The “Security Assessment Measures for Outbound Data Transfers” will come into force on Sep. 1, 2022
The “Security Assessment Measures for Outbound Data Transfers” (hereinafter referred to as the “Measures”) were promulgated on May 19, 2022, and will come into force on Sep. 1, 2022. Foreign-invested enterprises frequently exchange data with overseas affiliates, so it is highly recommended that they pay attention to the relevant requirements stipulated in the “Measures”. The following is a brief introduction to the main provisions of the “Measures”.
- Evaluation object
Article 2 of the “Measures” stipulates that the “Measures” apply to the security assessment of critical data and personal information collected and generated by a data processor in its operation in the People’s Republic of China, which are to be provided abroad; where laws and administrative regulations provide otherwise, such provisions shall prevail.
According to the above provision, critical data and personal information may be provided abroad only after a security assessment has been carried out by the company or the competent authorities. Regarding the phrase “provided abroad”, in practice the following situations would be deemed to fall under it: (a) storing relevant data overseas, including transmitting or reading it via the internet; and (b) providing the access credentials or ports of a domestic database to overseas entities, including search or download functions.
- Self-assessment on the risks of the outbound data transfer
According to Article 5 of the “Measures”, prior to declaring security assessment for an outbound data transfer, a data processor shall conduct self-assessment on the risks of the outbound data transfer, with focus on the assessment of the following matters:
(I) the legality, legitimacy and necessity of the purpose, scope and method of the outbound data transfer and data processing by the overseas recipient;
(II) the scale, scope, type and sensitivity of the data to be provided abroad, and the risks to national security, public interests or the legitimate rights and interests of individuals or organizations caused by the outbound data transfer;
(III) the responsibilities and obligations that the overseas recipient promises to undertake, and whether the overseas recipient’s management and technical measures and capabilities for performing its responsibilities and obligations can guarantee the security of the outbound data transfer;
(IV) risks of the data to be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the outbound data transfer; whether the channel for the maintenance of personal information rights and interests is smooth;
(V) whether the relevant contracts on the data to be concluded with the overseas recipient or other legally binding documents (hereinafter referred to collectively as the “legal documents”) have fully agreed on the responsibilities and obligations to protect the data security; and
(VI) other matters that may affect the security of the outbound data transfer.
Since there is no definition of “data processor” in the “Measures”, we believe that a data processor refers to the entity that plans to transfer critical data or personal information overseas. Therefore, even if an entity does not deal with the personal information of clients or users, if it sends employees’ personal information to its headquarters in Japan, it shall conduct the security assessment.
- To declare security assessment for its outbound data transfer to the Cyberspace Administration of China
According to Article 4 of the “Measures”, to provide data abroad under any of the following circumstances, a data processor shall declare security assessment for its outbound data transfer to the Cyberspace Administration of China (“CAC”) through the local cyberspace administration at the provincial level:
(I) where a data processor provides critical data abroad;
(II) where a key information infrastructure operator or a data processor processing the personal information of more than one million individuals provides personal information abroad;
(III) where a data processor has provided personal information of 100,000 individuals or sensitive personal information of 10,000 individuals in total abroad since January 1 of the previous year; and
(IV) other circumstances prescribed by the CAC for which declaration for security assessment for outbound data transfers is required.
In view of the above provision, a company has to declare security assessment for its outbound data transfer to the CAC only when one of these conditions is met. The local legal entity shall declare security assessment to the CAC through the provincial cyberspace department.
- The process for the declaration of security assessment for an outbound data transfer
According to Article 6 of the “Measures”, to declare security assessment for an outbound data transfer, the data processor shall submit the following materials: (I) a declaration form; (II) a self-assessment report on the risks of the outbound data transfer; (III) the legal documents to be concluded by the data processor and the overseas recipient; and (IV) other materials necessary for security assessment.
Regarding the due period, according to Article 12, the CAC shall, within 45 working days of issuing a written notice of acceptance to the data processor, complete the security assessment for the outbound data transfer; if the situation is complicated or supplementary or corrected materials are needed, the assessment may be extended appropriately, and the data processor shall be notified of the expected extension period. The data processor shall be informed of the assessment results in writing.
According to Article 13, where a data processor has any objection to the assessment results, it may, within 15 working days of receiving the results, apply to the CAC for a re-assessment, and the re-assessment results are final.
- The key assessment items
Article 8 stipulates that the assessment of the risks to national security, public interests, or the legitimate rights and interests of individuals or organizations that may be caused by the outbound data transfer mainly includes the following matters:
(I) the legality, legitimacy and necessity of the purpose, scope, and method of the outbound data transfer;
(II) the impact of the data security protection policies and regulations and the cybersecurity environment of the country or region where the overseas recipient is located on the security of data to be provided abroad, and whether the data protection level of the overseas recipient meets the requirements of the laws and administrative regulations of the People’s Republic of China and mandatory national standards;
(III) the size, scope, types and sensitivity of data to be provided abroad, and the risks that the data may be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the data is provided abroad;
(IV) whether data security and personal information rights and interests can be fully and effectively guaranteed;
(V) whether the legal documents to be concluded by the data processor and the overseas recipient have fully agreed on the responsibilities and obligations of data security protection;
(VI) compliance with Chinese laws, administrative regulations and departmental rules; and
(VII) other matters that the CAC considers necessary to assess.
- Validity period of the security assessment results
According to Article 14, the results of security assessment for an outbound data transfer are valid for two years, commencing from the date when the results are issued. The data processor shall re-apply for assessment if any of the following circumstances occurs within the valid period of time:
(I) the purpose, method, scope and type of the outbound data transfer, or the purpose and method of data processing by the overseas recipient have changed, affecting the security of the data provided abroad, or extending the period of storage of personal information and critical data abroad;
(II) the security of the data provided abroad is affected due to changes in the data security protection policies or regulations or the cybersecurity environment of the country or region where the overseas recipient is located, any other force majeure event, or any change in the actual control of the data processor or the overseas recipient, or any change in the legal documents between the data processor and the overseas recipient; and
(III) any other circumstance affecting the security of the data provided abroad.
If it is necessary to continue outbound data transfers after the expiration of the period of validity, the data processor shall declare a new assessment 60 working days before the expiration of the period of validity.
- Contracts and other legal documents signed with overseas recipients
According to Article 9, a data processor shall expressly agree on the responsibilities and obligations of data security protection in the legal documents concluded with the overseas recipient, which shall at least include the following contents:
(I) the purpose and method of the outbound data transfer and the scope of the data, and the purpose and method, etc. for processing the data by the overseas recipient;
(II) the location and duration of storage of the data abroad, as well as the handling measures for the outbound data transfer after the storage period expires, the agreed purpose is completed, or the legal documents are terminated;
(III) restrictive requirements on the overseas recipient’s re-transfer of the outbound transferred data to other organizations and individuals;
(IV) the security measures to be taken by an overseas recipient when actual control or business scope has changed substantially, data security protection policies and regulations and cybersecurity environment of the country or region where the overseas recipient is located have changed, or the occurrence of any other force majeure event, under which data security cannot be ensured;
(V) remedial measures, liability for breach of contract and dispute resolution in the event of violation of data security protection obligations agreed in legal documents; and
(VI) the requirements to properly carry out emergency response when the data provided abroad is at risk of being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used, as well as the ways and methods to protect individuals’ personal information rights and interests.