Takeaways

  • “Data export” refers to the overseas transfer from China of data collected and generated within China, as well as the scenario in which a foreign entity or foreign individual is granted the authority to access any data stored within China.
  • The new measures specify the requirements on security assessment and thresholds and the scope of data that is subject to the government security assessment.
  • The new measures provide a six-month grace period for compliance.

On July 7, 2022, the Cyberspace Administration of China (CAC) of the People’s Republic of China (PRC or China) released the final version of the long-awaited Measures on Security Assessment for Data Export (Measures, “《数据出境安全评估办法》” in Chinese). The Measures specify the thresholds of data and information, the export of which is subject to CAC’s security assessment. The Measures will come into effect on September 1, 2022, and they grant a grace period of six months from the effective date of the Measures for a data processor to rectify data exports that occurred prior to September 1, 2022, but not in compliance with the requirements of the Measures. This means that data processors whose cross-border transfer activities meet the thresholds of the security assessment under the Measures must file with the CAC for a government security assessment no later than March 1, 2023. Companies in China that are currently exporting important data and/or personal data outside of China should take immediate action to assess whether their cross-border data transfer meets any of the thresholds of the Measures discussed in Section I of this alert.

Security assessment for data export, which has been addressed in high-level detail in the Cybersecurity Law (effective from June 1, 2017, see our previous alert), the Data Security Law (effective from September 1, 2021, see our previous alert) and the Personal Information Protection Law (effective from November 1, 2021, see our previous alert), requires that Critical Information Infrastructure (CII) operators and data processors who are handling personal information exceeding a certain threshold must pass a security assessment by the CAC before exporting certain data and personal information. The Measures establish the legal regime on security assessment for data export and will have a significant impact on business operators in China that process and export important data or certain quantities of personal information overseas.

I. Scope of Application of the Measures

A security assessment is required before a data processor exports data overseas if it has any of the following circumstances:

View the chart.

Please note that data export not only includes the scenario where data collected and generated within the PRC is transferred and stored outside of the PRC but also includes the scenario where a foreign entity or individual is granted the authority to access or use any data stored within the PRC.

II. Procedures for Security Assessment

1. Self-assessment

Before a data processor applies with the CAC for security assessment on data export, it is required to conduct a self-assessment with a focus on the following aspects:

  1. the legality, legitimacy and necessity of the purpose, scope and methods of the data export, and the processing of the data by the overseas recipient;
  2. the scale, scope, type and sensitivity of the data export, and the risks to national security, public interest or the legitimate rights and interests of individuals or organizations, caused by such data export;
  3. the duties and obligations which the foreign recipient commits to perform, and whether the foreign recipient’s organizational and technical measures and capabilities can guarantee the security of the data export;
  4. the risks of the data being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the data export, and whether there is a smooth channel for safeguarding personal information rights and interests;
  5. whether the responsibilities and obligations for data security protection are fully agreed in the relevant contracts or other legally binding documents to be concluded with the foreign recipient (Legal Instrument); and
  6. other matters that may affect the security of the data export.

2. Government Assessment Requirements and Timeline

a. Submission of Materials
After a data processor completes the self-assessment and before it enters into any formal Legal Instrument with the overseas recipient, if it determines that the proposed data export meets any of the thresholds summarized in Section I above, it shall submit (i) an application letter, (ii) the self-assessment report, (iii) the proposed Legal Instrument, and (iv) any other materials necessary for the security assessment to the relevant provincial level of the CAC (Provincial CAC).

b. Timeline
The Provincial CAC has up to five working days to review the application documents and determine if the application documents are complete. Once approved, the Provincial CAC will forward the application documents to the national-level CAC. The CAC has up to seven working days to review the application documents to determine whether to accept the application and will issue a written notice to the data processor. The CAC will, within 45 working days from the date of issuing the written notice of acceptance to the data processor, complete the security assessment.

As such, the total government security assessment reviewing period is 57 working days if the application documents are complete and acceptable to the CAC. However, the government assessment period may be extended for a reasonable period of time if there are complications or supplementary or corrected materials are needed. Due to the lack of an explicit limit on the extended period, the CAC has discretion to extend its review and assessment for as long as it believes necessary.

