New guidance on the CAC security assessment for cross-border data transfer

On 31 August 2022, the Cyberspace Administration of China ("CAC") published the Guidelines on the Application of Security Assessment of Cross-border Transfer of Data ("Guidelines") to clarify how organisations in China can apply to CAC for a security assessment for cross-order data transfer, a requirement stipulated under the Measures for Security Assessment of Cross-border Transfer of Data ("Measures") which became effective on 1 September 2022.

The Guidelines provide clarity on when such security assessment is applicable, and how data processors in China can apply to CAC for a security assessment for cross-border data transfer.

The CAC security assessment is a requirement under the Personal Information Protection Law, the Data Security Law and the Cybersecurity Law in China.  Please see our previous articles Important Updates On Cross-border Data Transfer In China and Proposed security assessment mechanism for transferring data outside of China for details. A data processor is required to apply to CAC for a security assessment for cross-border data transfer if the proposed data transfer meets any of the thresholds specified under the Measures[1].

The Guidelines clarify that the following circumstances constitute cross-border data transfer:

1. A data processor transfers data collected and generated in China to an overseas jurisdiction;
2. remote access to, retrieval, downloading or export of data stored in China by an overseas institution, organisation or individual; and
3. other cross-border data transfers as may be specified by CAC from time to time.

The Guidelines also set out five key steps in the security assessment application process.

• Step1: Submission of application documents to the provincial-level cyberspace administration at the place where the data processor is located.
• Step 2: The provincial-level cyberspace administration shall check the completeness of the application materials within 5 working days upon receipt of application. Incomplete applications would be rejected.
• Step 3: CAC shall decide whether to process the application and notify the data processor in writing of its decision within 7 working days after receiving the application materials forwarded by the provincial-level cyberspace administration.
• Step 4: The data processor may be notified to supplement or correct its application materials within a prescribed time limit, failing which the application will be terminated. Time extension may be allowed in complicated cases.
• Step 5: After the security assessment is completed, the data processor will receive a notification of the assessment results. The data processor may submit is appeal to the CAC within 15 working days after receiving the assessment results for a re-assessment, and the re-assessment result is final.

Finally, the Guidelines also set out a list of application documents, including templates for (1) an authorisation letter; (2) an application form for cross-border data transfer security assessment; and (3) a self-assessment report for cross-border data transfer.

[1] Data processors must file a security assessment for cross-border data transfer with CAC through the provincial cyberspace administration where the data processer is located if:

1. important data will be transferred;
2. personal information will be transferred by critical information infrastructure operators or data processors processing personal information of over 1,000,000 individuals in China;
3. personal information will be transferred by data processors who have either accumulatively transferred (i) personal information of more than 100,000 individuals; or (ii) sensitive personal information of more than 10,000 individuals outside of China since 1 January of the previous year; or
4. other situations set out by CAC that require a filing under the security assessment regime.

In particular, the self-assessment report shall contain the following details:

• a brief description of the self-assessment, including the start date and end date, descriptions on the assessment design and its implementation processes and methods;
• an overview of the cross-border transfer activities, including detailed descriptions of the agreed legal documents and information on the data processor, the business and information systems involved in the cross-border data transfer, the data to be exported, the capability of the data transferor and the data recipient to ensure security of the data transferred;
• a risk assessment on any contemplated cross-border transfer activities, which shall be conducted in accordance with Article 5 of the Measures and focus on the issues and potential risks discovered during the assessment, the corresponding rectification measures and results; and
• a conclusion for the self-assessment based on the risk assessment conducted and the corresponding rectification actions.

Our observations:

Depending on the complexity of the proposed cross-border data transfer, preparing the self-assessment report requires data privacy expertise and could be a time-consuming process. Data processors in China which are subject to the CAC security assessment may require professional assistance in this process.

Key contacts