Circumstances subject to security assessment by CAC
As a general rule, not all cross-border data transfer activities are subject to security assessment by CAC. For instance, in terms of personal data, the PRC Personal Data Protection Law generally provides that only critical information infrastructure (CII) operators and personal data processors processing personal data that reaches the quantity threshold (see below) must pass the security assessment organised by CAC before the cross-border transfer of data.
The draft Measures further specify that prior to any cross-border transfer of data, CII operators and personal data processors will be subject to a security assessment conducted by CAC in any of the following circumstances:
- Transfer of personal data and important data collected and generated by CII operators
- Transfer of important data [1]
- Transfer of personal data by a personal data processor that has processed personal data of more than one million persons
- Transfer of the personal data of 100,000 persons or more, or transfer of the sensitive personal data of 10,000 persons or more
- Other circumstances provided by CAC
General process of security assessment
According to the draft Measures, the security assessment involves the following five steps:
Step 1: The data processor must conduct a risk self-assessment on various aspects of the cross-border data transfer before proceeding with the transfer.
In particular, the data processor must assess whether the contract signed by the cross-border recipient adequately covers the parties’ responsibilities and obligations with respect to data security and protection. The draft Measures also spell out what is required to be included in such a contract:
- The purpose, manner and scope of the cross-border data transfer, and the purpose and manner of the data processing by the cross-border recipient.
- The cross-border storage location, period of storage, and treatment measures upon the expiration of the storage period, accomplishment of the agreed purpose or the termination of the contract.
- A restrictive clause limiting the cross-border recipient’s ability to transfer the data to other organisations or individuals.
- Security precautions in the event of a change of control or change of business of the cross-border recipient, or in the event of changes in the legal environment of the country or region where the cross-border recipient is located, which may cause difficulties in ensuring the requisite data security.
- Liabilities for breach of data security protection obligations, and binding and enforceable dispute resolution clauses.
- Unobstructed channels to carry out emergency treatment and to ensure the protection of rights and interests of personal data in the case of risks such as data leakage.
After the self-assessment is done, the data processor must produce a data transfer risk self-assessment report, which is required to be submitted to CAC for review.
Step 2: The data processor must apply for a security assessment review with the local counterpart of CAC at the provincial level for its further forwarding to CAC.
Materials to be submitted include an application letter, the data transfer risk self-assessment report, and a contract signed by the cross-border recipient.
Step 3: CAC will, within 7 working days of receipt of the application materials, decide whether to accept the application for security assessment review. Once the decision is made, CAC must inform the data processor concerned in writing.
Step 4: If CAC accepts the application, it will conduct the review, together with other competent authorities and professional institutes, focusing on the following key elements of the data transfer:
- The legality, legitimacy and necessity of the purpose, scope and manner of data transfer.
- The impact of data security protection policies and regulations of the country or region where the cross-border recipient is located and the network security environment on the security of the data transfer, and whether the level of data protection of the cross-border recipient meets the requirements under PRC laws and regulations.
- The volume, scope, type and sensitivity of the data to be transferred; and the risk of leakage, tampering, loss, destruction, transfer, illegal access or illegal use during and after transfer.
- Whether data security and the rights and interests of personal data can be fully and effectively protected.
- Whether the contract signed by the cross-border recipient adequately covers the parties’ responsibilities and obligations with respect to data security and protection.
- Compliance with PRC laws and regulations.
- Other matters required by CAC.
Step 5: CAC will complete the security assessment within 45 working days after the issuance of the written acceptance notice. If the case is complicated or if supplementary materials are needed, the time period may be extended to up to 60 working days.
The authorities, institutes and officers involved in the review of the security assessments must keep confidential any state secrets, personal privacy, personal data, trade secrets, and other confidential information, and must not disclose or illegally provide the same to any other party.
Valid period of security assessment result and re-assessment
The result of the security assessment will be valid for two years. The draft Measures also require that if any of the following circumstances occur during the two-year period, the concerned data processor must apply for a re-assessment review by CAC:
- Changes to the purpose, manner, scope and type of the data to be transferred and the purpose and manner of the data processing by the cross-border recipient, or extension to the cross-border storage period of personal data and important data.
- Changes to the legal environment of the country or region where the cross-border recipient is located, changes to the actual control of the data processor or the cross-border recipient, and changes to the contract between the data processor and the cross-border recipient, where any of these may affect the security of the transferred data.
- Other circumstances affecting the security of the transferred data.
If the data processor intends to continue the cross-border transfer of data following the expiration of the original valid period, it will need to apply for re-assessment within 60 working days before the expiration of the original valid period.
Takeaway
Ever since the PRC Cybersecurity Law laid down the requirement for a security assessment to be conducted for cross-border data transfers in 2017, the whole market, especially multinational companies doing business in China, has been awaiting the issuance of detailed implementation rules for such transfers. In today’s global economy, it is almost inevitable that companies will need to perform cross-border data transfers as part of their daily operations whether for internal management or commercial purposes. The draft Measures, once finalised and officially issued, will be an important guideline for both data processors and authorities to follow when conducting cross-border data transfers involving China.
If you would like to discuss the impact of the draft Measures on your business, please contact the authors of this alert.
[1] ‘Important data’ generally refers to “data (including original and derivative data) collected or generated by the relevant organisations, institutions and individuals domestically, not involving state secrets, which is closely related to national security, economic development and public interests. Once such data is disclosed, lost, abused, tampered with or destroyed, or aggregated, integrated and analysed, it may cause a serious impact on national security, national economic and financial security, social and public interests and individual legal rights and interests.” More detailed rules regarding important data, especially the national standard ‘Information Security Technology – Identification Guide of Important Data’, are expected to be finalised and published in the near future.
Client Alert 2021-283