If a data processor disagrees with the assessment results, it may, within 15 working days after receipt of the assessment results, apply to the CAC for re-assessment, and the re-assessment results will be final.

c. Focus of Review
The key factors that the CAC will consider in conducting the security assessment are similar to, and broader than, those for the self-assessment described above. They include the impact of the data security protection policies and regulations, as well as the network security environment, of the country or region where the foreign recipient is located, and the security of the data to be exported.

3. Other Notable Requirements

The security assessment result is valid for two years. A data processor is also required to re-submit an application for government security assessment in certain circumstances, such as where the cross-border data transfer purpose has changed.

III. Our Observations and Recommendations

The Measures apply equally not only to domestic Chinese companies that export data outside China during cross-border transactions but also to the transfer or sharing of data by the Chinese subsidiaries of multinational corporations (MNCs) with their overseas headquarters and affiliate(s) within the same MNC group. This happens on a daily basis, as sensitive personal information of employees of the China operations of foreign companies or organizations is transferred to overseas headquarters for HR management purposes or where information of China-based customers/vendors/distributors is exported for business purposes. MNCs with presences in China should take the Measures seriously and start to review their cross-border data transfer practices as soon as possible with guidance from counsel.

The Measures grant a grace period of six months from the effective date of the Measures (September 1, 2022) for a data processor to rectify data exports that occurred prior to September 1, 2022, but not in compliance with the requirements of the Measures. We suggest that MNCs that have operations and subsidiaries in China and that have obtained or have access to important data and/or personal information from China cause each of their affiliates in China to evaluate, with guidance from counsel, whether its cross-border data transfer is subject to the Measures and the CAC government security assessment by reviewing the following key elements:

  • whether it is a Critical Information Infrastructure (CII) operator;
  • whether it is processing and exporting important data;
  • whether it is processing personal information of one million or more individuals;
  • whether it has transferred personal information of 100,000 individuals or more on a cumulative basis since January 1 of the previous year; and
  • whether it has transferred sensitive personal information of 10,000 or more individuals on a cumulative basis since January 1 of the previous year.

If the data processor in China meets any of the above thresholds, the cross-border transfer of data will be subject to the self-assessment and the CAC government security assessment before the data is transferred outside China.

On the other hand, if and only if none of the thresholds listed above is met, the data processor in China may rely on a data sharing/transfer agreement with the foreign recipient without the CAC government security assessment. Notably, on June 30, 2022, the CAC published the draft Provisions on the Standard Contract for the Cross-border Transfers of Personal Information (Draft Provisions, “《个人信息出境标准合同规定(征求意见稿)》” in Chinese). According to the Draft Provisions, a standard data-sharing/transferring contract can be relied upon for cross-border transfer of data only if a data processor in China does not meet any of the thresholds listed above (as discussed in more detail in Section I of this article). The Draft Provisions and an attached draft standard contract set forth the key provisions that must be contained in the standard contract for cross-border data sharing. In addition, the Draft Provisions require a data processor to conduct a personal information protection impact assessment (which is a self-assessment) before it transfers personal information overseas. The Draft Provisions also require the data processor to file both the standard contract and the report of its personal information protection impact assessment with the relevant provincial-level CAC within 10 working days after the standard contract comes into effect. Unlike the government security assessment described in Section II of this alert, this is a filing rather than an approval process with the government authority.

Furthermore, on June 24, 2022, China’s National Information Security Standardization Technical Committee published the Practical Guidelines for Cybersecurity Standards - Specification for Security Certification of Cross-Border Processing of Personal Information (Certification Specification, “《网络安全标准实践指南- 个人信息跨境处理活动安全认证规范》” in Chinese), which takes effect on the same date. According to the Certification Specification, which is a national standard rather than a mandatory law or regulation, a certification can be obtained for (i) the cross-border processing of personal information among subsidiaries or affiliates of an MNC or the same economic entity; or (ii) analysis and evaluation of the behavior of Chinese domestic natural persons outside the PRC. As such, if the PRC subsidiary of an MNC in China does not meet any of the thresholds listed above (Section I of this article), the Chinese subsidiary of the MNC might also apply to obtain security certification from a certification unit in China for the cross-border transfer of data with its overseas affiliates according to the requirements of the Certification Specification. However, neither the Certification Specification nor any other published regulations have identified any specific institution that is qualified to conduct such certification.

We will monitor the developments of regulations, implementation rules and guidelines regarding the cross-border data transfer in China, and keep you updated.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.