Reed Smith In-depth

China has witnessed the digitisation of its society at an extremely fast pace over the past five years. In the era of big data, data has become a strategic asset for international and domestic companies in China, and this presents both opportunities and compliance challenges for business organisations. China’s Cybersecurity Law, Data Security Law and Personal Information Protection Law constitute China’s comprehensive legal regime for data protection and cybersecurity and provide specific requirements for data localisation and cross-border data transfers.

Since June 2022, China’s data regulators have issued a series of wide-ranging laws and regulations to provide more details and guidance on the implementation of cross-border data transfer mechanisms. The mechanisms currently available for transferring data out of China are:

  • Security certification
  • China standard contractual clauses (SCCs)
  • Cyberspace Administration of China (CAC) security assessment

This article outlines the above three approaches, compares the different application scenarios and discusses what compliance actions companies should consider from a practical perspective.

CAC security assessment

CAC released the Measures for Security Assessment of Cross-Border Data Transfer (Security Assessment Measures) on 7 July 2022 and the Guidelines on Application for Security Assessment of Cross-Border Data Transfers (1st Edition) (Security Assessment Guidelines) on 31 August 2022. Both came into effect on 1 September 2022. According to the Security Assessment Measures and Security Assessment Guidelines, a CAC security assessment is required for cross-border data transfers in any of the following circumstances:

  • Cross-border transfers of important data
  • Cross-border transfers of personal data by critical information infrastructure (CII) operators
  • Cross-border transfers by a data exporter processing the personal data of 1 million or more individuals
  • Any transfer (in aggregate) of the personal data of more than 100,000 individuals or the sensitive personal data of more than 10,000 individuals that has occurred since 1 January of the preceding year
  • Other situations requiring security assessment in accordance with PRC laws and regulations

In practice, the following issues should be taken into consideration for the purpose of security assessment:

1) Important data

“Important data” is defined as any data which may endanger China’s national security, economic operation, social stability, public health or public security, if it is tampered with, destroyed, leaked, or illegally acquired or used. The general principle for identifying important data is expected to be industry specific, department specific or region specific and will be further detailed by industry regulators and local authorities.

2) CII

CII is defined as “important network facilities and information systems” in the areas of public communication and information services, energy, transport, water conservation, finance, public services, e-government, national defence, and science and technology, as well as industries in which any damage, loss of function or data leakage may seriously endanger national security, the national economy and people’s livelihoods, or the public interest.

In practice, an entity that has not been notified by its industry regulator that it is a CII operator is highly unlikely to be treated as one. However, it is still necessary to keep abreast of any changes to the definition of CII and to communicate with the industry regulator from time to time on the entity’s current status.

Please note that Chinese regulators are in the process of finalising the regulations on determining important data and CII, and the final version is likely to be issued in the near future.

3) International data transfers

The Security Assessment Guidelines clarify that international data transfers from China include the following scenarios:

  • An entity collects or generates data during its day-to-day operations in China and stores the data abroad or transfers it abroad.
  • A foreign entity outside China has remote access to (including being able to view, download, retrieve and export) data which is collected or generated during day-to-day operations in China and stored locally in China.
  • Any other international transfer of data as determined by CAC at its discretion from time to time.

In practice, multinational companies often run shared IT systems or applications where the Chinese subsidiary shares, transfers or grants access to data collected or generated in China. This will be treated as a cross-border data transfer subject to mandatory security assessment if it falls under any of the above scenarios.

4) Documents, process and timeline

In order to initiate the security assessment process, the data exporter in China must work with the foreign data recipient to prepare a large volume of requisite documents, including the self-assessment report, the cross-border data transfer agreement, the application form and any other supplementary information depending on the specific requirements set out by CAC in the Security Assessment Measures and Security Assessment Guidelines.

The CAC security assessment takes about 60 working days, but this may be extended for complicated cases. The data exporter is notified of one of three outcomes: (i) the assessment was not applicable; (ii) the assessment was passed and the data transfer is allowed; or (iii) the assessment was not passed and the data transfer is not allowed. If the data exporter is not satisfied with the outcome of the CAC’s security assessment, it has the right to apply for a review, the result of which will be final.

The security assessment is valid for two years. The data exporter is required to apply for a new assessment upon the expiry of the two-year period or in the event of any change affecting data security, such as an extension of the data retention period, a change of control of the foreign data recipient, major changes in the destination country’s data laws and practice, or force majeure.

Any failure under a previous assessment to comply in full with the new rules must be rectified by 1 March 2023.