The Cyberspace Affairs Commission of China (“CAC”) promulgated the Measures on Security Assessment of Cross-Border Data Transfer (“Measures”) on 7 July 2022, which delineate the security assessment procedures required for cross-border data transfers. The Measures provide clarification on the overall requirement to conduct a security assessment before exporting data out of China as set out in Article 38 of the Personal Information Protection Law.
According to the Interpretation Guidelines that supplement the Measures, a cross-border data transfer is defined as an outward-bound transfer of data over the course of an enterprise’s operation in mainland China as well as the use of data, whether via remote access or otherwise, by individuals and organizations abroad.
A security assessment is mandatory if any of the following applies in respect of cross-border data transfers:
- The transfer involves data deemed “important”, which is defined as data that may constitute a threat to national security, economic and social stability, public health and safety if it is tampered with, destroyed, leaked or illegally obtained or used;
- The transfer of personal information by “critical information infrastructure operators”, whose operations involve systems, infrastructures and services that are integral to the proper functioning of a nation’s economy and society, such as public communication and information services, energy, water and transport providers;
- The transfer of personal information by data processors that handle personal information of more than one million individuals;
- The transfer of personal information by data processors that have exported personal information of over 100,000 individuals or “sensitive” personal information of more than 10,000 individuals since 1 January of the previous year;
- Other circumstances as stipulated by the CAC.
A self-assessment must be conducted prior to the application for a security assessment with the CAC, which should include findings in respect of the following:
- The purpose, scope and means of the data transfer;
- The level of sensitivity of the data and the risks posed to national interest and individuals’ rights;
- Whether the overseas user of the data has adequately considered their obligations and responsibilities relating to data protection in the contract concluded;
- The risk of the data being tampered with, leaked, illegally obtained or used during and after the transfer.
In order to apply for a security assessment with the CAC, the data processor must submit, together with its application letter, the self-assessment and the contractual documents between the parties in respect of data security protection. The CAC, drawing on factors similar to those covered by the self-assessment, can take up to 45 working days to conduct the security assessment. Without the CAC’s approval, cross-border data transfer shall not be permitted. Once approved, the data processor can proceed to export data in compliance with relevant rules and regulations. The security assessment is generally valid for two years, after which approval must be sought again.
Coming into effect on 1 September 2022, the Measures are expected to have extensive implications for overseas companies operating in China that have a legitimate need to export data out of China, whether to their subsidiaries or other affiliated parties.
Furthermore, the retrospective effect of the Measures calls for a systematic review of current as well as past data transfer arrangements to ensure compliance and an uninterrupted continuation of data-sharing activities.