
Measures on Security Assessment of Data Export

  • Hong Kong
  • Privacy, data protection and cybersecurity - ePrivacy
  • Data centers

12-07-2022

Since the Cybersecurity Law became effective in 2017, the Cyberspace Administration of China (“CAC”) has launched three rounds of solicitation of public opinions on data export security assessment mechanism, including (i) the Measures on Security Assessment for Export of Personal Information and Important Data (Draft for Comments) (《个人信息和重要数据出境安全评估办法(征求意见稿)》) in 2017, (ii) the Measures on Security Assessment for Export of Personal Information (Draft for Comments) (《个人信息出境安全评估办法(征求意见稿)》) in 2019 and (iii) the Measures on Security Assessment of Data Export (Draft for Comments) (《数据出境安全评估办法(征求意见稿)》) in 2021.

On 7 July 2022, the CAC finally promulgated the much-anticipated Measures on Security Assessment of Data Export (《数据出境安全评估办法》) (“Assessment Measures”), marking the formal implementation of the CAC-led security assessment system for data export as set out under the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law (“PIPL”) (which collectively constitute the three fundamental pieces of legislation on data security and protection in the PRC). With the promulgation of the Assessment Measures, together with the recently released Network Security Standard Practice Guidelines – Guidelines on Security Accreditation for Cross-border Processing of Personal Information (《网络安全标准实践指南—个人信息跨境处理活动安全认证规范》) (promulgated on and effective from 24 June 2022) and the Circular on Standard Contracts Regarding Export of Personal Information (Draft for Comments) (《个人信息出境标准合同规定(征求意见稿)》) (published on 30 June 2022 for public comments until 29 July 2022), there are now more detailed implementation rules and guidelines for the personal data export routes specified under Article 38 of the PIPL, and a general regulatory framework for data export as a whole (covering both important data and personal data) has been laid down.

An overview of the key highlights of the Assessment Measures is as follows:

What is “data export”?

In its response to press queries on the Assessment Measures on 7 July 2022, the CAC officially confirmed that “data export” activities include (i) the offshore transfer or storage of data collected and generated by the data processor during its onshore operations, and (ii) the onshore storage of data collected and generated by the data processor where offshore institutions, organizations or individuals are able to access or retrieve it.

Triggering events for security assessment

The data processor (a PRC legal concept akin to the “data controller” under the GDPR from a personal data perspective) must apply for a CAC security assessment, through the CAC’s local provincial branch, if any of the following circumstances occurs:

  1. where a data processor provides important data offshore (including Hong Kong, Macao and Taiwan);

  2. where (a) a critical information infrastructure operator (i.e. CIIO) or (b) a data processor processing the personal data of more than 1,000,000 individuals, provides personal data offshore;

  3. where a data processor that has provided offshore (a) the personal data of 100,000 individuals or (b) the sensitive personal data of 10,000 individuals on a cumulative basis since January 1 of the preceding year, provides personal data offshore; and

  4. other circumstances prescribed by the CAC for which application of security assessment for data export is required.

Items 2 and 3 above align with the specifications under the recently published Circular on Standard Contracts Regarding Export of Personal Information (Draft for Comments). In particular, the threshold referred to in item 3 provides a “two-year” resetting mechanism, which may reduce the applicable scope of the security assessment to some extent.

Scope of the assessment

Data processors subject to mandatory security assessment are obliged to complete a self-assessment before applying to the CAC for the formal security assessment (note that the self-assessment report is one of the application documents to be submitted to the CAC).

The scope of the prior self-assessment and that of the subsequent formal security assessment by the CAC overlap to a certain extent. However, the latter focuses more on the potential risks that the data export poses to national security, public interests, or the legitimate rights and interests of individuals or organizations, which mainly covers the following matters:

  1. the legality, legitimacy and necessity of the purpose, scope, and method of the data export;

  2. the impact(s) that (a) the data security protection policies and regulations and (b) the cybersecurity environment of the country or region where the offshore recipient is located have on the security of data to be provided offshore, and whether the data protection level of the offshore recipient meets the requirements of the laws and administrative regulations and mandatory national standards of the PRC;

  3. the size, scope, categories and sensitivity of data to be provided offshore, and the risks that the data may be tampered with, damaged, divulged, lost, transferred, illegally obtained or illegally used during and after the data is provided offshore, etc.;

  4. whether data security and the rights and interests in relation to personal data can be fully and effectively guaranteed;

  5. whether the legal documents (including the data export contract, etc.) (“Legal Documents”) intended to be concluded by and between the data processor and the offshore recipient have adequately stipulated the responsibilities and obligations of data security protection;

  6. compliance with Chinese laws, administrative regulations and departmental rules; and

  7. other matters that the CAC considers necessary to assess.

