Cross-Border Data Transfer – New Measures Clarify Security Review Requirements
China has released measures detailing requirements for security reviews for cross-border data transfer. Foreign companies and large multinationals have been eagerly awaiting such measures ever since China issued legislation requiring companies that want to export certain types of data to undergo a security assessment by the cybersecurity authorities. The measures offer clarity on the governmental body responsible for overseeing security assessments and what procedures companies must undergo to get clearance to transfer data overseas.
UPDATE: On March 22, 2024, China’s cybersecurity regulator adopted new regulations to ease the compliance requirements for cross-border data transfer. The new regulations increase the thresholds of personal information volume that a company can handle before having to sign a standard contract with the overseas recipient of the personal information and stipulate scenarios in which a company may be exempted from undergoing a security review. The security assessment mechanism discussed in this article was subsequently amended to align with the new regulations.
China’s top cybersecurity authority, the Cyberspace Administration of China (CAC) has released the final measures on the requirements for a security review for data export. The document, titled Measures for Data Export Security Assessment (the “security assessment measures”), follows the release of the draft version for public comment in November 2021.
The final version remains mostly unchanged from the draft but makes a few key semantic changes to align the security assessment measures more closely with other regulations on data export. The document outlines specific requirements, steps, and procedures for companies to undergo a security assessment in order to transfer data or personal information (PI) overseas, a requisite for companies that handle a large volume of data from Chinese users, or whose data is categorized as ‘important’ or ‘sensitive’.
Many companies have been anxiously awaiting clarification on security assessment ever since China first put limits on the export of certain types of data in the Cybersecurity Law (CSL), released in 2017. The security assessment measures offer a clear pathway for companies who need to send data overseas for their operations and clarify which aspects of a company’s business the authorities will consider when evaluating a cross-border data transfer.
The new assessment measures are based on China’s three overarching data security laws, the CSL, Data Security Law (DSL), and the Personal Information Protection Law (PIPL), the latter of which came into effect on November 1, 2021. According to the document, the security assessment measures will aim to “standardize the export of data from China” and “protect personal information, safeguard national security, and public interest”.
The security assessment measures will go into effect on September 1, 2022. If a company has previously engaged in data export activities that do not comply with the provisions in these measures, it will be required to make the requisite changes to be compliant within six months of this date.
Who must undergo a security assessment for cross-border data transfer?
Not all companies are required to undergo a security assessment before transferring data overseas. The security assessment measures reiterate the requirements outlined in previous legislation, including the CSL and PIPL, which stipulated that companies such as ‘critical information infrastructure’ operators (CIIOs) and state agencies that gather data from Chinese users must undergo a security assessment before being allowed to transfer data overseas.
Meanwhile, Article 38 of the PIPL sets out the following routes by which a company may obtain clearance to transfer the PI of subjects based in China overseas:
- Undergo a security review organized by the CAC, except where exempted by relevant laws and regulations.
- Undergo PI protection certification by a professional institution in accordance with the regulations of the CAC.
- Sign a contract with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC.
- Meet other conditions set by the CAC or relevant laws and regulations.
The security assessment measures specifically tackle the first of the procedures listed above, as well as requirements in other legislation, and clarify the circumstances under which a company will be required to take this route. Companies must undergo a security assessment by the CAC if they wish to export data under any of the following scenarios:
- The company is a CIIO;
- The company exports important data overseas;
- The company has provided the PI (excluding sensitive PI) of over 1 million people to overseas parties since January 1 of the current year;
- The company has provided the sensitive PI of over 10,000 people to overseas parties since January 1 of the current year; or
- Other situations required to declare data export security assessment as stipulated by the CAC.
The final version of the security assessment measures adds a new article defining the scope of ‘important’ data as “data that may endanger national security, economic operation, social stability, or public health and safety once tampered with, destroyed, leaked, or illegally obtained or used”.
Meanwhile, ‘sensitive PI’, as defined in the PIPL, includes (but is not limited to):
- Biometric data (such as fingerprints, iris and facial recognition information, and DNA)
- Data pertaining to religious beliefs or “specific identities”
- Medical history
- Financial accounts
- Location and whereabouts
- Any PI of minors under the age of 14
Finally, a CIIO is defined in the Regulations on the Security and Protection of Critical Information Infrastructure as a company engaged in “important industries or fields”, including:
- Public communication and information services;
- Energy;
- Transport;
- Water;
- Finance;
- Public services;
- E-government services;
- National defense; and
- Any other important network facilities or information systems that may seriously harm national security, the national economy and people’s livelihoods, or public interest in the event of incapacitation, damage, or data leaks.
Companies that are not considered CIIOs or that handle smaller volumes of data than the thresholds set above may be able to get clearance to transfer data or PI overseas by simply signing a ‘standard contract’ with the overseas recipient. This procedure is simpler than the CAC security review as it does not require an external audit. To see whether your company is eligible for this simplified procedure, see our article on standard contract requirements.
