Jingyuan Shi and Yuchen Lai discuss how security assessments should be completed under China’s latest rules on cross-border data transfers.
On 7 July, the Cyberspace Administration of China (CAC) promulgated the Measures on Security Assessment for Data Exports (the Measures), which take effect on 1 September 2022.
The Measures set out detailed provisions regarding the “security assessment” required under China’s Personal Information Protection Law (PIPL), Cybersecurity Law and Data Security Law.
In particular, international players with a large client/user base in China are likely to be subject to the “security assessment” requirement and will need to take prompt compliance action, given the relatively short grace period.
Data transfers that require Security Assessment
Under China’s data protection laws, a data processor (i.e. equivalent to a “data controller” under the GDPR) may transfer data out of mainland China following different routes, depending on the nature of the data processor and the volume of data processed.
Such routes include completing a security assessment for cross-border data transfers (Security Assessment), obtaining a personal information protection certification from a professional institution designated by the CAC (Certification), or entering into a standard format data transfer agreement with the overseas recipient (Standard Contract).
The Measures clarify the scenarios where a mandatory Security Assessment is required, including:
- where any “Important Data” is to be transferred out of mainland China (“Important Data” refers to data that may harm national security or public interests if altered, damaged, leaked, or illegally acquired or used. Catalogues of Important Data are to be formulated and published by sectoral and regional regulators);
- where a critical information infrastructure operator is to transfer personal information out of mainland China;
- where a data processor that processes personal information of more than 1 million individuals is to transfer personal information out of mainland China; or
- where a data processor that has transferred personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals out of mainland China since 1 January of the previous year is to transfer personal information out of mainland China.
If none of the aforesaid scenarios applies, data exporters may choose the Certification route or the Standard Contract route to transfer personal information out of mainland China.
How to complete the Security Assessment?
To complete the Security Assessment, the relevant data exporter shall submit an application letter, a self-assessment report as well as the legal document to be signed with the overseas recipient to the CAC for approval.
The CAC may have up to 57 working days to decide whether to approve an application (however this can be extended for exceptionally complex cases at the discretion of the CAC).
The self-assessment shall focus on evaluating the lawfulness, legitimacy and necessity of the intended transfer, the relevant risks, the overseas recipient’s capacity to safeguard data security, whether the data subjects have convenient channels to exercise their rights as provided under the PIPL, and whether the “legal document” to be signed between the data exporter and the overseas recipient has fully specified the data protection responsibilities and obligations of each party.
The Measures have not restricted the form of the required “legal document” (which can be either a contract or other binding documents). Such a legal document must set out:
- the purpose, manner and scope of the intended transfer;
- the purpose and manner of the overseas recipient’s processing;
- the storage location and retention period of the data to be transferred as well as how such data shall be dealt with upon expiration of the retention period, completion of the relevant processing purpose or termination of the legal document;
- restrictions on onward transfers;
- measures to be taken in case of substantial changes of control or business scope of the overseas recipient, of the data protection laws / policies or cybersecurity environment of the destination jurisdiction, or force majeure events causing difficulties to protect the relevant data;
- remedies, liabilities and dispute resolution methods when breaching the legal document; and
- emergency response arrangements and channels for data subjects to exercise their personal information rights.
Period of validity
Security Assessment decisions are valid for two years. That said, before the two-year validity period expires, the data exporter will have to apply for a re-assessment in the event of:
- any change of the purpose, manner or scope of the transfer or the purpose or manner of the overseas recipient’s processing, which may affect the security of the transferred data;
- the data being retained outside of mainland China for a period longer than the previously approved timeframe;
- any change of the data protection laws / policies or cybersecurity environment of the destination jurisdiction, force majeure events, change of actual control of the data exporter or overseas recipient, or change of the legal document, which may affect the security of the transferred data; and
- other situations that may affect the security of the transferred data.
The clock is ticking
The Measures provide a six-month grace period: any cross-border transfers within their scope that are already in existence must be rectified before 28 February 2023. That said, six months is considered fairly short, especially for those that have not completed a proper PIPL compliance project.
Preparations for the new rules should include mapping existing and intended cross-border data transfer flows, conducting self-assessments, and discussing with overseas recipients the reformulation and signing of appropriate legal documents.
We recommend market players first work on identifying whether Security Assessment requirements apply to their firms, and then make preparations accordingly.
The authors are Jingyuan Shi, partner at Simmons & Simmons, and Yuchen Lai, legal executive at Simmons & Simmons.