2021.11.02 DONG, Xiao (Marissa), GUO, Chao
On October 29, 2021, the Measures on Security Assessments of Data Exports (Draft for Comments) (“Draft Assessment Measures”) were released by the Cyberspace Administration of China (CAC) and made available for public comment until November 28, 2021.
The Draft Assessment Measures set out the requirements for the "security assessment", an assessment that must be applied for with the regulators, and the "risk self-assessment", an internal assessment carried out by data processors themselves. The Draft Assessment Measures apply to both critical information infrastructure operators and general processors that process personal information and important data.
The highlights of the Draft Assessment Measures are as follows.
In accordance with the Draft Assessment Measures, a data processor shall apply for a security assessment on a data export in one of the following scenarios: (1) where any personal information or important data collected and generated by a critical information infrastructure operator is transferred abroad; (2) where the data transferred abroad contains important data; (3) where a processor who processes the personal information of one million or more individuals transfers such personal information abroad; (4) where the personal information of one hundred thousand or more individuals or the sensitive personal information of ten thousand or more individuals is transferred abroad; and (5) in any other circumstances under which a security assessment on a data export is required to be conducted, as required by the national cyberspace administration. Items (3) and (4) are the first criteria to explicitly address the security assessment of personal information exports after the release of the Personal Information Protection Law (“PIPL”).
The result of a security assessment of a data export remains valid for two years. If there is any significant change during the validity period (such as a change in the purpose of, or manner in which, the data is processed by the overseas recipient), the data processor shall apply for a new security assessment on such a data export.
The Draft Assessment Measures emphasize seven different areas for a security assessment of a data export as follows:
(1) Lawfulness, Justification and Necessity. The lawfulness, justification and necessity of the purpose, scope and manner for or in which such data is transferred abroad.
(2) Data Protection Level of the Overseas Recipient. The impact of the data security protection policies and regulations and the network security environment of the country or region where the overseas recipient is located on the security of data transferred abroad; and whether the data protection level of the overseas recipient meets the requirements of the laws, administrative regulations and mandatory national standards of the People’s Republic of China (PRC).
(3) General Risk. The quantity, scope, type and sensitivity of the data transferred abroad; and the risk of leakage, falsification, loss, destruction, transfer or illegal acquisition or use of such data during and after the data export process.
(4) Protection of Data Security and Personal Information Rights. Whether the data security and personal information rights can be fully and effectively protected.
(5) Contracts Related to Data Export. Whether the contract between a data processor and the overseas recipient contains adequate provisions on the data security protection obligations.
(6) Compliance with Laws. Compliance with the laws, administrative regulations and departmental rules of the PRC.
(7) Other Matters. Other matters that are necessary to be assessed as determined by the national cyberspace administration.
A data processor shall apply for a security assessment on a data export with the national cyberspace administration via the provincial-level cyberspace administration at its location. Upon accepting an application, the national cyberspace administration shall lead the security assessment efforts in conjunction with the industrial administrations, relevant departments of the State Council, provincial-level cyberspace administrations and professional agencies.
To apply for a security assessment on a data export, a data processor shall submit the application form, the risk self-assessment report on the data export, the contract or other legally binding document to be entered into by the data processor and the overseas recipient, and any other documents and materials required for the security assessment.
The national cyberspace administration shall complete the security assessment on a data export within forty-five (45) business days after issuing the notice of accepting the application in writing. In the case of complicated circumstances or requests for supplementary submissions, the period of assessment may be extended appropriately, but for no more than sixty (60) business days. Data processors shall be informed of the results of a security assessment in writing.
Regardless of whether a data transfer by a data processor triggers a security assessment, the data processor is required to conduct a risk self-assessment on its data export before transferring any data outside of the PRC. The self-assessment focuses on factors largely similar to those required under a security assessment, including (1) the lawfulness, justification and necessity of the purpose, scope and manner in which such data is transferred abroad and processed by the overseas recipient; (2) the general risks that may arise from a data export; (3) the risks associated with the transfer of data; (4) the duties and obligations of the overseas recipient; (5) the risks to the data after it has been transferred abroad; and (6) whether the contract with the overseas recipient in relation to the data export contains adequate provisions on the data security protection obligations.
The Draft Assessment Measures require that the contract entered into between the data processor and the overseas recipient shall contain adequate provisions on the data security protection obligations, and they explicitly set out the necessary particulars of such a contract. It is not clear whether the “standard contract formulated by the national cyberspace administration” referred to under Article 38 of the PIPL corresponds to the provisions on contract content under the relevant article of the Draft Assessment Measures.
With the enactment of the PIPL, the provisions of PIPL concerning data exports will become a focus for corporate compliance. The Draft Assessment Measures further specify the statutory requirements for companies to ensure compliance regarding data exports. It is advisable that companies further consider developing compliance programs and take into account the requirements of the Draft Assessment Measures.