On 7 July 2022, the Cyberspace Administration of China (“CAC”) promulgated the Measures for the Security Assessment of Outbound Data Transfers (“Measures”), which take effect on 1 September 2022.
The Measures contain 20 Articles, which we have grouped into the following 11 themes:
- Purpose and scope – Articles 1 & 2
- Important data – Article 19
- Security Assessment triggers – Articles 4 & 14
- Data transfer legal documents – Article 9
- Ex-Ante Self-assessments – Article 5
- Security Assessment applications – Article 6
- Security Assessments – Articles 3, 8, 10, 11 & 14
- Security Assessment timescales – Articles 7, 12 & 13
- Confidentiality obligations – Article 15
- Liability – Articles 16, 17 & 18
- Effective date and transitional period – Article 20
We explore each theme below before discussing some issues raised at a press conference held by the CAC on 7 July 2022.
Purpose and scope
Article 1 of the Measures states that their purpose is “to regulate outbound data transfer activities, protect personal information rights and interests, protect national security and social and public interests, and promote a safe and free flow of data across borders”.
Article 2 then provides that the Measures apply to Security Assessments of outbound transfers of important data and personal information that data processors have collected and generated through their operations in China. Accordingly, the Measures do not appear to apply extraterritorially to personal information that data processors collect and generate outside China.
Important data
Important data is presently an unclear legal concept with no overarching definition. At a conceptual level, the legal obligations relating to important data seem to lie somewhere in the middle of a spectrum between personal information and state secrets.
The Measures define important data in the context of outbound data transfers only. At this time, only one other source of law defines important data, namely the Several Provisions on Vehicle Data Security Management (Trial) (“Trial Provisions”). We compare the definition in the Measures with that in the Trial Provisions below, omitting the latter’s enumerated examples.
The Measures:
For the purposes of these Measures, the term “important data” means any data, the tampering, damage, leakage, or illegal acquisition or use of which, if it happens, may endanger national security, the operation of the economy, social stability, public health and security, etc.
The Trial Provisions:
The term “important data” refers to any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may lead to endangerment of national security or public interests, or infringement of the lawful rights and interests of an individual or organisation, including…
Both definitions are risk-based, but apart from endangering national security, the risks they identify differ slightly. What this means in practice, and how multiple definitions of important data will interact, remains unclear.
As the CAC was involved in drafting both regulations, the differences seem to point to the following core definition:
Data that may harm the interests of the nation, public, or persons if breached.
Security Assessment triggers
A data processor must apply, through its provincial CAC, for a Security Assessment before making an outbound data transfer in any of the following circumstances:
- it transfers important data;
- it is a Critical Information Infrastructure operator (“CIIO”);
- it is a personal information processor that has processed the personal information of more than 1,000,000 individuals;
- it has made cumulative outbound transfers of the personal information of more than 100,000 individuals since 1 January of the previous year;
- it has made cumulative outbound transfers of the sensitive personal information of more than 10,000 individuals since 1 January of the previous year; or
- the transfer falls within other situations prescribed by the CAC.
Whether a company might be identified as a CIIO remains unclear in many industries. Nevertheless, Article 10 of the Regulations on the Security Protection of Critical Information Infrastructure states that the authorities will notify a company once it has been identified as a CIIO. For practical purposes, therefore, companies can treat themselves as not being CIIOs until the authorities tell them otherwise.
It is understood that many companies, and multinationals in particular, would prefer to see a rise in the transfer thresholds that trigger Security Assessments.
Data transfer contracts
Article 9 of the Measures states that contracts, which it refers to as legal documents, between the data exporter and the overseas recipient for outbound data transfers should cover:
- the purpose and method of the outbound data transfer, the data scope, and the data processing purpose and method;
- the data retention location and duration, and obligations when the data retention period expires, the transfer purpose completes, or the agreement ends;
- restrictions against onward data transfers to others;
- the security measures to be adopted when a material change occurs concerning the overseas recipient or the legal, regulatory and cybersecurity environment of the destination country, or when a force majeure event makes it difficult to ensure data security;
- remedial measures, liability for contractual breaches and dispute resolution mechanisms for breaching data security protection obligations; and
- requirements for proper emergency disposal and ensuring that individuals can safeguard their personal information rights and interests when their data is exposed to risks, such as being tampered with, damaged, leaked, lost, relocated, or illegally acquired or used.
