On Oct. 29, 2021, the Cyberspace Administration of China (CAC) published the “Draft Measures on Security Assessment of Cross-Border Data Transfer” (Draft Measures) for comment through Nov. 28. The Draft Measures follow and are based on China’s Cybersecurity Law (CSL), Data Security Law (DSL), Personal Information Protection Law (PIPL) and related regulations. These measures appear intended to replace those previously published by the CAC and, once promulgated, will give effect to key requirements in the PIPL that came into effect on Nov. 1.
If made final, the Draft Measures will require data processors to conduct a security assessment before conducting any cross-border transfers of “important data” and personal information collected and produced in China. While not explicitly defined in the CSL or DSL, the draft Data Security Management Measures published on May 28, 2019 and the recent draft Information Security Technology – Guidelines on Identification of Important Data have defined “important data” as data that, if disclosed, may affect national security, economic security, social stability or public health, safety and interest, such as undisclosed government information, information relating to large-scale population, population genetics and health, geography and mineral resources.
Article 4 of the Draft Measures would require data processors to apply for a CAC-led security assessment in any of the following circumstances:
- Transfer of personal information and important data collected and generated by critical information infrastructure (CII) operators (as defined in the CSL).
- Transfer of important data.
- Transfer of personal information by data handlers who process over one million individuals’ personal information.
- Cumulative transfer of personal information of more than 100,000 individuals or “sensitive” personal information of more than 10,000 individuals.
- Other circumstances to be specified by the CAC.
Data processors that do not meet the foregoing criteria are not required to submit to a CAC-led security assessment but are still required to conduct an internally led risk assessment before transferring data outside China. This self-assessment requires focus on the following criteria:
- Whether the purpose, scope and means of cross-border transfer and data processing of overseas data recipients are legal, proper and essential.
- The volume, scope, type and sensitivity of the data to be transferred outside China, and the potential risks to national security, public interests and the legitimate interests of individuals and entities.
- Whether the data exporter has implemented adequate management and technical measures, and whether the overseas data importer has adopted similar measures to ensure the security of the data.
- The risk of data leakage, falsification, loss or abuse after the data has been transferred, and whether affected individuals may easily defend their rights with respect to their personal information.
- Whether the data transfer agreement clearly defines the data exporter’s and importer’s respective responsibilities for data protection.
Data processors that meet the requirements set forth in Article 4 of the Draft Measures for the mandatory CAC-led security assessment would be required to submit an application form, the data processor’s self-led security assessment and the relevant data transfer agreement. In evaluating a data handler’s mandatory security assessment, the CAC would review the following:
- Whether the purpose, scope and means of the cross-border transfer are legal, proper and essential.
- The data protection laws and regulations of the data recipient’s jurisdiction, their impact on the security of the data being transferred, and whether the protections provided by the data recipient meet the requirements of Chinese laws and regulations and mandatory national standards.
- The quantity, scope, type and sensitivity of the data being transferred and the risk of leakage, damage, corruption, loss and misuse.
- Whether the data transfer agreement clearly defines each party’s responsibilities for data protection.
- Compliance with Chinese laws, administrative regulations and ministry regulations.
- Other matters that are deemed necessary by the CAC.
Requirements of the Data Transfer Agreement
The data transfer agreement between the data processor and data recipient would need to include the following content:
- The purpose, method and scope of the cross-border transfer, and the method and purpose of processing by the data recipient.
- The location where the data will be stored outside of China and the data retention period (as well as the measures to be taken upon expiration of the retention period, termination of the data transfer agreement, or otherwise when the purpose of processing has been met).
- Provisions restricting re-transfer of the data to other individuals or entities.
- The security measures to be taken in the event of a material change to the data recipient’s business or relevant legal requirements or if the recipient otherwise cannot ensure the security of the data.
- Liability for violations of contractual data security responsibilities, as well as binding and enforceable dispute resolution provisions.
- In the event of a data leak or other breach, provisions requiring the data recipient to respond appropriately and safeguard individuals’ rights and interests in their personal information.
Government Review Procedure
The CAC would be required to decide within seven business days after receiving an application for a data security assessment whether it will be accepted. After issuing the notice of acceptance, the CAC would have 45 business days to complete the assessment. This period could be extended to 60 business days in complex cases. An approved transfer assessment would be valid for two years but is subject to re-assessment under any of the following circumstances:
- Changes to the purpose, means, scope and type of the cross-border transfer or processing of personal information and/or important data by the data recipient.
- An extension of the retention period for the personal information and/or important data.
- Changes to laws applicable to the data recipient, material changes to the recipient’s business or amendments to the data transfer agreement that might affect the security of the transferred data.
- Other circumstances that might affect the security of transferred data.
The Draft Measures make clear that the CAC’s bias is against overseas transfer and underscore the burdensome nature and extent of the required security assessments. Nonetheless, organizations that may be subject to these requirements should prepare for the final version of these Draft Measures and ensure they initiate procedures to address compliance with cross-border transfer requirements.