On July 7, 2022, the Cyberspace Administration of China (the “CAC”) issued the Measures on Security Assessment on Cross-border Transfer (the “Measures”), which became effective on September 1, 2022, and provide a six-month grace period to the relevant data handlers. On August 31, 2022, the CAC issued the Guidelines on Application for Security Assessment on Cross-border Transfer (the “Guidelines”), which further clarify certain issues and provide specific application documents for security assessments (including templates of application forms for security assessment on cross-border transfer and self-assessment reports for risks of cross-border transfer).
Applicable Scope of the Measures
Both personal information and important data (non-personal information, as defined below) are governed by the Measures. If a proposed cross-border data transfer satisfies any of the following conditions (“Condition”), data handlers shall, through the local cyberspace administration at provincial level, apply for a mandatory security assessment for such transfer:
- transfer of important data outside of China;
- transfer of personal information outside of China by a critical information infrastructure (“CII”) operator, or a data handler processing more than one million individuals’ personal information;
- cumulative transfer of personal information of more than 100,000 individuals from January 1 of the previous year or cumulative transfer of “sensitive” personal information of more than 10,000 individuals from January 1 of the previous year; or
- other circumstances required for security assessment provided by the CAC.
Under the Guidelines, cross-border transfer includes the following circumstances: (1) data handlers transfer and store the data collected and generated in domestic operations in China to any recipient outside of China; (2) the data collected and generated in China by data handlers is stored in China, but overseas entities, organizations or individuals could access, retrieve, download and/or export such data; and (3) other circumstances provided by the CAC.
Important data refers to any data whose tampering, damage, leakage or illegal acquisition or use may endanger national security, operation of the economy, social stability, public health and security (“Important Data”). Important Data will be further defined and subject to specific industrial regulations by different industries, such as financial, automobile and health and medicine. At present, only the automobile industry has issued its Important Data related rules: “Several Provisions on Vehicle Data Security Management.”
CII is defined very broadly under Chinese law. From a practical perspective, at present, if a data handler is not notified by the relevant government authorities that it is a CII operator, generally it may consider itself not a CII operator.
One Million Individuals
In terms of processing of one million individuals’ personal information, currently it is not clear whether there is a time span applicable for calculating the one million individuals. In theory, if the data handler who processes over one million individuals’ personal information only transfers a few individuals’ personal information, it also must pass the mandatory government assessment before a cross-border transfer. This is to be further interpreted by the competent Chinese authority.
Converted into Mandatory Security Assessment
A data handler (not a CII operator) may be eligible to sign the standard contract for cross-border transfer of personal information issued by the CAC (the “Standard Contract”), but then later meet the Condition for mandatory security assessments within two years from January 1 of the previous year and after execution of the Standard Contract. In that case, the data handler must pass the mandatory security assessment before the continual transfer of personal information outside of China.
Combined Counting or Separate Counting
A company may have several subsidiaries/affiliates in China and each subsidiary/affiliate may transfer personal information outside of China. If there is no data combination or data fusion among the subsidiaries/affiliates, each entity must calculate its thresholds for the mandatory security assessment separately.
A data handler might transfer personal information relating to the same individuals to several data recipients. In such case, it is not clear whether the number of individuals would be double counted.
Instructions for the application form provide very practical guidance and sample answers for data handlers. For instance, the data handlers must describe how data is transferred outside of China (e.g., via Internet or dedicated line), the data link of cross-border transfer (e.g., provider of data link, number and bandwidth of data link, the name, location and IP address of data centers inside and outside of China), and information on the data to be transferred (e.g., type, sensitivity, volume, industry). The data handlers may refer to Information Security Technology Personal Information Security Specification (GB 35273-2020) to determine whether personal information is considered sensitive personal information.
Before the application for the mandatory security assessment, the relevant data handlers must first conduct a self-assessment and prepare a self-assessment report based on the CAC’s template. The self-assessment is required to be completed within the three months before the application date, and there should be no material change in relation to the self-assessed matters until the application date.
The self-assessment report must include, but is not limited to, the following information: (1) basic information of the data handler (e.g., organization chart and investment inside and outside of China); (2) information on the business and information system related to the proposed cross-border transfer; (3) information on the proposed cross-border transfer; (4) the safeguard capability of the data handler; (5) basic information on the data recipient; and (6) the relevant legal document for cross-border transfer with highlighted key terms. For more details, refer to Appendix 4 of the Guidelines.