Applying for a data export security assessment
If a company meets the criteria for a CIIO or handles data or PI in excess of the volumes outlined above, it must apply for a security assessment by CAC in order to get clearance to transfer the data outside of China. The security assessment measures provide a detailed description of the procedures and criteria companies must meet to pass a security assessment.
Conducting a self-assessment
To apply for a security assessment, companies must first conduct a security risk self-assessment of the data they wish to export. The self-assessment largely focuses on evaluating the risks the export of the data could pose to China’s national security, as well as to the personal rights of the individuals or organizations in China from whom the data was collected.
When conducting the self-assessment, companies must consider the following factors:
- The legality, legitimacy, and necessity of the purpose, scope, and method of the cross-border data transfer, and the processing of the data by the overseas recipient.
- The scale, scope, type, and sensitivity of the data being transferred, and the possible risks that the cross-border data transfer could pose to China’s national security, public interests, and the legal rights of individuals and organizations.
- The responsibilities and obligations undertaken by the overseas recipient [of the data], and whether the management and technical measures and capabilities for fulfilling the responsibilities and obligations can ensure the security of outbound data.
- The risk of the data being tampered with, destroyed, leaked, lost, transferred, or illegally obtained or used during the overseas transfer or after it exits the country, and whether the channels for safeguarding the rights and interests of the PI [subjects] are unobstructed.
- Whether or not the data export-related contracts or other legally binding documents (hereinafter collectively referred to as “legal documents”) that are entered into with the overseas recipient fully stipulate the responsibility and obligations of data protection.
- Other matters that may affect the security of data export.
Applying for the security assessment
When applying for the data export security assessment, companies are required to submit the following materials:
- A declaration
- Cross-border data transfer risk self-evaluation report
- Legal documents to be signed between the data processor and the overseas recipient;
- Other materials required for security assessment work
The legal documents signed between the data processor and the overseas recipient must include (but are not limited to) the following duties and obligations:
- The purpose and method for the data transfer and the scope of data being transferred; what the overseas recipient needs the data for and the methods they will use to process it.
- Where and for how long the data will be stored overseas; the processing measures for the exported data after the data storage time limit is up, the stipulated objectives have been achieved, or the legal documents have been terminated.
- Binding requirements for the overseas recipient to transfer the data to another organization or individual.
- The security measures that will be taken in the event that there is a substantive change in the overseas recipient’s control or operating scope, or if there is a change to the security protection policies and regulations of the region where the data is being transferred to, a change to the network security environment, or other force majeure circumstances that make it difficult to guarantee the security of the data.
- Remedial measures, liabilities for breach of contract, and dispute resolution methods for breaching data security protection obligations stipulated in legal documents.
- Requirements for proper emergency response and the channels and methods to protect individuals’ rights to safeguard their PI in the event that the outbound data is at risk of being tampered with, destroyed, leaked, lost, transferred, or illegally obtained or used.
After the requisite materials have been submitted, the CAC will inform the applicant in writing of its decision on whether to accept the application within seven days.
Undergoing the security assessment
After the CAC has accepted the application, it will organize for the relevant State Council departments and government agencies to conduct the security assessment in accordance with the circumstances of the declaration.
The authorities will be taking the following criteria into consideration when conducting the security assessment:
- The legality, legitimacy, and necessity of the methods, scope, and purpose of the data export.
- The impact that the data security protection policies, regulations, and general cybersecurity environment of the country or region in which the data recipient is located may have on the security of the data, whether the overseas recipient’s data protection standards are compliant with China’s laws, administrative rules and regulations, and requirements for mandatory national standards.
- The scale, scope, type, and sensitivity of the outbound data, and the possible risks posed to the data during and after the transfer, such as leakage, tampering, loss, damage, or illegal acquisition or use of the data.
- Whether or not data security and personal information rights can be fully and effectively protected.
- Whether or not the legal documents to be signed between the data processor and the overseas recipient have sufficiently stipulated the data security protection responsibilities and obligations.
- [The data processor’s] compliance with Chinese laws, administrative regulations, and departmental rules.
- Other matters deemed necessary by the CAC.
The cybersecurity departments will carry out the security assessment within 45 working days of issuing the notice that the application was accepted. However, this procedure may be extended for complicated cases or where additional documentation or corrections are required. In this case, the data processor will be notified of the expected extended duration of the assessment. The results of the assessment will be provided to the applicant in writing.
If during the assessment period, the application materials are found to not meet the requirements, the authorities will request the data processor to make the required corrections or supplement the missing materials. If the data processor fails to provide the right materials and information without justifiable reasons, then the assessment may be terminated. Data processors are also legally liable for the authenticity of the materials provided and may face legal consequences if they are found to knowingly submit false materials or information.
