China has released measures detailing requirements for security reviews for cross-border data transfer. Foreign companies and large multinationals have been eagerly awaiting such measures ever since China issued legislation requiring companies that want to export certain types of data to undergo a security assessment by the cybersecurity authorities. The measures offer clarity on the governmental body responsible for overseeing security assessments and what procedures companies must undergo to get clearance to transfer data overseas.
China’s top cybersecurity authority, the Cyberspace Administration of China (CAC), has released the final measures on the requirements for a security review for data export. The document, titled Measures for Data Export Security Assessment (the “security assessment measures”), follows the release of the draft version for public comment in November 2021.
The final version remains mostly unchanged from the draft but makes a few key semantic changes to align the security assessment measures more closely with other regulations on data export. The document outlines specific requirements, steps, and procedures for companies to undergo a security assessment in order to transfer data or personal information (PI) overseas, a requisite for companies that handle a large volume of data from Chinese users, or whose data is categorized as ‘important’ or ‘sensitive’.
Many companies have been anxiously awaiting clarification on security assessment ever since China first put limits on the export of certain types of data in the Cybersecurity Law (CSL), released in 2017. The security assessment measures offer a clear pathway for companies who need to send data overseas for their operations and clarify which aspects of a company’s business the authorities will consider when evaluating a cross-border data transfer.
The new assessment measures are based on China’s three overarching data security laws, the CSL, Data Security Law (DSL), and the Personal Information Protection Law (PIPL), the latter of which came into effect on November 1, 2021. According to the document, the security assessment measures will aim to “standardize the export of data from China” and “protect personal information, safeguard national security, and public interest”.
The security assessment measures will go into effect on September 1, 2022. If a company has previously engaged in data export activities that do not comply with the provisions in these measures, it will be required to make the requisite changes to be compliant within six months of this date.
Not all companies are required to undergo a security assessment before transferring data overseas. The security assessment measures reiterate the requirements outlined in previous legislation, including the CSL and PIPL, which stipulated that companies such as ‘critical information infrastructure’ operators (CIIOs) and state agencies that gather data from Chinese users must undergo a security assessment before being allowed to transfer data overseas.
Meanwhile, Article 38 of the PIPL offers the following procedures for companies in order to get clearance to transfer the PI of subjects based in China overseas:
The security assessment measures specifically tackle the first of the procedures listed above, as well as requirements in other legislation, and clarify the circumstances under which a company will be required to take this route. Companies must undergo a security assessment by the CAC if they wish to export data under any of the following scenarios:
The final version of the security assessment measures adds a new article defining the scope of ‘important’ data as “data that may endanger national security, economic operation, social stability, or public health and safety once tampered with, destroyed, leaked, or illegally obtained or used”.
Meanwhile, ‘sensitive PI’, as defined in the PIPL, includes (but is not limited to):
Finally, a CIIO is defined in the Regulations on the Security and Protection of Critical Information Infrastructure as a company engaged in “important industries or fields”, including:
Companies that are not considered CIIOs or handle smaller volumes of data than the thresholds set above may be able to get clearance to transfer data or PI overseas by simply signing a ‘standard contract’ with the overseas recipient. This procedure is simpler than the CAC security review as it does not require an external audit. To see whether your company is eligible for this simplified procedure, see our article on standard contract requirements here.
If a company meets the criteria for a CIIO or handles data or PI in excess of the volumes outlined above, it must apply for a security assessment by CAC in order to get clearance to transfer the data outside of China. The security assessment measures provide a detailed description of the procedures and criteria companies must meet to pass a security assessment.
To apply for a security assessment, companies must first conduct a security risk self-assessment of the data they wish to export. The self-assessment largely focuses on evaluating the risks the export of the data could pose to China’s national security, as well as the personal rights of the individuals or organizations in China from whom the data was collected.
When conducting the self-assessment, companies must consider the below questions:
When applying for the data export security assessment, companies are required to submit the following materials:
The legal documents signed between the data processor and the overseas recipient must include (but are not limited to) the following duties and obligations:
After the CAC has accepted the application, it will organize for the relevant State Council departments and government agencies to conduct the security assessment in accordance with the circumstances of the declaration.
The authorities will be taking the following criteria into consideration when conducting the security assessment:
The cybersecurity departments will carry out the security assessment within 45 working days of issuing the notice that the application was accepted. However, this procedure may be extended for complicated cases or where additional documentation or corrections are required. In this case, the data processor will be notified of the expected extended duration of the assessment. The results of the assessment will be provided to the applicant in writing.
