
Knowledge Highlights 1 August 2022
On 7 July 2022, the Cyberspace Administration of China (“CAC”), China’s main watchdog for data compliance, released the final version of the Measures on Security Assessment for Cross-border Data Transfer (《数据出境安全评估办法》) (“Measures”) detailing, inter alia, the scope, requirements and process for the security assessment of cross-border data transfer (“Security Assessment”) in China. The Measures were officially released eight months after the draft for public comments was published by CAC at the end of October 2021. We provided a brief overview of the draft for public comments in our article titled “New Legal Framework for Cross-border Data Transfer in China” published in December 2021.
The Measures will take effect on 1 September 2022.
This article discusses some of the key highlights of the Measures.
Scope of the Measures
The Measures shall apply to cross-border data transfer activities involving the provision of critical data and personal information by a data processor based in China (“Data Processor”) to entities or individuals outside the country, where the data and personal information to be provided is collected and generated during the Data Processor’s domestic operations.
CAC, in a meeting with the press, shed light on the cross-border data transfer activities referred to in the Measures, which mainly include the following:
The Measures do not clarify whether an entity based outside China collecting data directly from China is required to undergo the Security Assessment - for example, a website hosted completely offshore collecting personal information from its users who are based in China.
Applying for a Security Assessment
A Data Processor intending to provide data out of China must apply for a Security Assessment before providing the data where:
The term “critical data” is defined in the Measures as any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may endanger national security, economic operations, social stability, or public health and safety. In January 2022, the National Information Security Standardisation Technical Committee (also known as TC260) issued a draft of a guideline titled “Information Security Technology - Guideline for Identification of Critical Data” which sets out what constitutes “critical data”. Please refer to our article titled “China clarifies scope of ‘critical data’ in cross-border data protection regime” for more information.
“Critical information infrastructure operator” is defined in the Regulation on the Security and Protection of Critical Information Infrastructure as operators of information infrastructure in important industries and sectors, such as public communication and information services, energy, transport, water conservancy, finance, public services, e-government services, and national defence.
Materials to be submitted for a Security Assessment
The following materials must be submitted to request a Security Assessment:
The Measures provide that the self-assessment report mentioned above should focus on the following:
The Measures also set out the information to be included in the legal documents concluded between the Data Processor and the overseas recipient:
Security Assessment process and timeline
The Data Processor should submit the required materials to a CAC provincial department to apply for a Security Assessment. The provincial department will then forward the materials to CAC within five working days or, if any supplement is needed, return the materials and inform the Data Processor to provide the necessary supplementary documents. Upon receiving the required materials forwarded by the provincial department, CAC should determine within seven days whether a Security Assessment will begin and notify the Data Processor of its decision in writing (“written notice”).
Generally, CAC will determine the result of its Security Assessment within 45 working days of the written notice, and inform the Data Processor of the result in writing. If the Data Processor disagrees with the result, it can apply to CAC for a re-assessment within 15 working days of receipt of the result. The result of a re-assessment will be final.
The CAC is able to extend, on an appropriate basis, the time needed to complete a Security Assessment where it finds that the circumstances of the particular matter are complex or that the materials provided require supplementation or revision. The CAC should inform the Data Processor of such an extension. The Measures do not provide a maximum time limit for extensions.
Validity of Security Assessment result
The result of passing a Security Assessment is valid for two years from the date when CAC makes its decision. If the Data Processor would like to continue the cross-border data transfer at the end of this period, it should apply for another Security Assessment 60 working days before the expiry date of the previous passing result.
It should be noted that a Data Processor should apply for another Security Assessment, even where it holds a passing result with remaining validity period of more than 60 working days, if any of the following occurs:
Additionally, if CAC finds that the cross-border data transfer activity that has passed the Security Assessment no longer meets the security management requirements, it has the power to require the relevant Data Processor to terminate the cross-border data transfer activity. This should be communicated to the Data Processor in writing. The Data Processor must then apply for another Security Assessment if the Data Processor would like to continue to carry out the cross-border data transfer activity.
Transition period
Data Processors will have six months from 1 September 2022 to ensure their cross-border data transfer activities comply with the Measures. However, the Measures do not clarify whether any cross-border transfer of data undertaken by the Data Processor that has not passed a Security Assessment should be paused during the transition period. It is advisable for a Data Processor who will be affected by the Measures to apply for a Security Assessment as soon as possible once the Measures become effective.