On September 1, 2022, the Security Assessment Measures for Outbound Data Transfers (Measures) made by the Cyberspace Administration of China (CAC) came into effect. The Measures supplement the provisions on data security assessments as set forth in the Personal Information Protection Law and other relevant laws. The CAC also released the Guidelines for Declaration of Security Assessment for Data to Be Transmitted Abroad (Guidelines), first edition, on August 31, 2022, which also came into effect on September 1, 2022, and provide more guidance on the declaration for security assessment under the Measures.
Application Scope
The Measures apply to the security assessment of critical data and personal information collected and generated by a data processor in its operation within the territory of China. According to the Measures, a data processor is now required to declare the relevant information to the CAC for the security assessment of the outbound data transfer in the following circumstances:
- Where a data processor provides critical data abroad (the “critical data”, as defined in Article 19 of the Measures, is data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, the economic operation, social stability, public health and security, etc.);
- Where a data processor is a key information infrastructure operator, or processes the personal information of more than 1,000,000 individuals;
- Where a data processor provided personal information of 100,000 individuals or sensitive personal information of 10,000 individuals in total abroad since January 1 of the previous year; and
- Other circumstances prescribed by the CAC for which a declaration for security assessment for outbound data transfer is required.
In addition to the activities as of the September 1, 2022 effective date, the Measures also apply retroactively to activities prior to September 1, 2022, and data processors are required to rectify any activities that are not in compliance with the Measures within the six-month period preceding September 1, 2022.
Outbound Data Transfers
The Guidelines define an outbound data transfer to be any of the following circumstances:
- Where a data processor transfers or stores abroad data collected or generated during its operation within the territory of China;
- Where the data collected and generated by a data processor is stored within the territory of China, but the overseas institutions, organizations or individuals are able to find, retrieve, download or export the data; and
- Any other activity of outbound data transfer as stipulated by the CAC.
Security Assessment Procedure
The procedure for conducting a data security assessment under the Measures includes the following:
- The data processor must conduct a self-assessment before declaring to the CAC for the security assessment. The self-assessment report is one of the required materials in the declaration to the CAC. A template of the self-assessment report can be found in the Guidelines.
- The data processor shall submit the following materials to the CAC via the cyberspace authority at the provincial level: (1) the declaration form, (2) the self-assessment report on the risks of the outbound data transfer, (3) underlying legal documents (relevant contract on the data or other legally binding documents) to be concluded by the data processor and the overseas recipient, and (4) other materials necessary for the security assessment.
- The cyberspace authority at the provincial level determines whether the materials are complete within five business days upon receiving the materials, and if the materials are complete, sends them to the CAC.
- The CAC notifies the data processor of whether the materials are accepted within seven business days upon receiving the materials, and if the materials are accepted, organizes the relevant departments of the State Council, the cyberspace administration at the provincial level and the specialized institutions to conduct the security assessment, which shall be completed within 45 business days after the CAC issues the written notification of acceptance. The 45-business-day review period may be extended if the situation is complicated or if any supplementary or corrected materials are necessary.
Thus, the process is supposed to take no more than 57 business days in total from the data processor’s submission of the materials, provided that the materials meet all requirements and the CAC’s review period is not extended.
Key Points of Security Assessments
The self-assessment by the data processor and the assessment by the authorities under the Measures have a few key elements in common, including:
| Self-assessment | Assessment by Authorities |
| --- | --- |
| The legality, legitimacy and necessity of the purpose, scope and method of the outbound data transfer and the data processing by the overseas recipient. | The legality, legitimacy and necessity of the purpose, scope and method of the outbound data transfer. |
| The scale, scope, type and sensitivity of the data to be transferred abroad, and the risks to the national security, public interests or the legitimate rights and interests of individuals or organizations caused by the outbound data transfer. | The scale, scope, type and sensitivity of the data to be transferred abroad. Whether data security and personal information rights and interests can be fully and effectively guaranteed. |
| The duties and obligations that the overseas recipient commits to perform, and whether the overseas recipient’s management and technical measures, as well as capabilities for performing its duties and obligations, can guarantee the security of the data to be transferred abroad. | The impact of the data security protection policies and regulations as well as the cybersecurity environment of the country or region where the overseas recipient is located on the security of the data to be transferred abroad, and whether the data protection level of the overseas recipient meets the requirements of the laws, administrative regulations and mandatory national standards of China. |
| The risks of the data being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the outbound data transfer. Whether there is a smooth channel for safeguarding personal information rights and interests. | The risks that the data may be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the outbound data transfer. |
| Whether the duties and obligations for data security protection are stipulated sufficiently in the legal documents to be concluded with the overseas recipient. | Whether the duties and obligations for data security protection are stipulated sufficiently in the legal documents to be concluded by the data processor and the overseas recipient. |
| N/A | Compliance with Chinese laws, administrative regulations and departmental rules. |
| Other matters that may affect the security of the outbound data transfer. | Other matters that the CAC considers necessary to assess. |
Re-assessment
Data processors will be informed of the result of any security assessment in writing, and a passing result is valid for two years. Re-assessment is required when the result is due to expire within 60 days, or in any of the following circumstances:
- The purpose, method, scope and type of the outbound data transfer, or the purpose and method of data processing by the overseas recipient have changed, affecting the security of the data provided abroad, or extending the period of storage of personal information and critical data abroad;
- The security of the data provided abroad is affected due to changes in the data security protection policies or regulations or the cybersecurity environment of the country or region where the overseas recipient is located, any other force majeure event, or any change in the actual control of the data processor or the overseas recipient, or any change in the legal documents between the data processor and the overseas recipient; and
- Any other circumstance affecting the security of the data provided abroad.
We are closely monitoring developments and assisting clients in their efforts to comply with the Measures and Guidelines.
This client alert is published by Fredrikson & Byron and does not constitute legal or professional advice. Please consult a Fredrikson attorney with any questions.