If during the assessment period, the application materials are found to not meet the requirements, the authorities will request the data processor to make the required corrections or supplement the missing materials. If the data processor fails to provide the right materials and information without justifiable reasons, then the assessment may be terminated. Data processors are also legally liable for the authenticity of the materials provided and may face legal consequences if they are found to knowingly submit false materials or information.
The security assessment will be valid for a period of two years from the date that the assessment results are issued. The assessment can however be revoked earlier if there is a substantive change to the circumstances under which the approval for cross-border data transfer was granted.
If the data processor objects to any of the results of the assessment, it may apply to the relevant authorities for re-evaluation within 15 working days of receiving the results. The results of the re-assessment will however be final.
Companies will be required to reapply for a security assessment if any of the following situations occur during the assessment’s validity period:
Companies must re-apply for a security assessment 60 working days before the assessment expires if they intend to continue processing or transferring data overseas.
The relevant authorities may also revoke the security assessment if the activity no longer meets the security management requirements while the data is being processed. They will then inform the company in writing of the revocation, after which the company will be required to terminate all cross-border data transfer activity. The company can then re-apply for a security assessment after having rectified the issues that caused it to lose its approval status.
Although the new security assessment measures provide significant clarification and a tangible pathway for companies to export and process data overseas, some questions remain over how the regulations will be implemented.
These questions mainly arise from ambiguity over the definition of certain terms in the data security legislation that the security assessment measures are based on. Most notable among these are the definitions of ‘important data’ and ‘CIIOs’, which are currently still only loosely defined in other legislation.
Despite this, there are some legislative documents that we can look at to get a general definition of these terms. The Regulations on the Security and Protection of Critical Information Infrastructure (CII), which took effect on September 1, 2021, offer some more clarity on which sectors will land a company with a CII designation – energy, transport, water, and national defense, among others – but still leave the door open to interpretation for some industries – notably digital platforms – and place the final burden of designation on regulatory departments.
It is a similar story for the definition of ‘important data’. On September 30, 2021, the Ministry of Industry and Information Technology (MIIT) began soliciting public opinion on a set of draft regulations that classify data by level of sensitivity. The regulations divide data into three categories – ‘general data’, which is the least sensitive; ‘important data’, which requires a security assessment before it can be transferred overseas; and ‘core data’, which poses a high risk to China’s national security and may not be transferred overseas.
In its classification, ‘important data’ is given a broad definition, and includes (but is not limited to) any data that poses a threat to core national interests, including China’s politics, territory, economy, society, internet, and resources, as well as data whose security could affect China’s national security in key fields such as “overseas interests, biology, space, polar regions, deep seas, and artificial intelligence.”
Notably, the above definition of ‘important data’ is very similar to the definition of ‘core data’ in the document, with the only point of differentiation (in this definition) being that ‘core data’ poses a “serious” threat to China’s national interests. The regulation currently offers no details on how to define “serious”. This ambiguity makes it even more unclear how the regulations will be implemented in practice and will likely give authorities some leeway to interpret the regulations as they see fit.
Finally, the security assessment measures do not clarify how data export activities carried out prior to the implementation of these measures will be handled by the authorities. As mentioned above, companies that have engaged in data export activity before these measures take effect will be required to take the necessary steps to ensure the activity is compliant with the regulations within six months (if it is not already compliant), that is, by March 1, 2023. However, the measures do not define a time frame for the activity that has to be rectified. That means it is uncertain whether any export activity carried out before September 1, 2022 will have to undergo a retroactive security review by March 1, 2023, or whether export activity that was carried out many months or years ago can be exempted. This is an issue that will likely have to be considered during implementation, and it is unclear how – and how consistently – the authorities will enforce this provision.
Despite a lack of clarity for certain sectors, the new security assessment measures are nonetheless an important step toward building a robust regulatory environment for the export of data outside of China, finally offering companies with overseas operations a means of seeking approval to transfer data overseas.
As the possibility of additional requirements and irregular rulings remains, companies that are seeking to apply for a security assessment are advised to consult with the local CAC department to assess whether they need to apply for a security assessment and whether any additional procedures are required.
In addition, qualified legal professionals can help to ensure contracts and other legally binding documents contain all the necessary stipulations to meet the requirements stipulated in the security assessment measures.
This article was originally published on November 4, 2021 and last updated on July 11, 2022 to reflect the latest updates.
China Briefing is written and produced by Dezan Shira & Associates.