On a related note, on 30 June 2022, the CAC issued the Draft Provisions on Standard Contracts for the Export of Personal Information, which also deal with outbound data transfers and contain a draft Standard Contract for use in situations that do not trigger a Security Assessment under the Measures. While contracts drafted under Article 9 may share some features with the draft Standard Contract, companies should not assume that signing a Standard Contract would satisfy the requirements of the Measures, or vice versa.
Please see China Releases Draft Standard Contract for Cross-border Data Transfers by Samuel Yang and Cross-Border Data Transfers: A Comparison of the EU And Chinese Standard Contractual Clauses by Samuel Yang and Chris Fung for more information about the draft Standard Contract.
Ex-Ante Self-assessments
Once a Security Assessment is triggered, but before applying for one, a data processor must conduct an Ex-Ante Self-assessment under Article 5. The Ex-Ante Self-assessment must address the following matters:
- the legality, legitimacy, and necessity of the outbound data transfer and the overseas recipient’s data processing in relation to the purpose, scope, method, etc.;
- the outbound data’s quantity, scope, type and sensitivity, and the risk the outbound data might pose to national security, public interests, and the lawful rights and interests of individuals and organisations;
- whether the overseas recipient’s responsibilities and obligations, and their management measures, technical measures and capabilities to perform such responsibilities and obligations can ensure the security of the outbound data;
- the risk of the outbound data suffering data breaches, including unauthorised onward transfers, during and after the outbound data transfer, and whether individuals have unobstructed channels to safeguard their rights and interests in their personal information and other data;
- whether the data security protection responsibilities and obligations are sufficiently stipulated in the data transfer contract or other documents; and
- any other matters that might affect the security of the outbound data.
Some of the factors described above are also covered by the personal information protection impact assessments (“PIPIAs”) required under the Personal Information Protection Law (“PIPL”). We believe it would be cheaper and more efficient for companies to combine the assessment factors under both the PIPL and the Measures within a single consolidated Ex-Ante Self-assessment.
Security Assessment applications
Applications for Security Assessments should contain:
- a completed Security Assessment application form;
- a copy of the Ex-Ante Self-assessment report;
- a copy of the outbound data transfer contract; and
- any other materials the CAC requires.
Security Assessments
Article 3 of the Measures provides that Security Assessments of outbound data transfers should combine ex-ante assessment with ongoing supervision, and the data processor’s Ex-Ante Self-assessment with the CAC’s Security Assessment.
The substantive content of the CAC’s Security Assessment overlaps significantly with that of the Ex-Ante Self-assessment, except in relation to the following:
- the impact of data security protection policies, legislation and the cybersecurity environment of the country or region where the overseas recipient is located in relation to the security of the outbound data, and whether the overseas recipient’s data protection level meets the requirements of Chinese laws, administrative regulations and mandatory national standards;
- compliance with Chinese laws, administrative regulations and departmental rules; and
- other matters the CAC deems necessary to assess.
We note that the first item above resembles a transfer impact assessment under the EU’s GDPR, and that data processors are not required to cover such matters in their Ex-Ante Self-assessment report.
Given the limited resources of government departments, it is doubtful that they would make such assessments on a case-by-case basis. Therefore, we wonder how such assessments are made, whether a central transfer impact assessment list exists at this time (which one might regard as China’s answer to adequacy decisions), whether such a list will become publicly accessible, and how it will be managed and updated.
The CAC may terminate a Security Assessment if it requests supplementary materials and the data processor refuses to submit them.
Article 14 of the Measures states that the result of a Security Assessment is valid for two years, but a new application is required if any of the following occurs within that period:
- any change to the purpose, method or scope of the outbound data transfer, to the data type, or to the overseas recipient’s data processing purpose or method, which affects the security of the outbound data or extends the retention period;
- any change to the data security protection policies, legislation or cybersecurity environment of the country or region where the overseas recipient is located, or any other force majeure event there;
- any change in the actual control of the data processor or the overseas recipient, or any change to the data transfer agreement, affecting the security of the outbound data; or
- any other circumstances that may affect the security of the data.
