Data transfer security assessments have long been a concern for multinational companies and organisations, and new laws are making them more complex in numerous regions. Just days after the Cyberspace Administration of China (CAC) published the draft Standard Contract Provisions for the Export of Personal Information on June 30, 2022, the CAC unveiled the “Measures for Security Assessment of Data Exports” (“the Measures”), which came into force on September 1, 2022.
Although China’s Cybersecurity Law (CSL), Data Security Law (DSL) and Personal Information Protection Law (PIPL) each describe circumstances in which a data export requires a security assessment, the Measures are the first instrument to set out the full scope of that assessment. They clarify the substantive requirements: the scope of application, the assessment process and timeline, the assessment criteria, and the legal consequences of exporting data without a required security assessment.
Scope of application
According to Article 4, a data processor that exports data collected or generated within the People’s Republic of China must apply to the national CAC, via the provincial-level CAC of its locality, for a security assessment if any of the following applies:
Overseas transfer of “important data”, defined in the Measures as data “that may endanger national security, economic operation, social stability, public health and safety, etc., once it is tampered with, destroyed, leaked or illegally obtained or used;”
Export of personal information by a critical information infrastructure (CII) operator;
Export of personal information by a data processor that processes the personal information (PI) of one million or more individuals;
Export of personal information by a data processor that has cumulatively exported the PI of 100,000 or more individuals since January 1 of the previous year;
Export of personal information by a data processor that has cumulatively exported the sensitive PI of 10,000 or more individuals since January 1 of the previous year; or
Other circumstances specified by the CAC (a catch-all provision).
Only a six-month grace period is granted for data export activities that were already under way before the Measures took effect on September 1, 2022: non-compliant transfers must be brought into line by March 1, 2023, which leaves companies little time to remediate their transfer operations.
Security assessment procedure
The Measures set out three stages for a data export: 1) a self-assessment by the data processor, 2) a completeness check of the application package by the provincial-level CAC and 3) the formal security assessment by the national CAC. The approval process runs as follows.
Straightforward case: complete the self-assessment; submit the application package to the provincial CAC, which checks it for completeness (typically five working days); the national CAC decides whether to accept the application (typically seven working days); the national CAC completes the assessment (typically 45 working days from written acceptance); if the result is a pass, the export may proceed.
Contested case: the same steps as above, but if the national CAC rejects the application, the data processor may either revise and re-apply or, if it disputes the result, apply to the national CAC for a re-assessment within 15 working days of receiving the result. If the re-assessment passes, the data export may proceed; if it fails, the re-assessment result is final and the planned export must be abandoned.
An approved security assessment is valid for two years from the date the assessment results were issued. If the validity period expires and the data export activities need to continue, the data processor must re-submit the assessment 60 working days before the expiration of the validity period.
Data processors whose export activities began before the Measures took effect have six months from that date to bring any activities that do not meet the requirements into line.
Security Assessment Timetable
Step | Item | Responsible Party | Timeline |
--- | --- | --- | --- |
1 | Complete the self-assessment and submit the application package | Data processor | At least 57 working days (5 + 7 + 45) before the planned export, assuming no extensions |
2 | Check the application package for completeness | Provincial CAC | Typically five working days |
3 | Decide whether to accept the application and notify the processor in writing | National CAC | Typically seven working days |
4 | Conduct the security assessment | National CAC | Typically 45 working days from written acceptance; may be extended in complex cases or where supplementary or corrected materials are required |
5 | Revise and re-apply, or apply for a re-assessment if the result is disputed | Data processor | Within 15 working days of receiving the assessment result; the re-assessment result is final |
6 | Validity of the assessment result | Data processor | Two years from the date the result is issued |
7 | Re-apply if the export is to continue beyond the validity period | Data processor | 60 working days before expiration |
8 | Remediate existing non-compliant export activities | Data processor | Within six months of the Measures taking effect |
Supporting materials required for a security assessment
According to Article 6, organisations will need to prepare the following documents as part of the self-assessment procedure:
A declaration form;
Self-assessment report for cross-border data transfers;
The agreement or other legally binding document to be concluded between the data processor and the overseas recipient; and
Other materials required for the security assessment.
The term “other materials” is not currently defined but will likely be used by the CAC as another catch-all category that may include any relevant documentation to support the validity of the transfer, especially if this documentation is necessary to meet the assessment criteria outlined below.
