Cross-Border Data Transfer
The Cyberspace Administration of China has released draft measures detailing requirements for security reviews for cross-border data transfer. Industry players have been waiting for such measures ever since China issued legislation subjecting companies that want to export certain types of data to a security assessment. The draft measures offer clarity on the governmental body responsible for overseeing security assessments and what procedures companies must undergo to get clearance to transfer data overseas. On October 29, 2021, the Cyberspace Administration of China (CAC) released a draft version of the Measures for Data Export Security Assessment (the ‘assessment measures’) to solicit opinions from the public until November 28, 2021.
The document outlines specific requirements, steps, and procedures for companies to undergo a security assessment, a requisite for companies that handle a large volume of data from Chinese users, or whose data is categorized as ‘important’ or ‘sensitive’, for cross-border data transfer. Many companies have been anxiously awaiting clarification on security assessment ever since China first put limits on the export of certain types of data in the Cybersecurity Law (CSL), released in 2017. The draft document offers a clear pathway for companies who need to send data overseas for their operations and clarifies which aspects of a company’s business the authorities will consider when evaluating a cross-border data transfer.
The new assessment measures are based on China’s three overarching data security laws, the CSL, Data Security Law (DSL), and the Personal Information Protection Law (PIPL), the latter of which came into effect as recently as November 1, 2021. According to the document, the assessment measures will aim to “standardize the export of data from China” and “protect personal information, safeguard national security, and public interest”. The document will undergo another round of deliberation after gathering public opinions, after which a final draft of the document and effective date is expected to be announced.
Who must undergo a security assessment for cross-border data transfer?
Not all companies are required to undergo a security assessment before transferring data overseas.
The assessment measures reiterate the requirements outlined in previous legislation, including the CSL and PIPL, which stipulated that companies such as ‘critical information infrastructure’ (CII) operators and state agencies that gather data from Chinese users must undergo a security assessment before being allowed to transfer data overseas.
The assessment measures provide more details on the circumstances under which a company will be required to undergo a security assessment. Companies must undergo a security assessment by the CAC if they wish to export data under any of the following scenarios:
- The data for export is personal information or important data collected and generated by CII operators
- The data for export contains important data
- The data processor collects and processes personal information from one million users in China
- The data processor is transferring the personal information of more than 100,000 users or the sensitive personal information of more than 10,000 users in China abroad
- Other situations stipulated by the CAC.
Applying for a data export security assessment
If a company meets any of the criteria outlined above for transferring data outside of China, it must apply for a security assessment by CAC. The assessment measures provide a detailed description of the procedures and criteria companies must meet to pass a security assessment.
Conducting a self-assessment
To apply for a security assessment, companies must first conduct a security risk self-assessment of the data they wish to export.
The self-assessment largely focuses on evaluating the risks the export of the data could pose to China’s national security, as well as the personal rights of the individuals or organizations in China from which the data was collected. When conducting the self-assessment, companies must consider the following factors:
- The legality, legitimacy, and necessity of the purpose, scope, and method of the cross-border data transfer, and the processing of the data by the overseas recipient.
- The volume, scope, type, and sensitivity of the data being transferred, and the possible risks that the cross-border data transfer could pose to China’s national security, public interest, and the legal rights of individuals and organizations.
- Whether or not the data processor has the management and technological means and capabilities to prevent data leaks, damage, and other risks during the transfer process.
- Whether or not the overseas recipient has committed to the responsibility and duty of guaranteeing the security of the exported data, and whether the overseas recipient has the management and technological means and capabilities to fulfill these duties.
- The possible risks, such as leakage, damage, tampering, and misuse of the data, after export or re-transfer, and whether there is a clear channel through which individuals can protect their personal information rights.
- Whether or not the contracts related to the data export signed with the overseas recipient sufficiently stipulate the duties and responsibilities of the recipient for data protection.
Applying for the security assessment
When applying for the data export security assessment, companies are required to submit the following materials:
- A declaration
- Cross-border data transfer risk self-evaluation report
- Contracts or other legally binding documents drawn up between the data processor and the overseas recipient
- Other materials required for security assessment work
The contract signed between the data processor and the overseas recipient must include (but is not limited to) the following duties and obligations:
- The purpose and method for the data transfer and the scope of data being transferred; what the overseas recipient needs the data for and the methods they will use to process it.
- Where and for how long the data will be stored overseas; the processing measures for the exported data after the data storage time limit is up, the stipulated objectives have been achieved, or the contract has been terminated.
- Clauses restricting the overseas recipient from transferring the data to another organization or individual.
- The measures that should be taken if there is a substantive change in the overseas recipient’s control or operating scope, or if there is a change to the regulatory environment in the country or region where the data is stored that makes it difficult to guarantee the security of the data.
- Clauses outlining the responsibilities for breach of data security protection obligations and a binding and enforceable dispute resolution mechanism.
- An appropriate emergency response mechanism and unobstructed means for individuals to protect their legal personal information rights in the event of a data leak or other security breach.
After the applicant has submitted the requisite materials, the CAC will inform the applicant in writing within seven days whether it has accepted the application.
