirements as a condition precedent to such Legal Instruments becoming effective. In any event, it is clear that data handlers fall subject to security assessment under the terms of the SA Measures should not engage in the cross-border transfer of data unless and until they complete and pass such security assessments.
Who must apply for security assessments?
The following parties will need to carry out security assessments before transferring data offshore:
What constitutes a “cross-border or offshore transfer” of data?
Although the SA Measures themselves are silent on what constitutes a “cross-border” or “offshore” transfer of data, the CAC has clarified in its press release that the following activities will be covered:
How to apply for a security assessment?
The SA Measures specify that each of the steps below will be required in order to apply for a security assessment:
How are security assessments processed by the CAC?
Once the relevant provincial branch of the CAC receives a party’s security assessment application, the steps that will take place pursuant to the SA Measures are as follows:
It is worth noting that if at any time during the security assessment application process the applicant is asked to provide supplementary materials or to correct materials and fails to do so without legitimate reasons, the CAC may unilaterally terminate the applicant’s security assessment application.
What are the CAC’s assessment criteria?
The substantive nature of the CAC’s assessment process will be particularly focused on risks concerning national security, the public interest and legal interests of individuals or entities. The criteria of CAC’s assessment will specifically cover the following:
How long will a security assessment be valid?
Any approved security assessment will be valid for two years, i.e., the applicant may undertake one or more cross-border transfer(s) within the scope of the application materials reviewed by the CAC (including relevant Legal Instruments) for a period of two years from the time the CAC issues its final approval notice. That said, if any of the following situations occur, then a new security assessment will be required:
What are the consequences of breaching the SA Measures?
If a party is found to be in breach of the SA Measures, the CAC is entitled to issue penalties in accordance with relevant laws and administrative regulations.[4] Among currently binding laws and regulations, the Personal Information Protection Law includes the highest penalties: aside from the right to issue warnings, confiscate any unlawful income and order the suspension or cessation of wrongful activities, regulators are also authorized to issue fines up to RMB 50 million or five percent of the party’s total turnover in its previous year, and to fine directly responsible individuals up to RMB 100,000. On the other hand, the SA Measures themselves include a provision encouraging any party who becomes aware of a violation to report such shortcomings to the CAC and/or the relevant provincial branch of the CAC.
Furthermore, in cases where violations of the SA Measures also satisfy the requisite elements of a crime, the breaching party may also potentially face criminal liability.
Takeaways – Immediate action to be taken
Now that the SA Measures have finally addressed many of the uncertainties that have long been present under the PRC cybersecurity and data protection framework, relevant business operators that are covered by the SA Measures and required to conduct security assessments will now formally be required to actually do so, and can no longer rely on a lack of clarity of relevant laws and regulations to explain their failure to satisfy these requirements.
Notably, upon becoming effective, the SA Measures will not only impose a compliance burden on business operators intending to conduct future cross-border data transfers from China, but will even require operators who have carried out historical cross-border data transfers (prior to the SA Measures becoming effective) and who wish to continue doing so, to ensure that their practices comply with the requirements of the SA Measures within six months of the effective date of the same, and to undertake “rectification measures” where appropriate.
Subject to any further clarifications from the CAC, our view is that the most likely “rectification measures” that will be required in such instances will be for the transferring party to prepare a formal “self-assessment” report, and to then to take steps to rectify any non-compliant activities identified.
It is unclear whether a business operator who has conducted cross-border data transfers prior to the entry into force of the SA Measures, but who no longer wishes to do so, will nevertheless be required to apply to the CAC for a security assessment. This calls for further clarification with the CAC.
Subscribe to our newsletter.
Dec 6, 2024
Nov 22, 2024