Data processors will need to reapply after the result expires. The CAC has stated: “When the validity period expires and it is necessary to continue to carry out data export activities, the data processor shall re-apply for evaluation 60 working days before the validity period expires.”
Security Assessment timescales
Security Assessment applications are submitted to the provincial CAC office, which should check the application documents for completeness within 5 working days. The national CAC then reviews the application documents and decides whether to accept the application within 7 working days. Once it issues a written acceptance, the national CAC begins a substantive review, which should take at most 45 working days from the date of acceptance. Accordingly, in normal circumstances, the entire process of applying for and undergoing a Security Assessment might take up to 57 working days (roughly 11 to 12 weeks).
However, the Measures allow the CAC to extend the deadline for completing a Security Assessment “as appropriate” if the “case is complicated or there are materials to be supplemented or corrected…”. This power to extend deadlines has no explicit upper limit.
Should a data processor object to the result of a Security Assessment, it may apply for a reassessment within 15 working days of receiving the result. Article 13 provides that the result of a reassessment is final.
Confidentiality obligations
Institutions and staff that participate in Security Assessments are legally bound to keep confidential any information that they learn during their Security Assessment work. This includes state secrets, personal privacy, personal information, trade secrets, confidential business information and other data.
Liability
Any organisation or individual that discovers a data processor conducting an outbound data transfer in violation of the Measures may report it to the CAC.
Where the CAC finds that an outbound data transfer which passed a Security Assessment no longer complies with the Measures as it is being carried out, it may notify the data processor to stop the transfer. Should the data processor need to continue the transfer, it must make “rectification as required” before applying for a reassessment.
The implications of the CAC’s ability to stop previously approved transfers for non-compliance with the Measures are unclear at this time. However, the CAC may have an implied power to interpret and construe data transfer contracts and to determine whether they are being correctly performed.
Violations of the Measures are punishable under the Cybersecurity Law, the Data Security Law, the PIPL and other laws and regulations, depending on the data processor, the data types and the nature of the violation. Violations of the PIPL attract the highest penalties: up to CNY 50 million or 5% of the violator’s revenue in the previous year. We note that on 21 July 2022, DiDi Global was fined CNY 8 billion for various data security violations, which suggests that the CAC is willing to impose large fines for violations of data laws.
Effective date and transitional period
The Measures come into force on 1 September 2022. From that date, data processors may only make outbound transfers that fall within the scope of the Measures after passing a Security Assessment. At its press conference, the CAC described the three possible outcomes of an application as follows:
“First, the application will not be accepted. For those that do not fall within the scope of the security assessment, after receiving a written notification from the national cybersecurity and informatization department, the data processor may carry out data export activities through other legal channels prescribed by law. The second is to pass the safety assessment. The data processor can carry out data export activities in strict accordance with the declared items after receiving the written notification of passing the assessment. The third is failing to pass the safety assessment. If the data export security assessment is not passed, the data processor shall not carry out the declared data export activities.”
For outbound data transfers that began before 1 September 2022, “rectification” must be completed within 6 months of that date. It is unclear whether this means that the data processor must pass a Security Assessment within this 6-month grace period, or whether submitting an application for a Security Assessment within the period would suffice. Given these deadlines, possible delays, the 2023 Spring Festival holidays (which fall within the grace period) and other factors, we recommend that data processors submit their applications for Security Assessments as soon as possible.
The Security Assessment requirements add an onerous layer of compliance obligations to the operations of many businesses. The personal information thresholds that trigger Security Assessments are low and may affect many multinational companies doing business in China. The new requirements also create uncertainty, particularly for entities that depend on cross-border data transfers to conduct business. This uncertainty will not be resolved until the Measures take full effect and the processing of Security Assessments becomes standardised in practice.
Businesses that will likely be subject to the Security Assessment regime should act now – take stock of their data flows, renegotiate their cross-border data transfer contracts and ensure that their data protection practices align with the requirements of the Measures and other Chinese laws and regulations. Businesses that operate in areas of higher risk may also wish to begin creating contingency plans in case they are prohibited from transferring certain data out of China.
Nothing in this article is intended to be legal advice to its readers. This article was written for the purposes of academic discussion only. The views of its authors do not reflect the views of regulators.