Contents of Legal Documents

The Assessment Measures also set out the minimum scope of contents which shall be covered in the Legal Documents to be executed by and between the data processor and the offshore data recipients, including:

  1. the purpose and method of data export and the scope of data, and the purpose and method of data processing by the offshore recipient, etc.;

  2. the location and duration for the offshore retention of the data, and the measures for exported data upon the expiration of the retention period, completion of the agreed purpose, or termination of the Legal Documents;

  3. a restriction on the offshore recipient retransferring the exported data to other organizations or individuals;

  4. the security measures to be adopted when there is any material change in the actual control or business scope of the offshore recipient, or when the data security protection policies and legislation and cybersecurity environment have changed or any other force majeure event has occurred in the country or region where the offshore recipient is located, which makes it difficult to ensure data security;

  5. the remedial measures, liability for breach of contract and dispute resolution mechanism in the event of breach of any data security protection obligation as stipulated in the Legal Documents; and

  6. the requirements for proper emergency disposal and the channels and methods for individuals to safeguard their rights and interests of personal data when the exported data is exposed to risks such as being tampered with, damaged, divulged, lost, transferred, or illegally acquired or illegally used, etc.

In the event that only personal data (instead of important data) is exported, we are of the view that, once finalised, the CAC standard contract on personal data export could serve as a key reference for preparing the Legal Documents.

Further, given that the security assessment is an “approval” in nature, the data processor must not export the data until it obtains clearance from the CAC. On this basis, if the data processor intends to execute the relevant Legal Documents with the offshore data recipient before applying for the security assessment, it is recommended that the Legal Documents make clear that their effectiveness is subject to successful completion of the CAC security assessment.

Assessment Procedures

The procedures of security assessment are as follows:

  1. The CAC shall, within 5 working days after receipt of application documents (including but not limited to the application letter, self-assessment report, Legal Documents), check if the submitted documents are complete. If incomplete, such application documents will be returned to the applicants.

  2. The CAC shall, within 7 working days after receipt of application documents, determine whether to accept the application and inform the applicant in writing; if the application is accepted, it shall further complete the security assessment within 45 working days upon its issuance of the written notice for acceptance of the case to the data processor (which may be extended in case of complexity).

  3. If the data processor is not satisfied with the assessment result, it may apply to the CAC for a re-assessment within 15 days upon receipt of the assessment result. The re-assessment result shall be final.

Please note that the assessment result shall be valid for 2 years. The data processor shall re-apply for security assessment within the 60 days before its expiration.

Further, during the 2-year validity period, if any of the following circumstances occurs, the data processor is required to re-apply for the security assessment:

  1. there is any change of the purpose, method, scope or category of the exported data, or the purpose or method of data processing by the offshore recipient, which will affect the security of the exported data; or there is an extension of the offshore retention period of personal data or important data;

  2. there is any change of the data security protection policies and legislation and cybersecurity environment, or the occurrence of any other force majeure event, in the country or region where the offshore recipient is located; or there is any change of the actual control of the data processor or offshore recipient, or any change to the Legal Documents executed between the data processor and the offshore data recipient, which will affect the security of the exported data; or

  3. other circumstances that may affect the security of the exported data.

Grace Period

The Assessment Measures will come into effect on 1 September 2022. For data processors which have carried out data export prior to the effective date without complying with the requirements under the Assessment Measures, a 6-month grace period will be granted for rectification, meaning the relevant non-compliant data processors will have to complete the security assessment before 1 March 2023.

Summary

With the establishment of a progressively clearer legal framework on data export, Chinese business operators are now in a better position to determine their data export routes. In particular, those who are potentially subject to mandatory security assessment should commence the relevant preparation work as soon as possible, including but not limited to carrying out the self-assessment, drafting or revising the data export contract, conducting a preliminary assessment of the legal environment of the country/region where the offshore data recipient is located to ensure there is no material legal issue with the data export, and continuously monitoring the latest legislative developments.

The Assessment Measures can be found here (in Chinese).

For more detailed advice about what the Assessment Measures could possibly mean for you, please contact us.