When does a business need to submit to a mandatory security assessment by the CAC?
If any of the following criteria are met, a business must submit to a mandatory security assessment by the CAC before it can transfer data out of China:
- The business is transferring ‘critical data’ (as defined below) out of China; or
- The business is: (a) a critical information infrastructure (CII) operator, or (b) processing the personal information of more than one million individuals; or
- The business has transferred out of China: (a) the personal information of more than 100,000 individuals, or (b) the sensitive personal information of more than 10,000 individuals, since 1 January of the previous year.
The CAC may also impose or identify other circumstances in which a security assessment is required.
What constitutes a ‘cross-border transfer’?
It remains to be seen how the CAC will interpret and implement the Measures. However, the following are common scenarios that will likely constitute a cross-border transfer and therefore be subject to the Measures:
- A multinational company with local operations in China has a shared working system for all of its global offices, where employees outside China have remote access to critical data or personal information collected within China.
- Employees who are based outside China have access to critical data or personal information which is collected within China, during their business travel in China.
- A foreign entity collects the personal information of Chinese data subjects for the purpose of selling goods or providing services to them, or assessing their individual behaviour.
What is ‘critical data’?
The concept of ‘critical data’ was first introduced in the Cybersecurity Law and was referred to again in the Data Security Law. The central government is required to publish a national-level catalogue of critical data whilst regional and sectoral regulators are required to issue more detailed catalogues to further identify the scope of critical data in their regions and sectors.
The draft national standard [1] on general identification rules for critical data was released on 13 January 2022 for public comment. It is anticipated that the national standard will be finalised for publication soon. However, no specific definitions or examples are provided in the draft national standard. A case-by-case risk analysis is recommended in order to determine whether the data constitutes critical data. Some sectoral regulators have started to experiment with providing detailed definitions and examples of critical data in specific sectors. This includes the automotive and banking industries. For example, according to the rules issued by the automotive industry regulator, geological data, passenger and vehicle flows in military zones and other sensitive locations, and operational data of automobile charging networks are identified as critical data.
Who are CII operators?
CII is defined broadly as infrastructure that could, if damaged or compromised, seriously endanger national or public interests. In practice, if an entity has already been notified by a sectoral or local regulator that it is designated as a CII operator, then it must comply with all requirements applicable to CII operators. However, the fact that an entity has not yet been so notified does not mean that it will not be classified as a CII operator. Ultimately, a case-by-case risk analysis is still advised.
Will the number of data subjects be calculated on a whole-group basis or for each subsidiary?
Corporate groups with several affiliates in China will likely be treated collectively for the purpose of determining whether or not they meet the thresholds which trigger the requirement of a mandatory security assessment. This is particularly the case where affiliates within China engage in intra-group data sharing.
It is extremely important to note that, in recent enforcement actions, Chinese governmental authorities have shown a tendency to look through the ‘corporate veil’ when assessing how much personal information or critical data is collected and processed by the group companies and who the key decision makers in the group are in terms of data activities. Hence, a case-by-case analysis based on a self-assessment is advised.
What are the legal consequences of violations?
Violations may result in the business and its officer in charge of data privacy being liable for penalties under the Cybersecurity Law, Data Security Law and Personal Information Protection Law. These include having to comply with a rectification order, an order to cease any transfer activity, and fines of up to RMB 50 million or 5 per cent of the business’ annual revenue, and up to RMB 1 million for the relevant officer in charge. The revocation of a business’ licence and/or criminal charges may apply in cases which involve serious violations.
How should a business prepare for compliance with the Measures?
For all activities that could constitute cross-border data transfers, a self-assessment and data mapping exercise are advised to determine whether the Measures apply. In particular, a business should ensure that it:
- Performs a case-by-case analysis to identify whether it is a CII operator, or processes critical data or personal information (including sensitive personal information).
- Ascertains the number of data subjects whose personal data is transferred from China overseas.
- Adheres to, and ensures that all recipients of the transferred data adhere to, any and all data privacy requirements under the local laws of the foreign jurisdiction where such data recipients are located.
- Engages and consults with the CAC about procedures and formalities in preparation for the security assessment, if the self-assessment indicates that a mandatory security assessment is triggered.
- Adopts, in line with good market practice, template data transfer and processing agreements which specify clearly the responsibilities and liabilities of the transferor and recipient of the data, including in intra-group cross-border transfers as well as transfers to data processors located outside of China.
Given that the Measures will take effect on 1 September 2022 and businesses only have a grace period of six months to rectify any non-compliant activities pertaining to data transfers out of China, business organisations are advised to plan ahead and to start aligning their practices with these new requirements as soon as possible.
[1] The draft of Information Security Technology ‒ Guideline for Identification of Critical Data was released on 13 January 2022 on the National Information Security Standardization Technical Committee’s website.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.
Client Alert 22-191