A Brief Review of China’s Measures for the Security Assessment of Outbound Data Transfer

September 2022

Joyce Wen and Teresa Huang

In recent years, the digital economy has been booming and cross-border data activities have become frequent, and the cross-border flow of data not only affects personal information rights and interests but also relates to national security and the social public interest.  To date, the laws relating to cross-border data activities promulgated in the Chinese Mainland include the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law.  On July 7, 2022, the Cyberspace Administration of China also issued the Measures for the Security Assessment of Outbound Data Transfer (hereinafter referred to as the “Measures”) to further specify and implement the provisions of the aforementioned laws regarding outbound data transfer.  The Measures clarify the objects, procedures, requirements, time limits and other main elements of the security assessment of outbound data transfer, and provide specific guidelines for that assessment so as to prevent security risks arising from outbound data transfer and ensure the orderly and free flow of data in accordance with the law.

The Measures clarify the concept of outbound data transfer activities[1], including: (1) the transfer (or storage) outside of China of relevant data collected or generated by data processors in their operations within the territory of China; and (2) data that, while collected or generated within the territory of China and stored in China, can be visited or accessed by overseas entities or persons.  It should be noted that in the second case above, the data that, while stored in China, can be visited or accessed by overseas entities or persons is still considered as outbound data transfer activities.

The Measures stipulate the specific circumstances under which a data processor shall apply for the security assessment of outbound data transfer, together with a catch-all provision, including: (1) the data processor provides important data abroad; (2) a critical information infrastructure operator, or a data processor that has processed the personal information of over one million people, provides personal information abroad; (3) a data processor that has provided abroad the personal information of over 100,000 people or the sensitive personal information of over 10,000 people cumulatively since January 1 of the previous year provides personal information abroad; and (4) any other circumstance where an application for the security assessment of outbound data transfer is required by the national cyberspace administration.  It is worth noting that circumstance (3) above adds a time span as compared to the Measures (Draft for Comments)[2], clarifying that, taking January 1 of the previous year as the starting point, only a data processor that has cumulatively provided abroad the personal information of over 100,000 people or the sensitive personal information of over 10,000 people is required to apply for the security assessment of outbound data transfer.  This is in fact a more favorable provision for small and medium enterprises with a small number of users and a low frequency of outbound data transfer, because as long as they stay below these thresholds they are exempt from the security assessment obligation.

The Measures establish the principle that a data processor must conduct a self-assessment of the risks of the outbound data transfer before applying for the security assessment.  The mandatory application for the security assessment of outbound data transfer applies only where the specific circumstances above are met, but the risk self-assessment is a necessary procedure for all data processors before providing data abroad, and enterprises should pay special attention to it.  Enterprises are reminded to focus on the matters the risk self-assessment is required to cover, including: the legality, legitimacy and necessity of the purpose, scope and method, among others, of the outbound data transfer and of the data processing by the overseas recipient; the size, scope, type and sensitivity of the data to be transferred abroad, and the risks that the outbound data transfer may pose to national security, the public interest, or the lawful rights and interests of individuals or organizations; the responsibilities and obligations that the overseas recipient undertakes to assume, and whether the overseas recipient’s management and technical measures and capabilities, among others, to perform those responsibilities and obligations can ensure the security of the data to be transferred abroad; whether data security protection responsibilities and obligations are fully agreed upon in the legal documents to be executed between the data processor and the overseas recipient in relation to the outbound data transfer; and whether data security and personal information rights and interests can be fully and effectively protected.

After receiving the application materials from the data processor, the national cyberspace administration shall complete the security assessment of outbound data transfer within 45 working days from the date of issuance of the written acceptance notice; if the situation is complicated or supplementary or corrected materials are needed, the period may be appropriately extended, and the data processor shall be informed of the expected extension.  A passing result of the security assessment of outbound data transfer is valid for 2 years from the date of issuance of the assessment result.

The Measures came into effect on September 1, 2022.  Enterprises are reminded that outbound data transfer must not be carried out on an as-is basis, without any supporting compliance measures.  It is recommended that, in addition to understanding the above-mentioned Cybersecurity Law, Data Security Law and Personal Information Protection Law, enterprises also carefully study the recently released Practice Guidelines for Cybersecurity Standards – Security Certification Specifications for Cross-Border Processing of Personal Information and the Standard Contract for Cross-Border Transfer of Personal Information, to ensure legal compliance for the outbound transfer of enterprise data.

(The authors’ opinions do not represent the position of this law firm.)


[1] Q&A About the Measures for the Security Assessment of Outbound Data Transfer – Cyberspace Administration of China (cac.gov.cn), http://www.cac.gov.cn/2022-07/07/c_1658811536800962.htm

[2] Article 4 of the Measures for the Security Assessment of Outbound Data Transfer (Draft for Comments): To provide data abroad under any of the following circumstances, a data processor shall apply to the national cyberspace administration for the security assessment of the outbound data transfer through the local provincial cyberspace administration: (1) the personal information and important data collected and generated by the critical information infrastructure operator; (2) the outbound data containing important data; (3) the data processor that has processed the personal information of over one million people provides personal information abroad; (4) the cumulative provision of the personal information of over 100,000 people or the sensitive personal information of over 10,000 people abroad; or (5) any other circumstance where an application for the security assessment of outbound data transfer is required by the national cyberspace administration.