Security assessment evaluation criteria
The Measures indicate that data processors must carry out a self-assessment of cross-border data transfer risks prior to applying for an official government security assessment. The self-assessment and the government review will focus on the legality, legitimacy and necessity of the transfer methods, as well as the scope and purpose of the data export. The criteria for self-assessment and government review are outlined below, as per Article 5 and Article 8 of the Measures.
Self-Assessment
The legality, legitimacy and necessity of the purpose, scope and methods of data processing by the data processor and overseas recipients;
The scale, scope, category and sensitivity of exported data and the risks that data export may pose to national security, the public interest or the lawful rights and interests of individuals or organisations;
During the cross-border data transfer process, the data processor’s administrative and technical measures, as well as their capabilities to prevent data breach or destruction;
The responsibilities and obligations undertaken by the foreign recipient, as well as whether the management, technical measures and capabilities to perform the responsibilities and obligations can ensure the security of exported data;
The risk that data will be leaked, destroyed, tampered with or illegally used during export or after re-transfer and whether mechanisms to safeguard data subjects’ rights and interests in their personal information rights have been established; and
Whether the data security protection responsibilities and obligations have been adequately stipulated in the data export agreement or other legal documents concluded with the overseas recipient.
Government assessment
The legality, legitimacy and necessity of the purpose, scope and methods of the data export.
The impact that the data security protection policies and regulations, and the cybersecurity environment, of the country or region where the overseas recipient is located may have on the security of the exported data; and whether the overseas recipient’s level of data protection meets the requirements of PRC laws, administrative regulations and mandatory national standards.
The scale, scope, type and sensitivity of the exported data, and the risk, during and after export, that the data will be tampered with, destroyed, leaked, lost, diverted or illegally obtained or used.
Whether data security and the rights and interests of individuals in their personal information can be adequately safeguarded.
Whether the data security protection responsibilities and obligations have been adequately stipulated in the data export agreement or other legal documents concluded with the overseas recipient.
Compliance with Chinese laws, administrative regulations and departmental rules.
Other items that the CAC deems necessary to assess.
Legal consequences
Not only is the outcome of the assessment uncertain, but the submission itself can expose a data processor to scrutiny and liability: an applicant found to “deliberately submit false materials” fails the assessment and is dealt with in accordance with the law. In addition, any organisation or individual may report a data processor suspected of violating the Measures to the CAC. Penalties for violations are imposed under the CSL, DSL and PIPL; where the conduct constitutes a crime, criminal liability is pursued under the Criminal Law.
How organisations can prepare
For multinational companies and Chinese companies with a high volume of overseas business, the following actions are key to operationalising the requirements in the Measures:
Continue to monitor the release of government directives and guidelines for data export activities;
Prepare or adjust operational protocols related to planned and existing data transfers by assessing their feasibility and impact on business continuity; be prepared to devise an alternative data transfer plan in the event that the security assessment fails;
Develop an internal protocol for self-assessment, including:
A checklist of items required for the assessment (including requirements for the data processor within China and requirements for offshore recipients);
A data export agreement covering the requirements outlined in the draft Standard Contract Provisions;
A request to the offshore recipient(s) for cooperation in providing the information required for the self-assessment and the government assessment (e.g., security measures, description of offshore data protection capabilities, etc.);
Regularly identify and assess data export needs by analysing the data types and the scale of export;
Document the steps taken by the company in conducting the security assessment and related data categorisation and classification efforts.
Although legality, legitimacy and necessity are prerequisites for any data processing, many organisations overlook them when planning their data export compliance and focus instead on obtaining data subjects’ consent, producing assessment reports and signing cross-border transfer agreements. These are important, but the legality, legitimacy and necessity of the processing are not only part of the security assessment criteria; they are also the prerequisites for a valid consent, a complete self-assessment report and a legitimate cross-border transfer agreement. In other words, they are the foundation of the entire data export security assessment process.
Organisations should therefore give these prerequisites sufficient attention. An organisation that satisfies only the procedural elements of the assessment while neglecting the substantive prerequisites for data processing is unlikely to have its export approved by the CAC. Organisations that address these requirements proactively are less likely to suffer business disruption as they navigate this new regulatory landscape.