China’s Security Assessment for Cross-Border Data Transfers, Effective September 2022

On 7 July 2022, the Cyberspace Administration of China (CAC) finalised the Measures for Security Assessment for Cross-Border Data Transfers (Security Assessment Measures), more than 10 months after the People’s Republic of China (PRC) passed the Personal Information Protection Law (PIPL).

The Security Assessment Measures, first issued in draft form in October 2021 (Draft), will take effect on 1 September 2022.

Background

The Security Assessment Measures supplement Article 40 of the PIPL, which provides that Critical Information Infrastructure Operators (CIIO) and data controllers, who are handling personal information over a certain threshold, are to store domestically such personal information collected and produced within the PRC and must pass a security assessment by the CAC before exporting such personal information.

Application

The Security Assessment Measures specify that data controllers and/or CIIOs will be subject to security assessment if they reached the following thresholds:

1. Data controllers exporting important data;
2. CIIOs exporting personal information, or data controllers processing the personal information of one million people or more;
3. Data controllers who have exported:
   1. the personal information of 100,000 people; or
   2. the sensitive personal information of 10,000 people,

   since January 1 of the previous year; or

4. The catch-all provision of “other situations provided for by the CAC that require a security assessment”.¹

The provisions of the Security Assessment Measures - issued pursuant to the Cybersecurity Law (CSL), PIPL, and the Data Security Law (DSL) (together referred to as PRC Data Privacy Laws) - apply not just to "personal information" but also to "important data" (which is a broader category than personal data).

Furthermore, unlike the Draft issued in October 2021, the Security Assessment Measures now specify that the relevant date for determining when a data controller falls within "threshold 3" (see above) is January 1 of the previous year. Data controllers exporting data in the latter part of the year (e.g., December) are therefore more likely to be caught within this threshold, which potentially applies to the export of data for a period of up to two years.²

The Framework for Security Assessments

The Security Assessment Measures provide the framework for security assessments, which include :

1. Conducting a self-assessment of the impact of exporting the data (Article 5);
2. Submitting materials to support the data controller’s security assessment (Article 6);
3. Security assessment process and timelines (Article 7, 10 - 13);
4. Security assessment criteria (Article 8);
5. Requirements of data processing agreements (Article 9);
6. Validity of security assessments (Article 14);and
7. Consequences of breaching the Security Assessment Measures (Article 18).

Self-Assessment of Data Export Risks

The Security Assessment Measures require data controllers to carry out a self-assessment of data export risks prior to applying for a security assessment.³

The self-assessment is to focus on the following:

1. The legality, legitimacy, and necessity of the purpose, scope, and methods of data processing by the data controller and foreign recipients;
2. The scale, scope, type, and sensitivity of exported data, and the risks that data export may bring to national security, the public interest, or the lawful rights and interests of individuals or organizations;
3. The responsibilities and obligations undertaken by the foreign recipient, as well as whether the management, technical measures and capabilities to perform the responsibilities and obligations can ensure the security of exported data;
4. The risk that data will be tampered with, destroyed, leaked, lost, transferred, or illegally acquired or used during or after export, and whether channels have been established to safeguard data subjects’ rights and interests in their personal information rights;
5. Whether the data security protection responsibilities and obligations have been fully stipulated in the data export-related contracts or other legally effective documents formulated with the foreign recipient; and
6. Other matters that may affect the security of data exported.

This self-assessment is substantially similar to the self-assessment practices prescribed in the recently released Draft Provisions on the Standard Contract for Cross-Border Transfers of Personal Data (Draft Cross-Border Contract Provisions) and fulfils the requirement under Article 55 of the PIPL for data controllers to conduct a personal information protection impact assessment prior to the export of personal information.

Material Submission

The Security Assessment Measures require data controllers to submit:

1. A declaration;
2. Self-assessment report;
3. Data processing agreement between the data controller and the foreign recipient; and
4. Other materials required for safety assessment work.⁴

Data Processing Agreement

The data processing agreement is to contain provisions addressing the following:

1. The purpose, method, and scope of data exported, and the purpose and method of processing data by foreign recipients;
2. The place and period of data retention abroad, as well as measures to handle exported data after the retention period expires, the agreed purpose is completed, or the legal documents are terminated;
3. Binding requirements for overseas recipients to transfer outbound data to other organizations or individuals;
4. Security measures that the foreign recipient shall adopt when there is a substantial change in its actual control or business scope, or when the data security protection policies, regulations, and network security environment of the country or region where it is located changes, or other force majeure circumstances that make it difficult to ensure data security;
5. Remedies, liability for breach of contract, and dispute resolution methods for violating data security protection obligations stipulated in legal documents;
6. When outbound data is tampered with, destroyed, leaked, lost, transferred, or illegally acquired or illegally used, the requirements for properly carrying out emergency response and the ways and means for individuals to safeguard their personal information rights and interests are to be properly carried out.⁵

Unlike the CAC’s recently issued Draft Standard Contract, there are no provisions for data controllers to redact sensitive information in the data processing agreement between the data controller and the foreign recipient, which would subject the entire agreement to CAC scrutiny. Furthermore, the CAC retains a discretion to request “other materials required for safety assessment work”⁶, so data controllers should be mindful when making reference to sensitive extrinsic documents in the data transfer agreements with foreign recipients.

