Proposed security assessment mechanism for transferring data outside of China

New security assessment rules, which are applicable to the transfer of both important data and personal information outside of China, have been issued for public consultation.

The Cybersecurity Administration of China ("CAC") released a draft of the Measures for Security Assessment of Cross-border Transfer of Data ("Draft Measures") for public consultation on 29 October 2021. The deadline for the public to submit comments on the Draft Measures is 28 November 2021.

The Draft Measures are important because they help clarify certain cross-border data transfer restrictions under the Cybersecurity Law ("CSL"), Data Security Law ("DSL") and Personal Information Protection Law ("PIPL"), as discussed in our previous e-bulletin China's New Laws Inhibit Data Transfers.  Cross-border data transfers in China (for both important data and personal information) have always been a top concern for multi-national corporations operating in China.

In summary, under these three laws, a CAC security assessment must be passed before:

1. important data or personal information can be exported by critical information infrastructure operators ("CIIO") under the CSL (in addition to the data localisation requirement);
2. important data can be exported by any company handling such data in China under the DSL; and
3. personal information can be exported by CIIO, or personal information processors handling a large amount of personal information under PIPL.

Previously, the Chinese authorities have issued draft regulations to regulate the cross-border transfer of data and personal information but those drafts[1] were issued before the DSL and PIPL came into force on 1 September 2021 and 1 November 2021, respectively. To date, these draft regulations have never been finalised.

The CSL, DSL and PIPL make reference to the CAC security assessment as a mandatory safeguard to be taken for any cross-border transfer of data in the circumstances set out in (i) to (iii) above. We have highlighted some key terms of the Draft Measures and our observations below:

Who is required to comply with the security assessment regime?

The Draft Measures apply to all data transferors of important data or personal information in China, i.e. CIIOs or non-CIIOs which handle important data or a large amount of personal information in China (as specified under the CSL, DSL and PIPL).  They must conduct a security assessment before transferring important data and personal information outside of China.

Two types of assessments are required under the Draft Measures, namely (i) the security assessment by the CAC (which is applicable in the situations as described above); or (ii) self-assessment (which is applicable every time data is to be exported outside of China).

When is a security assessment filing required?

The Draft Measures have introduced a mechanism combining cross-border risk self-assessments by data transferors and assessment filings with the CAC.

A data transferor must file a security assessment for cross-border data transfer with the CAC through the provincial cyberspace authority where the data processer is located if:

• it is a CIIO and the data to be transferred outside of China consists of personal information and/or important data collected and generated by the CIIO in China;
• the transfer involves important data;
• the proposed data transferor processes personal information of over one million people in China;
• the proposed data transferor has either accumulatively transferred (i) personal information of more than 100,000 people; or (ii) sensitive personal information of over 10,000 people outside of China; or
• other situations set out by the CAC that require a filing under the security assessment regime.

In this regard, the proposed review period of the security assessment by the CAC would consist of: (i) 7 working days for the pre-acceptance review upon receiving the filing submission; and (ii) 45 working days upon acceptance of the filing submission (or no longer than 60 working days for a more complicated case). Once the proposed data transferor obtains clearance from the CAC, the clearance status will be effective for two years, which means that the filing obligation needs to be updated and resubmitted every two years.

What are the CAC's considerations in reviewing a security assessment filing?

The CAC's main concern is whether the proposed cross-border data transfer may present any risk to national security, public interest as well as the legitimate rights and interests of individuals or organisations, of which the key considerations are set out below:

• the legality, legitimacy, and necessity of the purpose, scope, means, and other aspects of data transfer;
• the impact of data security protection policies and regulations as well as the cybersecurity environment of the country or region where the overseas recipient is located on the security of transferred data;
• whether the data protection capacity of the overseas recipient meets the requirements of Chinese laws, administrative regulations and mandatory national standards;
• the volume, scope, type, and sensitivity of transferred data, and the risks of a data breach, tampering, loss, destruction, transfer, and illegal acquisition or use during and after the "data export" process;
• whether data security and the rights and interests pertaining to personal information can be fully and effectively protected;
• whether the contract between the data transferor and the overseas data recipient has fully stipulated the responsibilities and obligations regarding data security protection;
• compliance with Chinese laws, administrative regulations, and departmental rules; and
• other matters deemed necessary by the CAC.