The security assessment will be valid for a period of two years from the date that the assessment results are issued. The assessment can however be revoked earlier if there is a substantive change to the circumstances under which the approval for cross-border data transfer was granted.
Objections to assessment results and requests for re-assessment
If the data processor objects to any of the results of the assessment, it may apply to the relevant authorities for re-evaluation within 15 working days of receiving the results. The results of the re-assessment will however be final.
Companies will be required to reapply for a security assessment if any of the following situations occur during the assessment’s validity period:
- A change in the purpose, method, scope, or type of data provided overseas; a change in the use of the data or the method of data processing by the overseas recipient; or an extension of the overseas retention period for the personal information or important data.
- Any changes to:
  - The data security protection policies, regulations, and cybersecurity environment of the country or region where the overseas recipient is located.
  - The actual control of the data processor or overseas recipient.
  - The legal documents between the data processor and the overseas recipient that may affect the security of outbound data.
  - Other force majeure situations.
- Other situations that may impact the security of outbound data.
Companies must re-apply for a security assessment 60 working days before the assessment expires if they intend to continue processing or transferring data overseas.
The relevant authorities may also revoke the security assessment if the activity no longer meets the security management requirements while the data is being processed. They will then inform the company in writing of the revocation, after which the company will be required to terminate all cross-border data transfer activity. The company can then re-apply for a security assessment after having rectified the issues that caused it to lose its approval status.
Limitations to the security assessment measures
Although the new security assessment measures provide significant clarification and a tangible pathway for companies to export and process data overseas, some questions remain over how the regulations will be implemented.
These questions mainly arise from ambiguity over the definition of certain terms in the data security legislation that the security assessment measures are based on. Most notable among these are the definitions of ‘important data’ and ‘CIIOs’, which are currently still only loosely defined in other legislation.
Despite this, there are some legislative documents that we can look at to get a general definition of these terms. The Regulations on the Security and Protection of Critical Information Infrastructure (CII), which took effect on September 1, 2021, offer some more clarity on which sectors will land a company with a CII designation – energy, transport, water, and national defense, among others – but still leave the door open to interpretation for some industries – notably digital platforms – and place the final burden of designation on regulatory departments.
It is a similar story for the definition of ‘important data’. On September 30, 2021, the Ministry of Industry and Information Technology (MIIT) began soliciting public opinion on a set of draft regulations that classify data by level of sensitivity. The regulations divide data into three categories – ‘general data’, which is the least sensitive; ‘important data’, which requires a security assessment before it can be transferred overseas; and ‘core data’, which poses a high risk to China’s national security and may not be transferred overseas.
In its classification, ‘important data’ is given a broad definition, and includes (but is not limited to) any data that poses a threat to core national interests, including China’s politics, territory, economy, society, internet, and resources, as well as data whose security could affect China’s national security in key fields such as “overseas interests, biology, space, polar regions, deep seas, and artificial intelligence.”
Notably, the above definition of ‘important data’ is very similar to the definition of ‘core data’ in the document, with the only point of differentiation (in this definition) being that ‘core data’ poses a “serious” threat to China’s national interests. The regulation currently offers no details on how to define “serious”. This ambiguity makes it even more unclear how the regulations will be implemented in practice and will likely give authorities some leeway to interpret the regulations as they see fit.
Finally, the security assessment measures do not clarify how data export activities carried out prior to the implementation of these measures will be handled by the authorities. As mentioned above, companies that have engaged in data export activity before these measures take effect will be required to take the necessary steps to ensure the activity is compliant with the regulations within six months (if it is not already compliant), that is, by March 1, 2023. However, the measures do not define a time frame for the activity that has to be rectified. That means it is uncertain whether any export activity carried out before September 1, 2022 will have to undergo a retroactive security review by March 1, 2023, or whether export activity that was carried out many months or years ago can be exempted. This is an issue that will likely have to be considered during implementation, and it is unclear how – and how consistently – the authorities will enforce this provision.
A legal way forward for companies handling sensitive or large volumes of data
Despite a lack of clarity for certain sectors, the new security assessment measures are nonetheless an important step toward building a robust regulatory environment for the export of data outside of China, finally offering companies with overseas operations a means of seeking approval to transfer data overseas.
As the possibility of additional requirements and irregular rulings remains, companies that are seeking to apply for a security assessment are advised to consult with the local CAC department to assess whether they need to apply for a security assessment and whether any additional procedures are required.
In addition, qualified legal professionals can help to ensure contracts and other legally binding documents contain all the necessary stipulations to meet the requirements stipulated in the security assessment measures.
This article was originally published on November 4, 2021 and last updated on July 11, 2022 to reflect the latest updates.
About Us
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at china@dezshira.com.