China’s new rule re security assessment for cross border data transfer

By Jingyuan Shi and Yuchen Lai, Simmons & Simmons

Published: 31 August 2022

The Measures on Security Assessment for Data Exports (the Measures) was promulgated on 7 July by the CAC and shall take effect from 1 September 2022.

The Measures on Security Assessment for Data Exports (the Measures) was promulgated on 7 July by the Cyberspace Administration of China (CAC) and shall take effect from 1 September 2022, setting out detailed provisions regarding the “security assessment” required under China’s Personal Information Protection Law (PIPL), Cybersecurity Law and Data Security Law.

In particular, international players with a larger client/user base in China are likely to be subject to the “security assessment” requirement and should take prompt compliance action, given the comparatively short grace period.

Data transfers that require Security Assessment

Under China’s data protection laws, a data processor (i.e. the equivalent of a “data controller” under the GDPR) may transfer data out of mainland China following different routes, depending on the nature of the data processor and the volume of data processed. Such routes include completing the security assessment for cross-border data transfers (Security Assessment), obtaining the personal information protection certification from the professional institution designated by the CAC (Certification), or entering into the standard format data transfer agreement with the overseas recipient (Standard Contract).

The Measures clarify the scenarios where a mandatory Security Assessment is required, including:

  • where any “important data” is to be transferred out of mainland China (“important data” means data whose alteration, damage, leakage, illegal acquisition or illegal use may harm national security or public interests; catalogues of important data are to be formulated and published by sectoral and regional regulators);
  • where a critical information infrastructure operator is to transfer personal information out of mainland China;
  • where a data processor that processes personal information of more than 1 million individuals is to transfer personal information out of mainland China; or
  • where a data processor that has transferred personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals out of mainland China since 1 January of the previous year is to transfer personal information out of mainland China.

If none of the aforesaid scenarios apply, data exporters may choose the Certification route or the Standard Contract route to transfer personal information out of mainland China. For more details, please refer to our article Chinese regulator publishes the draft China SCC, featured in Edition 131 of the AIMA Journal.

How to complete the Security Assessment?

To complete the Security Assessment, the relevant data exporter shall submit to the CAC for approval an application letter, a self-assessment report and the legal document to be signed with the overseas recipient. The CAC may take up to 57 working days to decide whether to approve an application (a period which can be extended for exceptionally complex cases at the discretion of the CAC).

The self-assessment shall focus on evaluating the lawfulness, legitimacy and necessity of the intended transfer, the relevant risks, the overseas recipient’s capacity to safeguard data security, whether the data subjects have convenient channels to exercise their rights as provided under the PIPL, and whether the “legal document” to be signed between the data exporter and the overseas recipient has fully specified the data protection responsibilities and obligations of each party.

The Measures have not restricted the form of the required “legal document” (which can be either a contract or other binding documents). Such a legal document must set out: (i) the purpose, manner and scope of the intended transfer; (ii) the purpose and manner of the overseas recipient’s processing; (iii) the storage location and retention period of the data to be transferred as well as how such data shall be dealt with upon expiration of the retention period, completion of the relevant processing purpose or termination of the legal document; (iv) restrictions on onward transfers; (v) measures to be taken in case of substantial changes of control or business scope of the overseas recipient, of the data protection laws / policies or cybersecurity environment of the destination jurisdiction, or force majeure events causing difficulties to protect the relevant data; (vi) remedies, liabilities and dispute resolution methods when breaching the legal document; and (vii) emergency response arrangements and channels for data subjects to exercise their personal information rights.

Period of validity

Security Assessment decisions are valid for two years. That said, before the expiry of the two-year validity period, the data exporter will have to apply for a re-assessment in the event of: (i) any change of the purpose, manner or scope of the transfer, or of the purpose or manner of the overseas recipient’s processing, which may affect the security of the transferred data; (ii) data being retained outside of mainland China for a period longer than that previously approved; (iii) any change of the data protection laws / policies or cybersecurity environment of the destination jurisdiction, force majeure events, a change of actual control of the data exporter or overseas recipient, or a change of the legal document, which may affect the security of the transferred data; and (iv) other situations that may affect the security of the transferred data.

The clock is ticking

The Measures provide a six-month grace period: any cross-border transfers within their scope that already exist must be rectified before 28 February 2023. That said, six months is fairly short, especially for those that have not yet completed a proper PIPL compliance project.

We recommend that market players first identify whether the Security Assessment requirements apply to them and prepare accordingly, including without limitation mapping existing and intended cross-border data transfer flows, conducting the self-assessment, and discussing with overseas recipients the formulation and signing of the appropriate legal documents.