China issues measures setting out requirements and process for security assessment of cross-border data transfer

1 August 2022

On 7 July 2022, the Cyberspace Administration of China (“CAC”), China’s main watchdog for data compliance, released the final version of the Measures on Security Assessment for Cross-border Data Transfer (《数据出境安全评估办法》) (“Measures”) detailing, inter alia, the scope, requirements and process for the security assessment of cross-border data transfer (“Security Assessment”) in China. The Measures were officially released eight months after the draft for public comments was published by CAC at the end of October 2021. We provided a brief overview of the draft for public comments in our article titled “New Legal Framework for Cross-border Data Transfer in China” published in December 2021.

The Measures will take effect on 1 September 2022.

This article discusses some of the key highlights of the Measures.

Scope of the Measures

The Measures shall apply to cross-border data transfer activities involving the provision of critical data and personal information by a data processor based in China (“Data Processor”) to entities or individuals outside the country, where the data and personal information to be provided is collected and generated during the Data Processor’s domestic operations.

CAC, in a meeting with the press, shed light on the cross-border data transfer activities referred to in the Measures, which mainly include the following:

• Data Processors transferring and/or storing data, collected and generated during the Data Processor’s operations in China, outside China; and
• Institutions, organisations or individuals outside China accessing and/or retrieving data that is stored in China and collected and generated by the Data Processor.

The Measures do not clarify whether an entity based outside China collecting data directly from China is required to undergo the Security Assessment - for example, a website hosted completely offshore collecting personal information from its users who are based in China.

Applying for a Security Assessment

A Data Processor intending to provide data out of China must apply for a Security Assessment before providing the data where:

• the data to be provided is critical data;
• a critical information infrastructure operator is providing personal information outside China, or a Data Processor processing personal information of more than one million people is providing personal information outside China;
• a Data Processor, who has provided personal information of 100,000 people or sensitive personal information of 10,000 people collectively overseas since 1 January of the previous year, provides personal information out of China; or
• other circumstances as stipulated by CAC.

The term “critical data” is defined in the Measures as any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may endanger national security, economic operations, social stability, or public health and safety. In January 2022, the National Information Security Standardisation Technical Committee (also known as TC260) issued a draft of a guideline titled “Information Security Technology - Guideline for Identification of Critical Data” which sets out what constitutes “critical data”. Please refer to our article titled “China clarifies scope of ‘critical data’ in cross-border data protection regime” for more information.

“Critical information infrastructure operator” is defined in the Regulation on the Security and Protection of Critical Information Infrastructure as operators of information infrastructure in important industries and sectors, such as public communication and information services, energy, transport, water conservancy, finance, public services, e-government services, and national defence.

Materials to be submitted for a Security Assessment

The following materials must be submitted to request a Security Assessment:

• Application form;
• Self-assessment report for cross-border data transfer;
• Legal documents, including relevant contracts and/or other legally binding documents regarding cross-border data transfer, to be entered into between the Data Processor and the overseas recipient; and
• Other materials required by CAC for a Security Assessment.

The Measures provide that the self-assessment report mentioned above should focus on the following:

• Legality, legitimacy and necessity of the purpose, scope and manner of the cross-border data transfer and of the purpose, scope and manner of data processing by the overseas recipient;
• Scale, scope, type and sensitivity of the data to be provided overseas, and the risks that the cross-border data transfer may pose to national security, public interests, and the legitimate rights and interests of individuals or organisations;
• Responsibilities and obligations the overseas recipient undertakes and whether the management, technical measures, and capacity of the overseas recipient to fulfil the responsibilities and obligations can guarantee the security of the data;
• Risk of data being tampered with, sabotaged, leaked, lost, transferred, or illegally obtained or used during or after the cross-border data transfer, and whether the channels for safeguarding the data subject’s rights and interests work smoothly;
• Whether the responsibilities and obligations of data security protection have been adequately stipulated in the legal documents to be entered into between the Data Processor and the overseas recipient; and
• Other matters that may affect the security of the cross-border data transfer.

The Measures also sets out the information to be included in the legal documents concluded between the Data Processor and the overseas recipient:

• Purpose, manner and scope of the cross-border data transfer, and the usage and manner of data processing by the overseas recipient;
• Location where the data will be retained overseas, the retention duration, and the measures for handling the data after the expiry of the retention duration, completion of the agreed purpose or termination of the legal documents;
• Binding requirements for the overseas recipient where the data received is further transferred to other organisations or individuals;
• Security measures to be taken by the overseas recipient in the event of substantial changes in its actual control or scope of business, changes in data security protection policies, legal framework and the cybersecurity environment in the country or region where the overseas recipient is located, or other force majeure circumstances that make it difficult to ensure data security;
• Remedial measures, liability for breach of contract and dispute resolution for breach of the data security protection obligations agreed in the legal documents; and
• Requirements for proper emergency handling and how affected individuals can safeguard their rights and interests in relation to their personal information where the data has been tampered with, sabotaged, leaked, lost, transferred or illegally obtained or used.

Security Assessment process and timeline

The Data Processor should submit the required materials to a CAC provincial department to apply for a Security Assessment. The provincial department will then forward the materials to CAC within five working days or, if any supplement is needed, return the materials and inform the Data Processor to provide the necessary supplementary documents. Upon receiving the required materials forwarded by the provincial department, CAC should determine within seven days whether a Security Assessment will begin and notify the Data Processor of its decision in writing (“written notice”).

Generally, CAC will determine the result of its Security Assessment within 45 working days of the written notice, and inform the Data Processor the result in writing. If the Data Processor disagrees with the result, it can apply to CAC for a re-assessment within 15 working days of receipt of the result. The result of a re-assessment will be final.

The CAC is able to extend, on an appropriate basis, the time needed to complete a Security Assessment where it finds that the circumstances of the particular matter are complex or that the materials provided require supplementation or revision, The CAC should inform the Data Processor of such an extension. The Measures do not provide a maximum time limit for extensions.

Validity of Security Assessment result

The result of passing a Security Assessment is valid for two years from the date when CAC makes its decision. If the Data Processor would like to continue the cross-border data transfer at the end of this period, it should apply for another Security Assessment 60 working days before the expiry date of the previous passing result.

It should be noted that a Data Processor should apply for another Security Assessment, even where it holds a passing result with remaining validity period of more than 60 working days, if any of the following occurs:

• Changes in the purpose, manner, scope and type of data provided outside China and the usage and manner of data processing by the overseas recipient affecting the security of data, or extension of the overseas retention duration of personal information and critical data;
• Changes that affect the security of data, including changes in data security protection policies and legal framework and the network security environment in the country or region where the overseas recipient is located, as well as other force majeure circumstances, changes in the actual control of the Data Processor or the overseas recipient, or changes in legal documents between the Data Processor and the overseas recipient; or
• Other changes that affect the security of data.

Additionally, if CAC finds that the cross-border data transfer activity that has passed the Security Assessment no longer meets the security management requirements, it has the power to require the relevant Data Processor to terminate the cross-border data transfer activity. This should be communicated to the Data Processor in writing. The Data Processor must then apply for another Security Assessment if the Data Processor would like to continue to carry out the cross-border data transfer activity.

Transition period

Data Processors will have six months from 1 September 2022 to ensure its cross-border data transfer activities comply with the Measures. However, the Measures do not clarify whether any cross-border transfer of data undertaken by the Data Processor that has not passed a Security Assessment should be paused during the transition period. It is advisable for a Data Processor who will be affected by the Measures to apply for a Security Assessment as soon as possible once the Measures become effective.