Explanations to Measures for Security Assessment for Cross-border Transfer of Data


On 29 October 2021, the Cyberspace Administration of China (“CAC”) published the Measures for Security Assessment for Cross-border Transfer of Data (Exposure Draft) (“Exposure Draft”), which further specifies the provisions on cross-border transfer of data in the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China and the Personal Information Protection Law of the People’s Republic of China. The Exposure Draft defines the situations in which a prior security assessment must be performed before important data and personal information collected or generated in China is transferred to foreign countries.


Compared with the Measures for Security Assessment for Cross-border Transfer of Personal Information (Exposure Draft) issued by the CAC in June 2019, this new Exposure Draft stipulates clearer provisions on the scope of application, assessment methods and assessment institutions for security assessment for cross-border transfer of data.


Scope of Application

The Exposure Draft stipulates five circumstances in which a data processor must apply to the CAC, through the competent Cyberspace Administration at the provincial level, for a security assessment for cross-border transfer of data:

  • the cross-border transferred data is personal information or important data collected and generated by operators of critical information infrastructure;
  • the cross-border transferred data contains important data;
  • personal information is transferred to foreign countries by a personal information processor who handles the personal information of more than one million people;
  • the personal information of more than 100,000 people or the sensitive personal information of more than 10,000 people has been transferred cross-border cumulatively;
  • other circumstances under which a security assessment for cross-border transfer of data is required as stipulated by the CAC.


In addition to the operators of critical information infrastructure mentioned above in Point 1, operators of non-critical information infrastructure may also be involved in the collection and processing of important data as defined in Point 2. However, with the exception of the automotive industry, where categories of important data are defined, other industries and fields currently still lack a well-defined legal definition of the term “important data”.


In the absence of a definite legal rule for calculating the quantity of “personal information”, the Exposure Draft proposes two calculation standards, namely “quantity of processing” and “quantity of transfer”. Despite these calculation standards, there is still no explicit legal definition of “transfer”. Data processors involved in cross-border data transfer should be cautious about opening access to data/personal information to organizations and individuals outside of China, and should also be cautious about the “factual/indirect transfer” of data/information, such as enterprises in China directly using systems or service providers whose servers are located outside of China. It is noteworthy that both calculation standards set a relatively low threshold, so a security assessment must be applied for proactively as soon as either of the two values is reached.


For data processors who are required to submit security assessments to the CAC, a “self-assessment report” and the “contracts or other legally binding documents, etc.” executed with the overseas recipient (hereinafter collectively referred to as “Contracts”) will be the key materials to be submitted for assessment. In particular, the Contracts submitted for review should fully set out the responsibilities and obligations of the data processor and the recipient for data security protection. As regards the specific contents, the Exposure Draft sets out the corresponding requirements as well.


Assessment Methods and Assessment Institutions

The Exposure Draft stipulates that the data security assessment for cross-border transfer should combine prior assessment with continuous supervision, and risk self-assessment with security assessment. Before data is transferred cross-border by data processors, the CAC added a preliminary step requiring enterprises to “conduct a prior risk self-assessment for data cross-border transfer and issue a risk self-assessment report on data cross-border transfer”.


While emphasizing “self-assessment” to promote enterprises’ self-management of the risks of cross-border data transfer, the Chinese government remains at the core of data security management. Data processors should apply to the CAC for the security assessment for cross-border transfer of data through the local Cyberspace Administration at the provincial level. After receiving the application, the CAC will organize the competent industry departments, relevant departments of the State Council, the provincial Cyberspace Administration and specialized agencies to conduct the security assessment.


Liability and Consequences of Violation

According to the Exposure Draft, responsibilities are extended from network operators to data processors. Data processors shall be responsible for the authenticity of the submitted assessment materials. In addition, the data assessment results are valid for two years. If the original cross-border data activities need to be continued after the validity period expires, the data processor shall re-apply for the assessment 60 working days before expiration. However, if the activities of cross-border transfer of data change during the validity period, the data processor shall re-apply for the assessment.


In the case of cross-border transfer of personal information, if a data security assessment is not applied for before the cross-border transfer, or the security assessment is not conducted in accordance with the requirements of the assessment regulations, the operator will be subject to a maximum administrative penalty of 50 million RMB or 5 percent of the previous year’s turnover. It may also be ordered to suspend the relevant business completely, suspend the business for rectification, or even have its business license revoked. In the case of the security assessment of cross-border transfer of important data, operators committing serious violations will be subject to an administrative penalty of more than one million and less than ten million RMB.


In summary, according to the latest issued regulations related to data security and personal information protection, including the Exposure Draft, it is recommended that enterprises consider i) conducting prior screening for important data before carrying out cross-border data activities, ii) judging whether the cross-border transfer of personal information falls within the circumstances that require a security assessment, iii) conducting an internal assessment of the enterprise’s own possible cross-border data risks, and iv) starting to draft cross-border data transfer contracts that meet the legal requirements, so as to better control the potential compliance risks of the enterprise.

Contact

Shujie Zhao