Specifically, the Guidelines list specific requirements for assessment of the safeguard capability of the data handler, including (1) management capability of data security (e.g., policies related to the management of data lifecycle, data categorization and classification, contingency response, risk assessment, data subjects’ rights); and (2) the technical capability of data security (including security technical measures covering the whole lifecycle of data) and documentation of the effectiveness of data security (e.g., security assessment report, data security capability certification, data security inspection test, audit report, multi-level protection of cybersecurity). For instance, if a data handler’s system is considered as level three or above from the perspective of multi-level protection of cybersecurity, it must conduct filing of multi-level protection of cybersecurity with the local public security bureau before applying for a security assessment by the CAC. The Guidelines do not list the aforementioned specific requirements for assessment of safeguard capability of data recipients. It is not clear whether the CAC would use the same standard to evaluate safeguard capability of data recipients.
In the risk assessment section of the self-assessment report, the data handler must explain issues and potential risks involved from the following perspectives and illustrate relevant correction measures and effectiveness of correction:
- Whether the purpose, scope and methods of cross-border data transfer and data processing by the data recipient are legal, legitimate and necessary;
- The scale, scope, types and sensitivity of data to be transferred outside of China, and potential risks to national security, public interest or the legitimate rights and interests of individuals or organizations caused by cross-border data transfer;
- Whether duties and obligations undertaken by the data recipient, and its management, technical measures and capabilities for fulfillment of such duties and obligations can safeguard the data to be transferred;
- The risk of data being tampered with, damaged, leaked, lost, relocated or illegally acquired or used during and after cross-border transfer, and whether the channels for individuals to safeguard their personal information rights and interests are smooth;
- Whether the data security protection responsibilities and obligations are sufficiently stipulated in the enforceable contract or other documents in relation to cross-border transfer with the data recipient; and
- Other matters that may affect the security of cross-border data transfer.
The relevant data handlers must submit the following documents for application for a mandatory security assessment:
- Copy of the unified social credit code certificate;
- Copy of the legal representative’s identity certificate;
- Copy of the authorized representative’s identity certificate;
- Power of attorney for the authorized representative (template available);
- Application form for the security assessment of cross-border transfer (template available);
- Copy of the cross-border transfer contract or other relevant documents with legal effect (such documents must be in Chinese);
- Self-assessment report on the risks of cross-border transfer (template available); and
- Other relevant materials.
Mandatory Security Assessment Procedure
Data handlers must submit paper application materials and electronic versions to the cyberspace administration at the provincial level. Such regulator must complete the formality review within five business days after receipt of the application documents. If such documents satisfy the formality requirements, such regulator would submit the application materials to the CAC.
Upon receipt of the application documents from the cyberspace administration at the provincial level, the CAC must notify the applicant in writing whether it accepts the application within seven business days. If the CAC accepts the application, it must complete the security assessment within 45 business days after issuing a written notification of acceptance. In the case of complexity or supplementing/amending application documents, an appropriate extension is allowed. Most of the applications likely would not fall into such extension scenario.
In general, the estimated time for completion of the security assessment by the CAC is within 57 business days. Given that a large volume of applications likely will be submitted at the beginning of effectiveness of the Measures, the review period likely will not be significantly shortened at present.
If the relevant data handlers object to the result of security assessment, they may apply for re-assessment within 15 business days upon receipt of such result. The re-assessment would be final and binding.
In addition to the risks assessed by self-assessment, the mandatory security assessments focus more on the potential risks to national security and public interests (e.g., assessment of the impact of data protection laws and regulations and the cybersecurity environment of the country or region where the data recipients are located in cross-border transfer; whether the data protection level of the country or region where the data recipients are located could reach a level equivalent to that provided by Chinese laws, regulations and mandatory national standards).
The result of security assessment by the CAC is effective for two years upon issuing the result of assessment. The relevant data handlers shall apply for re-assessment 60 business days before the expiration.
During the two-year effective term, if any of the following conditions may affect the security of data to be transferred, re-assessment would be required:
- Change of processing or extension of retention period;
- Change of data security laws and cybersecurity environment where the data recipients are located;
- Change in control of the data handler or the data recipient; and
- Other circumstances.
Retrospective Effect of the Measures
As mentioned above, the Measures became effective as of September 1, 2022, and provide a six-month grace period for the relevant data handlers. However, the Measures may apply to cross-border transfers occurring before September 1, 2022, as processing is a continual activity, including storing and analyzing data. Assuming data handlers meet any Condition for mandatory security assessments and the cross-border transfer occurred before September 1, 2022, such cross-border transfer would likely be subject to the Measures if the data recipient continues to store/process the data received before September 1, 2022. If the data recipient has deleted or anonymized the data received before September 1, 2022, such processing likely would not be subject to the Measures.
In sum, in practice, many companies will be subject to a mandatory security assessment by the CAC for cross-border transfer. Given that the application is open as of September 1, 2022, it may be challenging for the CAC to complete review of all the applications within six months. The Measures do not explicitly provide whether the relevant data handlers must obtain approval or simply submit the application for security assessment within the six-month grace period (i.e., before Feb. 28, 2023). We recommend the data handlers subject to the mandatory security assessment start preparing the self-assessment based on the Guidelines as soon as possible.