Timeline of Approval Process

The approval process will take up to 57 working days from submission of the documents, provided there are no deficiencies in the materials submitted, or no requirement for the data controller to supplement such materials.⁷

Security Assessment and Re-Assessment

In addition to the self-assessment, the security assessment by the CAC will also take into account the following:

1. The impact of data security protection policies and regulations and the network security environment of the country or region where the foreign recipient is located;
2. Whether the level of data protection of the foreign recipient meets the requirements of the laws and administrative regulations of the PRC and mandatory national standards;
3. Compliance with PRC laws, administrative regulations, and departmental rules;
4. Other matters that the CAC deems necessary to be assessed.⁸

In the event a refusal is received from the CAC, data controllers may apply to the CAC for a re-assessment within 15 working days of receiving the assessment result but the re-assessment will be a final determination and not subject to further appeal.⁹

Validity of Security Assessments

Security assessments are valid for a period of two years. Data exporters are required to notify the authorities where there are:

1. Changes to the purpose, methods, scope, and types of data exported, as well as the purposes and methods for which foreign recipients process data, that affect the security of exported data, or extending the period of overseas retention of personal information and/or important data;
2. Changes in the data security protection policies, regulations, and network security environment of the country or region where the foreign recipient is located, as well as other force majeure circumstances such as changes in the actual control of the data controller or the foreign recipient, changes in the legal documents of the data controller and the foreign recipient, and other changes that affect the security of exported data;
3. Other circumstances that affect the security of exported data.¹⁰

While it is not clear whether in such scenarios the entire assessment process must be reinitiated, the Security Assessment Measures seem to suggest this – data exporters who need to export data after the expiry of their first security assessment are required to “re-declare” the assessment 60 working days before the expiration of the first security assessment. ¹¹

Consequences of Breaching the Security Assessment Measures

Violations of the Security Assessment Measures are deemed to be violations of the relevant provisions of the PRC Data Privacy Laws and/or relevant criminal code.¹²

Other Observations

The Security Assessment Measures define “Important Data” as “data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and safety, and so forth.”¹³ Interestingly enough, this is substantially similar to the definition of “Important Data” featured in the Draft Measures for Data Security Management issued in May 2019, as opposed to the more detailed definition featured in Article 73 of the more recent Draft Online Data Security Management Regulations issued in November 2021. This hints at the CAC’s intention to define “Important Data” more vaguely, and in doing so, retain a greater degree of discretion to pronounce data “Important Data”.

The Security Assessments are meant to be a more stringent assessment of data exports that cross a certain threshold. Accordingly, while the requirements of the data processing agreement may seem relatively straightforward, it may be prudent for data controllers to consider adopting the recently released Draft Standard Contract for the purposes of data processing agreements in order to reduce the likelihood of the CAC rejecting a data controller’s security assessment, especially since the assessment may take 57 working days or more.

Conclusion

The finalisation of the Security Assessment Measures comes hot on the heels of: a.) the CAC’s issuance of the Draft Standard Contract Provisions on 30 June 2022, and b.) the National Information Security Standardisation Technical Committee’s issuance of the Draft Standards for Privacy Policies of Internet Platforms, Products and Services issued on 26 May 2022, and the Draft Technical Specifications for Certification of Personal Information Cross-Border Processing Activities on 24 June 2022. The blistering pace at which the various PRC government bodies have been issuing policies strongly suggests that the PRC government is intensifying efforts to ensure that data controllers in the PRC are compliant with the various PRC data laws. At the same time, the release of these measures and regulations, while imposing onerous conditions, do provide businesses with a greater degree of certainty as to the boundaries of their compliance obligations.

Given the rapidly changing landscape of PRC data privacy laws and regulations, companies which have business interests in China or a local presence there are advised to be alive to the issuance of new regulations that may impact their compliance obligations.

¹ Article 4 of the Security Assessment Measures.

² Based on the current wording, if a data controller wishes to export data on 31 December 2022, it would have to conduct a self-assessment to determine if it would need to apply for a security assessment – this would involve an assessment of whether it’s data exporting activities from 1 Jan of the previous year (almost 24 months prior) would have crossed the relevant thresholds.

³ Article 5 of the Security Assessment Measures.

⁴ Article 6 of the Security Assessment Measures.

⁵ Article 9 of the Security Assessment Measures.

⁶ Article 6 of the Security Assessment Measures.

⁷ Article 7 read with Article 12 of the Security Assessment Measures.

⁸ Article 8 of the Security Assessment Measures.

⁹ Article 13 of the Security Assessment Measures.

¹⁰ Article 14 of the Security Assessment Measures.

¹¹ ibid.

¹² Article 18 of the Security Assessment Measures.

¹³ Article 19 of the Security Assessment Measures.