When is self-assessment required and what are the considerations?

In addition to the security assessment filing with the CAC, the Draft Measures also require a self-assessment to be conducted before data is transferred outside of China.

This general requirement goes beyond the current requirements under the CSL, DSL and PIPL. The self-assessment under the Draft Measures appears to be an additional requirement to the personal information protection impact assessment on cross-border transfer of personal information under PIPL.

The Draft Measures set out the following items for self-assessment:

• whether the purpose, scope and means of the cross-border transfer and the processing by the overseas data recipient are lawful, legitimate and necessary;
• the quantity, scope, category and sensitivity of the data to be transferred outside of China, as well as the risks of that cross-border transfer to China's national security, public interest and the legitimate rights and interests of individuals and organisations;
• whether the data transferor is capable of ensuring security of the data transfer, and whether there are sufficient security measures (administrative and technical) to prevent data breaches;
• whether the overseas data recipient is capable of performing its data security responsibilities and obligations, and whether the data security measures (administrative and technical) taken by the overseas data recipient are sufficient to ensure security of the data;
• whether the data may be compromised, leaked, damaged, tampered with or subject to other risks after the overseas transfer or any onward transfer outside of China, and whether the data subjects have any means to protect their personal information; and
• whether the data transfer contract between the data transferor and the oversea data recipient comprehensively sets out the parties' responsibilities and obligations to protect the data.

What shall be included in a data transfer contract?

The Draft Measures require the data transferor and the overseas data recipient to enter into a data transfer contract. The data transfer contract shall be submitted to the CAC as part of the security assessment filing.

The data transfer contract must include the following clauses addressing:

• the purpose, means and scope of the cross-border data transfer, as well as the purpose, means and other aspects of the data processing activities to be conducted by the overseas data recipient;
• the location and retention period for the transferred data, and the treatment for such data upon expiry of the retention period, when the data is no longer required for the intended purpose or upon termination of the data transfer contract;
• restrictions on the overseas data recipient to onward-transfer the data to other organisations and individuals;
• the security measures to be adopted in the event of a change of control or any material change to the business scope of the overseas data recipient, or when the data privacy legal framework of the country or region where the overseas data recipient is located has changed to increase the difficulty in safeguarding data security;
• the liability of the parties in the event of any breach of the data security protection obligations, and a legally binding and enforceable dispute resolution clause; and
• the contingency response measures to be adopted in the event of any data breach, and the means for data subjects to enforce their rights and interests in respect of their personal information.

It is important to note that the data transfer contract applies to both important data and personal information, whereas the standard contract contemplated under the PIPL only applies to personal information. It is not clear to what extent the two contracts will overlap or operate in parallel.

No transition period

The security assessment contemplated under the CSL, DSL and PIPL is mandatory before any important data or personal information can be transferred outside of China (whether by CIIOs, or non-CIIOs which handle important data or a large amount of personal information in China).

Notably, there is no transition period contemplated in the Draft Measures, which has the potential to be highly disruptive to existing business operations.

Our China data and cyber law offering

We are an award-winning data and cybersecurity team globally and in China.

We have extensive experience assisting companies in complying with data and cybersecurity laws in China, across Asia Pacific and the world.

We have been helping clients understand how the new laws in China impact their businesses, identify key risk areas and gaps, and make recommendations on their data strategy and action plans.

We are also partnering with clients in this evolving area to anticipate and support their needs.

Our Joint Operation, Herbert Smith Freehills Kewei, enables us to provide an end-to-end legal service integrating PRC law and international law and legal service standards. It also gives us a deeper understanding of Chinese business methods and corporate culture, and an in-depth knowledge of China’s complex regulatory and political environment.

[1] These drafts are: (i) draft Measures for Security Assessment of the Exit of Personal Information issued on 13 June 2019; and (ii) draft Measures for Security Assessment of the Exit of Personal Information and Important Data issued on 11 April 2017. Both drafts were issued by CAC for public consultation.