China’s new data-protection rules require certain enterprises that send Chinese personal information or other regulated data outside the country, or that let overseas parties handle it, to undergo a government-led security assessment. The rules also reach cross-border transfers that began before September 1, 2022: businesses have six months from that date to bring any noncompliant transfers out of China into compliance.
The Cyberspace Administration of China (CAC) Measures for Security Assessment of Cross-Border Data Transfer (the “Measures”) took effect on September 1, 2022. They were issued under the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law (PIPL). In summary, the Measures establish a security-assessment process for cross-border transfers of important data and personal information, giving concrete effect to the cross-border transfer requirements of those three laws.
The Measures outline the exact requirements, stages, and procedures for organizations that need to transmit data abroad for their operations; consequently, it may have a substantial influence on multinational corporations’ cross-border data transfer activities and associated data compliance measures in China.
Who must have a security assessment conducted by the government?
Article 4 of the Measures states that in the following four cases a data processor must apply to the CAC, through the cyberspace administration of its province, for a security assessment:
- Outbound transfer of Important Data by data processors
- Outbound transfer of data by Critical Information Infrastructure Operators (“CIIOs”)
- Outbound transfer of data by Personal Information (“PI”) processors who process PI of 1 million or more persons;
- Outbound transfer of data by PI processors who have in aggregate transferred overseas PI of 100,000 or more persons or Sensitive PI of 10,000 persons or more since January 1 of the previous year.
The Data Security Law (“DSL”) and its implementing regulations define “Important Data” as “data that, if disclosed, may affect national security, economic security, social stability, or public health and safety, such as undisclosed government information, large-scale information relating to population, population genetics and health, geography and mineral resources, and so on.”
The Cybersecurity Law (“CSL”) and its implementing regulations define critical information infrastructure (“CII”) as industries and sectors such as public communications and information services; energy; transportation; water security; finance; public services; E-government; defense technology industry; and other important network facilities and information systems that, if damaged or disabled, or if data is disclosed, may severely thr
The Personal Information Protection Law (“PIPL”) defines “PI” or “Personal Information” as “various kinds of information relating to identified or identifiable natural persons recorded by electronic or other means, excluding information that has been anonymized.” “Sensitive PI” is defined as “PI that, if leaked or illegally used, is likely to result in harm to the personal dignity of natural persons or to the safety of persons or property, including biometric identification, religious belief, specific identity, medical and health conditions, financial accounts, location and tracking information, and the PI of minors under 14.” Sensitive PI is a subset of PI that is subject to additional protection under the PIPL.
The Security Assessment Measures define “Outbound Activities” as: (1) the transfer to, or storage in, a location outside China of data collected or generated by data processors within the territory of China; and (2) remote access to, or retrieval of, data that was collected or generated within China and remains stored in China, by overseas entities or individuals. This is the first time remote access by foreign businesses or individuals to data held in China has been treated as outbound data activity. In practice, for a multinational corporation (“MNC”) doing business in China, an overseas parent or affiliate that views or queries data the MNC gathered or created in China is engaging in “data outbound” activity, even though the data never leaves Chinese servers.
It is important to remember that not every data export activity is subject to a government-led security assessment. A government-led security assessment is required only if the data export activity falls within one of the four cases listed above.
If a government-led assessment is required, companies must first conduct a self-assessment before applying for it. The self-assessment focuses on the following areas:
• The legality and necessity of the purpose, scope, and processing method.
• The volume, scope, type, and level of sensitivity of the data, as well as the potential risks to national security, public interest, and private person rights.
• Responsibilities of overseas recipients (whether relevant security measures are adequate).
• The risk of outbound data leakage, damage, tampering, abuse, and other threats.
• Whether the parties have entered into a legal document (for example, a data export contract) that sets out comprehensive data protection responsibilities for the overseas recipient.
Procedures for a government-led security assessment include:
• Application to the provincial-level CAC (application documents include the application form, the self-assessment report and the data export contract or other legal document, etc.)
• The provincial-level CAC checks the application for completeness within 5 working days; if the formal requirements are met, it forwards the application to the CAC at the central government level.
• The CAC at the central government level decides within 7 working days whether to accept the application and notifies the applicant in writing.
• If accepted, the assessment period is 45 working days from the written notice of acceptance; it may be extended for complex matters or where supplementary materials are required.
• The CAC sends the applicant a written assessment result.