Undergoing the security assessment
After the CAC has accepted the application, it will organize industry authorities, relevant State Council departments, provincial cybersecurity departments, and specialized agencies to conduct the security assessment. The authorities will be taking the following criteria into consideration when conducting the security assessment:
- The legality, legitimacy, and necessity of the methods, scope, and purpose of the data export.
- The impact that the data security protection policies, regulations, and general cybersecurity environment of the country or region in which the data recipient is located may have on the security of the data, and whether the overseas recipient’s data protection standards are compliant with China’s laws, administrative rules and regulations, and requirements for mandatory national standards.
- The volume, scope, type, and sensitivity of the outbound data, and the possible risks posed to the data during and after the transfer, such as leakage, tampering, loss, damage, or illegal acquisition or use of the data.
- Whether or not data security and personal information rights can be fully and effectively protected.
- Whether or not the contract signed between the data processor and the overseas recipient has sufficiently stipulated the data security protection responsibilities and obligations.
- [The data processor’s] compliance with Chinese laws, administrative regulations, and departmental rules.
- Other matters deemed necessary by the CAC.
The cybersecurity departments will carry out the security assessment within 15 working days of issuing the notice that the application was accepted.
This procedure may be extended for complicated cases or where additional documentation is required, but normally should not exceed 60 working days. The results of the assessment will be provided to the applicant in writing. The security assessment will be valid for a period of two years but can be revoked earlier than that if there is a substantive change to the circumstances under which the approval for cross-border data transfer was granted.
Companies will be required to reapply for a security assessment if any of the following situations occur:
- A change in the purpose, method, scope, or type of data provided overseas, the use and method for data processing by the overseas recipients has changed, or there is an extension in the overseas retention period for the personal information or important data.
- Changes in the legal environment of the country or region where the overseas recipient is located, changes to the controlling rights of the data processor or the overseas receiver, changes to the contract between the data processor and the overseas receiver, or other circumstances that may affect the security of the outbound data.
- Other situations that may impact the security of outbound data.
Companies must re-apply for a security assessment 60 working days before the original assessment expires if they intend to continue processing or transferring data overseas. Companies that fail to re-apply for another assessment will be required to cease their cross-border data transfer activities. The relevant authorities may also revoke the security assessment if the activity no longer meets the security management requirements while the data is being processed.
The authorities will then inform the company in writing of the revocation, after which the company will be required to terminate all cross-border data transfer activity. The company can then re-apply for a security assessment after having rectified the issues that caused it to lose its approval status.
Limitations to the assessment measures
Although the new assessment measures provide significant clarification and a tangible pathway for companies to export and process data overseas, some questions remain over how the regulations will be implemented. These questions mainly arise from ambiguity over the definition of certain terms in the data security legislation that the assessment measures are based on.
Most notable among these are the definitions of ‘important data’ and ‘CII operators’, which are not defined in the assessment measures and are only loosely defined in other legislation. Despite this, there are some legislative documents that we can look at to get a general definition of these terms. Regulations on the security and protection of CII that took effect on September 1, 2021, offer some more clarity on which sectors will result in a company being designated a CII operator – energy, transport, water, and national defense, among others – but still leave the door open to interpretation for some industries – notably digital platforms – and place the final burden of designation on regulatory departments.
It is a similar story for the definition of ‘important data’. On September 30, 2021, the Ministry of Industry and Information Technology (MIIT) began soliciting public opinion on a set of draft regulations that classify data by level of sensitivity. The regulations divide data into three categories – ‘general data’, which is the least sensitive, ‘important data’, which requires a security assessment before it can be transferred overseas, and ‘core data’, which poses a high risk to China’s national security and may not be transferred overseas.
In its classification, ‘important data’ is given a broad definition, and includes (but is not limited to) any data that poses a threat to core national interests, including China’s politics, territory, economy, society, internet, and resources, as well as data whose security could affect China’s national security in key fields such as “overseas interests, biology, space, polar regions, deep seas, and artificial intelligence.” Notably, the above definition of ‘important data’ is very similar to the definition of ‘core data’ in the document, with the only point of differentiation (in this definition) being that ‘core data’ poses a “serious” threat to China’s national interests. The regulation offers no details on how to define “serious”. This ambiguity makes it even more unclear how the regulations will be implemented in practice and will likely give authorities some leeway to interpret the regulations as they see fit.
A legal way forward for companies handling sensitive data
Despite a lack of clarity for certain sectors, the new assessment measures are nonetheless an important step in building a robust regulatory environment for the export of data from China. When finalized and brought into effect, they will finally offer companies with overseas operations a means of seeking approval to transfer data overseas, while
As the possibility of additional requirements and irregular rulings remain, companies that are seeking to apply for a security assessment are advised to consult with the local CAC department to assess whether they need to apply for a security assessment and if any additional procedures are required. In addition, qualified legal professionals can help to ensure contracts and other legally binding documents contain all the necessary stipulations to meet the requirements stipulated in the assessment measures.
About Us China Briefing is written and produced by Dezan Shira & Associates.