Legal Updates from some of our members
Security Assessment Of Cross-Border Data Transfer To Take Effect In September 2022
Entities who want to provide data abroad should be subject to a governmental security assessment on some occasions according to the Measures for the Security Assessment of Cross-border Data Transfer (the “Measures”) released by the Cyberspace Administration of China (“CAC”) on July 7, 2022. The Measures will take effect on September 1, 2022.
The Measures is the latest effort of CAC in respect of supervision over cross-border transfer of data and personal information and will set additional regulatory compliance foundation fo;pr cross-border data transfer.
CAC formulates the Measures based on the Personal Information Protection Law (“PIPL”) effective on November 1, 2021, the Data Security Law (“DSL”) effective on June 1, 2021, and the Cybersecurity Law (“CSL”) effective on June 1, 2017.
- What is cross-border data transfer
The relevant laws and the Measures provide that to provide data and personal information abroad must go through security assessment upon certain thresholds met and fulfil other conditions as specified in PIPL, DSL and CSL; however, they keep silent on what cross-border data transfer means.
The overwhelming view is that cross-border data transfer normally includes the following situations:
- Data processor provides personal information and data directly to recipients located overseas;
- Overseas entities, organizations and individuals have remote access to data and personal information stored within the territory of China;
- Multi-national companies transmit, from China to overseas, personal information and data they generate or collect in their operations within China;
- Data processor provides data to entities that are located within China but not subject to Chinese jurisdiction or not registered within China.
- Governmental security review – CAC-led security assessment for cross-border data transfer
The Measures requires data processors to go through a security assessment organized by CAC before transferring abroad important data and personal information collected and generated during their operations within the territory of China.
Specifically, data processors are required to apply for a CAC-led security assessment through provincial cyberspace administration authorities under any of the following circumstances:
- A data processor transfers important data abroad;
- A critical information infrastructure operator (as defined in the CSL) or a data processor who processes over one million individuals’ personal information transfers personal information abroad;
- A data processor who has accumulatively transferred personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals since January 1 of the preceding year transfers personal information abroad; or
- Other circumstances to be specified by the CAC.
The Measures for the first time defines the important data, which generally refers to any data that, once it is falsified, damaged, leaked, or unlawfully acquired or used, may endanger national security, economical operation, social stability or public health and security. It fails to set out any specific categories of important data, which leads to the definition of important data rather broad and vague.
The quantitative threshold of transferring personal information abroad is noteworthy. Particularly, the accumulative transfer threshold would mean that any processor may fall into such mandatory security assessment if its processing reaches the quantitative threshold within the given period and such threshold is not high in a country as populous as China.
CAC will focus its assessment on potential risks to national security, public interest, and legitimate rights and interests of individuals or organizations, especially the following:
- whether the purpose, scope and means of cross-border data transfer are lawful, fair and necessary;
- the impact on the security of the transferred data by the data security protection policies and laws and cybersecurity environment in the country/region of the overseas recipient; whether the data protection level of the overseas recipient meets the requirements of the laws, administrative regulations and mandatory national standards of China;
- the quantity, scope, catagories and sensitivity of the transferred data and the risks of falsification, damage, leakage, loss, transfer or illegal acquisition or exploitation during and after cross-border transfer;
- whether data security and personal information rights can be fully and effectively protected;
- whether the data processor and overseas recipient have made clear their respective responsibilities and obligations in terms of data security protection in their data export contract or other legally binding documents (collectively “Data Export Contract”) to be concluded;
- compliance with Chinese laws, regulations and ministry regulations; and
- other items that CAC deems relevant and necessary for such security assessment.
- Internal security review – self-assessment of risk for cross-border data transfer
Data processors are required to conduct an internal risk assessment before applying to CAC for government security assessment.
The self-assessment focuses on the following:
- whether the purpose, scope and means of cross-border data transfer and data processing of overseas recipient are lawful, fair and necessary;
- the quantity, scope, categories and sensitivity of data to be transferred abroad, and risks to national security, public interests, legitimate rights and interests of individuals and organizations;
- responsibilities and obligations that overseas recipient undertakes to perform; whether managerial and technical measures and capability for performing such responsibilities and obligations can ensure the security of data to be transferred abroad;
- risks of data falsification, damage, leakage, loss, transfer or illegal acquisition or exploitation during and after cross-border transfer; whether individuals may easily defend their rights and interests with respect to their personal information; and
- whether Data Export Contract to be concluded by and between data processor and overseas recipient clearly defines the responsibilities and obligations for data security protection; and
- other matters that may affect the security of the data transferred abroad.
- Flowchart of self-assessment of risk and CAC-led security assessment
5. Validity term of security assessment and reassessment
Security assessment result would be valid for a term of two years after the date of issuance and data processors should apply for reassessment sixty working days before the expiration of validity term if they intend to continue the original data transfer.
In addition, reassessment is needed in the event that any of the following circumstances occurs during the validity term:
- changes to the purpose, means, scope, categories of the cross-border data transfer or changes to use and means of processing of data by overseas recipient, which may affect security of data transferred abroad; extension of overseas retention period of personal information and important data;
- changes to data security protection policies and laws and cybersecurity environment of the country or region where overseas recipient is located, or occurrence of other force majeure events in such country or region, or changes to the actual control of data processor or overseas recipient, or changes to the Data Export Contract, which may affect the security of the transferred data;
- Other circumstances that might affect the security of transferred data.
6. Data Export Contract
The Measures requires a Data Export Contract between data processor and overseas recipient to clearly specify the responsibilities and obligations for data security protection which shall at least include the key terms and conditions as listed in the Measures.
- Purpose, means and scope of the cross-border data transfer; means and purpose of processing by the overseas recipient;
- Location where the data will be stored outside of China and the data retention period (as well as the measures to be taken upon expiration of the retention period, termination of the Data Export Contract, or otherwise when the purpose of processing has been achieved);
- Provisions restricting re-transfer of the data by the overseas recipient to other individuals or entities;
- Security measures to be taken in the event of a material change to the overseas recipient’s actual control or business scope, or changes to the data security protection policies and laws and cybersecurity environment in the country/region where the overseas recipient is located, or occurrence of other force majeure events in such country/region, which lead to that the overseas recipient cannot ensure the security of the data;
- Remedial measures, liability for breach of contract and method of dispute resolution for violations of contractual data security responsibilities as set forth in the Data Export Contract; and
- Provisions requiring the overseas recipient to respond appropriately and approaches and means to safeguard the individuals’ rights and interests in personal information, in the event of any falsification, damage, leakage, loss, transfer or illegal acquisition or exploitation of data transferred abroad.
7. 6-month grace period
The Measures require data processors to correct any incompliance in their cross-border data transfer prior to the Measures within 6 months after the effectiveness of the Measures (September 1, 2022).
This Newsletter is only offered for the purpose of sharing information. It discusses legal developments and should not be regarded as legal advice for specific situations. If you wish to obtain more information, please contact us at .
Other Legal Updates from some of our members
The Law Firm Network is a network of independent law firms originated in 1989. Our members are not affiliated in the joint practice of law; each member firm is an independent law firm and renders professional services on an individual and separate basis.