On 31 August 2022, the Cyberspace Administration of China ("CAC") published the Guidelines on the Application of Security Assessment of Cross-border Transfer of Data ("Guidelines") to clarify how organisations in China can apply to CAC for a security assessment for cross-order data transfer, a requirement stipulated under the Measures for Security Assessment of Cross-border Transfer of Data ("Measures") which became effective on 1 September 2022.
The Guidelines provide clarity on when such security assessment is applicable, and how data processors in China can apply to CAC for a security assessment for cross-border data transfer.
The CAC security assessment is a requirement under the Personal Information Protection Law, the Data Security Law and the Cybersecurity Law in China. Please see our previous articles Important Updates On Cross-border Data Transfer In China and Proposed security assessment mechanism for transferring data outside of China for details. A data processor is required to apply to CAC for a security assessment for cross-border data transfer if the proposed data transfer meets any of the thresholds specified under the Measures[1].
The Guidelines clarify that the following circumstances constitute cross-border data transfer:
- A data processor transfers data collected and generated in China to an overseas jurisdiction;
- remote access to, retrieval, downloading or export of data stored in China by an overseas institution, organisation or individual; and
- other cross-border data transfers as may be specified by CAC from time to time.
The Guidelines also set out five key steps in the security assessment application process.
- Step1: Submission of application documents to the provincial-level cyberspace administration at the place where the data processor is located.
- Step 2: The provincial-level cyberspace administration shall check the completeness of the application materials within 5 working days upon receipt of application. Incomplete applications would be rejected.
- Step 3: CAC shall decide whether to process the application and notify the data processor in writing of its decision within 7 working days after receiving the application materials forwarded by the provincial-level cyberspace administration.
- Step 4: The data processor may be notified to supplement or correct its application materials within a prescribed time limit, failing which the application will be terminated. Time extension may be allowed in complicated cases.
- Step 5: After the security assessment is completed, the data processor will receive a notification of the assessment results. The data processor may submit is appeal to the CAC within 15 working days after receiving the assessment results for a re-assessment, and the re-assessment result is final.
Finally, the Guidelines also set out a list of application documents, including templates for (1) an authorisation letter; (2) an application form for cross-border data transfer security assessment; and (3) a self-assessment report for cross-border data transfer.
[1] Data processors must file a security assessment for cross-border data transfer with CAC through the provincial cyberspace administration where the data processer is located if:
- important data will be transferred;
- personal information will be transferred by critical information infrastructure operators or data processors processing personal information of over 1,000,000 individuals in China;
- personal information will be transferred by data processors who have either accumulatively transferred (i) personal information of more than 100,000 individuals; or (ii) sensitive personal information of more than 10,000 individuals outside of China since 1 January of the previous year; or
- other situations set out by CAC that require a filing under the security assessment regime.
In particular, the self-assessment report shall contain the following details:
- a brief description of the self-assessment, including the start date and end date, descriptions on the assessment design and its implementation processes and methods;
- an overview of the cross-border transfer activities, including detailed descriptions of the agreed legal documents and information on the data processor, the business and information systems involved in the cross-border data transfer, the data to be exported, the capability of the data transferor and the data recipient to ensure security of the data transferred;
- a risk assessment on any contemplated cross-border transfer activities, which shall be conducted in accordance with Article 5 of the Measures and focus on the issues and potential risks discovered during the assessment, the corresponding rectification measures and results; and
- a conclusion for the self-assessment based on the risk assessment conducted and the corresponding rectification actions.
Our observations:
Depending on the complexity of the proposed cross-border data transfer, preparing the self-assessment report requires data privacy expertise and could be a time-consuming process. Data processors in China which are subject to the CAC security assessment may require professional assistance in this process.
Key contacts
Key contacts
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.