If CAC determines that relevant data outbound activities are not subject to a government-led security assessment, it has the authority to refuse to process an application. In such cases, data processors may engage in data outbound activity via other legal means. If CAC decides to process an application and the application passes the data security assessment, data processors are permitted to engage in outbound data activity related to the application. If an application fails the data security assessment, data processors may not engage in data outbound activity with respect to the underlying data.
The government-led security assessment will focus on areas similar to the self-assessment, as well as the impact of data protection regulations and the network security environment in the data recipient’s home country, and whether data protection regulations in the overseas data recipient’s home jurisdiction have requirements comparable to those in China. This may indicate a higher tolerance for data transfer to European Union member states than to the United States.
Once completed, security assessments are valid for two years. If there is a change in the purpose, scope, processing method, or data retention period that affects the security conditions of the outbound data, a change in the control of the data processor or the data recipient, a change in the regulations or network security conditions of the data recipient’s home country, or a change in the legal documentation between the data processor and the data recipient that affects the security conditions of the outbound data, a re-application for a security assessment is required.
If a data processor intends to continue exporting data after the two-year term, it must re-apply no later than 60 working days before the assessment expires.
The Security Assessment Measures outline relevant scenarios in which a government-led security assessment will be required. MNCs should be aware that only data outbound activities that meet the conditions outlined in the Security Assessment Measures will be subject to a government-led security assessment. Outbound transfers of ordinary commercial and business data relating to MNCs’ business operations in China are unlikely to trigger a government-led security assessment.
Having said that, while MNCs are unlikely to be viewed as CIIOs, they should be aware of the requirements when processing and engaging in outbound data transfer from Chinese business counterparts who are CIIOs. MNCs must also pay attention to the type of data they receive from Chinese customers in regulated industries or who are likely to possess Important Data. MNCs engaged in B2C or online platform businesses should be aware of PI volume thresholds (i.e., the 1 million/100,000/10,000 rule). If a government-led security assessment cannot be avoided, companies should consider having the assessment cover a broad range of business needs to avoid the need for re-application during the 2-year validity period.
Standard Contract Provisions
On June 30, 2022, CAC issued the draft Provisions on the Standard Contract for the Outbound Transfer of Personal Information (the “Standard Contract Provisions”) and the accompanying Standard Contract template for public comment, with comments due by July 29, 2022.
The draft Standard Contract Provisions address the requirements of a standard contract as one of the alternatives for conducting outbound PI transfers under Article 38 of the PIPL.
According to the draft Provisions, PI processors who meet all of the following criteria are eligible to use a standard contract to conduct outbound PI transfers:
• not a CIIO;
• processing personal information for fewer than one million people;
• transferring overseas PI of fewer than 100,000 people since January 1 of the previous year; and
• transferring overseas Sensitive PI of fewer than 10,000 people since January 1 of the previous year.
A Standard Contract must include the following items: basic information about the parties; the purpose, scope, and method of PI processing; the type, sensitivity, quantity, retention period, and storage location of the PI; the responsibilities of the PI processor and overseas recipients, as well as technological and administrative measures to prevent security risks; and the impact that PI protection regulations in the country of the overseas recipient may have on compliance with the te
The standard contract template attached to the draft Provisions clarifies contract terms further. The standard contract template would explicitly require foreign enterprises to accept the jurisdiction of Chinese law, directly addressing the issue of application of law between the two parties in the negotiation process. Such extraterritorial application of Chinese law may discourage outbound data transfers.
In addition to signing the standard contract, PI processors must first conduct a personal information protection impact assessment (“PIPIA”), focusing on the following:
• The legality and necessity of the purpose, scope, and processing method of the PI processor [in China] and the overseas recipient.
• The amount, scope, type, and sensitivity level of the outbound PI, as well as the potential risks to the rights of the PI subjects.
• The overseas recipient’s responsibilities, including whether adequate management and technical safeguards are in place.
• The risk of leakage, damage, tampering, abuse, and other risks to the PI after export.
• The impact that PI protection regulations in the overseas recipient’s country may have on the fulfillment of the standard contract.
PI processors must file the standard contract with their provincial-level CAC within 10 working days of the contract’s effective date. The standard contract and the PI protection impact assessment report must be included in the filing.
The standard contract route to outbound PI transfer will mainly be available to small and medium-sized enterprises that are not CIIOs and process PI below the statutory volume thresholds. The draft Provisions do not appear to include an exception allowing MNCs to transfer employee data for centralized business, human resources and compliance management. It is also unclear whether a separate standard contract and CAC filing are required for each outbound transfer, which would impose an onerous compliance burden on businesses. Finally, the template’s governing-law clause would subject foreign recipients to Chinese law in any dispute over the contract.