The Cyberspace Administration of China has released draft measures detailing requirements for security reviews for cross-border data transfer. Industry players have been waiting for such measures ever since China issued legislation subjecting companies that want to export certain types of data to a security assessment. The draft measures offer clarity on the governmental body responsible for overseeing security assessments and what procedures companies must undergo to get clearance to transfer data overseas.
On October 29, 2021, the Cyberspace Administration of China (CAC) released a draft version of the Measures for Data Export Security Assessment (the ‘assessment measures’) to solicit opinions from the public until November 28, 2021.
The document outlines specific requirements, steps, and procedures for companies to undergo a security assessment, a requisite for companies that handle a large volume of data from Chinese users, or whose data is categorized as ‘important’ or ‘sensitive’, for cross-border data transfer.
Many companies have been anxiously awaiting clarification on security assessment ever since China first put limits on the export of certain types of data in the Cybersecurity Law (CSL), released in 2017. The draft document offers a clear pathway for companies who need to send data overseas for their operations and clarifies which aspects of a company’s business the authorities will consider when evaluating a cross-border data transfer.
The new assessment measures are based on China’s three overarching data security laws, the CSL, Data Security Law (DSL), and the Personal Information Protection Law (PIPL), the latter of which came into effect as recently as November 1, 2021. According to the document, the assessment measures will aim to “standardize the export of data from China” and “protect personal information, safeguard national security, and public interest”.
The document will undergo another round of deliberation after gathering public opinions, after which a final draft of the document and an effective date are expected to be announced.
Not all companies are required to undergo a security assessment before transferring data overseas. The assessment measures reiterate the requirements outlined in previous legislation, including the CSL and PIPL, which stipulated that companies such as ‘critical information infrastructure’ (CII) operators and state agencies that gather data from Chinese users must undergo a security assessment before being allowed to transfer data overseas.
The assessment measures provide more details on the circumstances under which a company will be required to undergo a security assessment. Companies must undergo a security assessment by the CAC if they wish to export data under any of the following scenarios:
If a company meets any of the criteria outlined above for transferring data outside of China, it must apply for a security assessment by CAC. The assessment measures provide a detailed description of the procedures and criteria companies must meet to pass a security assessment.
To apply for a security assessment, companies must first conduct a security risk self-assessment of the data they wish to export. The self-assessment largely focuses on evaluating the risks the export of the data could pose to China’s national security, as well as the personal rights of the individuals or organizations in China that the data was collected from.
When conducting the self-assessment, companies must consider the below questions:
When applying for the data export security assessment, companies are required to submit the following materials:
The contract signed between the data processor and the overseas recipient must include (but is not limited to) the following duties and obligations:
After the requisite materials have been submitted, the CAC will inform the applicant in writing of its decision to accept the application within seven days.
After the CAC has accepted the application, it will organize industry authorities, relevant State Council departments, provincial cybersecurity departments, and specialized agencies to conduct the security assessment.
The authorities will be taking the following criteria into consideration when conducting the security assessment:
The cybersecurity departments will carry out the security assessment within 15 working days of issuing the notice that the application was accepted. This procedure may be extended for complicated cases or where additional documentation is required, but normally should not exceed 60 working days. The results of the assessment will be provided to the applicant in writing.
The security assessment will be valid for a period of two years but can be revoked earlier than that if there is a substantive change to the circumstances under which the approval for cross-border data transfer was granted.
Companies will be required to reapply for a security assessment if any of the following situations occur:
Companies must re-apply for a security assessment 60 working days before the original assessment expires if they intend to continue processing or transferring data overseas. Companies that fail to re-apply for another assessment will be required to cease their cross-border data transfer activities.
The relevant authorities may also revoke the security assessment if the activity no longer meets the security management requirements while the data is being processed. They will then inform the company in writing of the revocation, after which the company will be required to terminate all cross-border data transfer activity. The company can then re-apply for a security assessment after having rectified the issues that caused it to lose its approval status.
Although the new assessment measures provide significant clarification and a tangible pathway for companies to export and process data overseas, some questions remain over how the regulations will be implemented.
These questions mainly arise from ambiguity over the definition of certain terms in the data security legislation that the assessment measures are based on. Most notable among these are the definitions of ‘important data’ and ‘CII operators’, which are not defined in the assessment measures and are only loosely defined in other legislation.
Despite this, there are some legislative documents that we can look at to get a general definition of these terms. Regulations on the security and protection of CII that took effect on September 1, 2021, offer some more clarity on which sectors will land a company with a CII seal – energy, transport, water, and national defense, among others – but still leave the door open to interpretation for some industries – notably digital platforms – and placed the final burden of designation on regulatory departments.
It is a similar story for the definition of ‘important data’. On September 30, 2021, the Ministry of Industry and Information Technology (MIIT) began soliciting public opinion on a set of draft regulations that classify data by level of sensitivity. The regulations divide data into three categories – ‘general data’, which is the least sensitive, ‘important data’, which requires a security assessment before it can be transferred overseas, and ‘core data’, which poses a high risk to China’s national security and may not be transferred overseas.
In its classification, ‘important data’ is given a broad definition, and includes (but is not limited to) any data that poses a threat to core national interests, including China’s politics, territory, economy, society, internet, and resources, as well as data whose security could affect China’s national security in key fields such as “overseas interests, biology, space, polar regions, deep seas, and artificial intelligence.”
Notably, the above definition of ‘important data’ is very similar to the definition of ‘core data’ in the document, with the only point of differentiation (in this definition) being that ‘core data’ poses a “serious” threat to China’s national interests. And the regulation offers no details on how to define “serious”. This ambiguity makes it even more unclear how the regulations will be implemented in practice and will likely give authorities some leeway to interpret the regulations as they see fit.
Despite a lack of clarity for certain sectors, the new assessment measures are nonetheless an important step in building a robust regulatory environment for the export of data from China. When finalized and brought into effect, they will finally offer companies with overseas operations a means of seeking approval to transfer data overseas, while
As the possibility of additional requirements and irregular rulings remains, companies that are seeking to apply for a security assessment are advised to consult with the local CAC department to assess whether they need to apply for a security assessment and if any additional procedures are required.
In addition, qualified legal professionals can help to ensure contracts and other legally binding documents contain all the necessary stipulations to meet the requirements stipulated in the assessment measures.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at firstname.lastname@example.org.