Moving Data Out of China May Be Subject to Security Review

Entities who want to provide data abroad should go through an internal security review and, on some occasions, will be subject to a governmental security review, according to a draft regulation, the Measures for the Security Assessment of Cross-border Data Transfer (the “Draft Measures”), released for seeking public opinion by the Cyberspace Administration of China (“CAC”) on October 29, 2021.

The Draft Measures is the latest effort of CAC in respect of supervision over cross-border transfer of data and personal information after it issued the Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (draft for seeking public opinion) and the Measures for Security Assessment for Cross-border Transfer of Personal Information (draft for seeking public opinion) in 2017 and 2019, respectively. The Draft Measures, once formally promulgated, is likely to replace these previously issued draft rules and will set additional regulatory compliance foundation for cross-border data transfer.

CAC formulates the Draft Measures based on the Personal Information Protection Law (“PIPL”) effective on November 1, 2021, the Data Security Law (“DSL”) effective on June 1, 2021, and the Cybersecurity Law (“CSL”) effective on June 1, 2017.

1. What is cross-border data transfer

The relevant laws and the Draft Measures provide that to provide data and personal information abroad must go through security assessment and fulfil other conditions as specified in PIPL, DSL and CSL; however, they keep silent on what cross-border data transfer means.

The overwhelming view is that cross-border data transfer normally includes the following situations:

• Data processor provides personal information and data directly to recipients located overseas;

• Overseas entities, organizations and individuals have remote access to data and personal information stored within the territory of China;

• Multi-national companies transmit, from China to overseas, personal information and data they generate or collect in their operations within China;

• Data processor provides data to entities that are located within China but not subject to Chinese jurisdiction or not registered within China.

2. Internal security review – self-assessment of risk for cross-border data transfer

Data processors are required to conduct an internal risk assessment before transferring any type of data abroad.

The self-assessment focuses on the following:

(1) whether the purpose, scope and means of cross-border data transfer and data processing of overseas recipients are lawful, fair and necessary;

(2) the quantity, scope, type and sensitivity of data to be transferred abroad, and risks to national security, public interests, legitimate rights and interests of individuals and organizations;

(3) whether management and technical measures and capabilities of data processor in the data transfer can prevent leakage, damage and other risks relating to data;

(4) responsibilities and obligations that overseas recipient undertakes to perform; whether management and technical measures and capability for performing such responsibilities and obligations can ensure the security of data to be transferred abroad;

(5) risks of data leakage, damage, falsification, and abuse after data is transferred abroad and further transferred; whether individuals may easily defend their rights and interests with respect to their personal information; and

(6) whether data export contract concluded by and between data processor and overseas recipient clearly defines the responsibilities and obligations for data security protection.

It is not 100% clear if the self-assessment under the Draft Measures is the same as the personal information protection impact assessment under the PIPL. It is not clear either that if the self-assessment under the Draft Measures applies to all non-personal-information data while transferring personal information abroad should be separately subject to the personal information protection impact assessment. The PIPL requires personal information processor to complete personal information protection impact assessment before personal information is transferred abroad (impact assessment reports and relevant records should be retained for a period of at least three years). Furthermore, according to the PIPL, a personal information protection impact assessment must include: (1) an assessment of lawfulness, fairness and necessity of the processing, its purposes, means and others; (2) an assessment of the impact and security risk to the personal information subjects; and (3) an assessment of lawfulness, effectiveness and compatibility with risks of the risk-mitigation measures in place. Such slightly different assessment criterion between the self-assessment and the personal information protection impact assessment may bring confusion to processors which should be the right one when running assessment.

3. Governmental security review – CAC-led security assessment for cross-border data transfer

The Draft Measures requires data processors to go through a security assessment organized by CAC before transferring abroad important data collected and generated during their operations within the territory of China and personal information that is subject to security assessment according to the PIPL.

Specifically, data processors are required to apply for a CAC-led security assessment through provincial cyberspace administration authorities under any of the following circumstances:

(1) A critical information infrastructure operator (as defined in the CSL) transfers abroad personal information and important data that it has collected and generated.

(2) A data processor transfers important data.

(3) A personal information processor who processes over one million individuals’ personal information transfers personal information abroad.

(4) A personal information processor has accumulatively transferred personal information of more than one hundred thousand individuals or sensitive personal information of more than ten thousand individuals.

(5) Other circumstances to be specified by the CAC.

DSL declares to establish a data classification and hierarchical protection system. It has broadly classified protected data as core data of the State, important data, and other data. Important data will be defined by general and specific catalogues. The general catalogues shall be formulated under coordination of the national data security coordination mechanism, whereas the specific catalogues shall be formulated by departments and regional governments.

The quantitative threshold of transferring personal information abroad is noteworthy. Particularly, the accumulative transfer threshold would mean that any processor may fall into such mandatory security assessment if its processing reaches the quantitative threshold in the long run and such threshold is not high in a country as populous as China.

CAC will focus its assessment on potential risks to national security, public interest, and legitimate rights and interests of individuals or organizations, especially the following:

• the impact on the security of the transferred data by the data security protection policies and laws and cybersecurity environment in the country/region of the overseas recipient; whether the data protection level of the overseas recipient meets the requirements of the laws, administrative regulations and mandatory national standards of China;

• the quantity, scope, type and sensitivity of the transferred data and the risks of leakage, falsification, loss, damage, transfer or illegal acquisition or exploitation during and after cross-border transfer;

• whether data security and personal information rights can be fully and effectively protected;

• whether the data processor and overseas recipient have made clear their respective responsibilities and obligations in their data export contract in terms of data security protection;

• compliance with Chinese laws, regulations and ministry regulations; and

• other items that CAC deems relevant and necessary for such security assessment.

4. Flowchart of self-assessment of risk and CAC-led security assessment

5. Validity term of security assessment and reassessment

Security assessment result would be valid for a term of two years and data processors should apply for reassessment sixty working days before the expiration of validity term if they intend to continue the original data transfer.

In addition, reassessment is needed in the event that any of the following circumstances occurs during the validity term:

• changes to the purpose, means, scope or type of the cross-border data transfer;

• changes to use and means of processing of personal information by overseas recipient;

• extension of overseas retention period of personal information and important data;

• changes to legal environment of the country or region where overseas recipient is located;

• changes to the actual control of data processor or overseas recipient;

• changes to the data export contract that might affect the security of the transferred data;

• Other circumstances that might affect the security of transferred data.

6. Data export contract

The Draft Measures requires a data export contract between data processor and overseas recipient to clearly specify the responsibilities and obligations for data security protection which shall at least include the key terms and conditions as listed in the Draft Measures. The must-have terms and conditions required by the Draft Measures are different from those as required by the 2019 draft. The following chart lists the must-have terms and conditions under the Draft Measures and those in 2019 draft, which may provide to us insight into the development of CAC’s regulatory thinking:

Interestingly, the PIPL requires personal information processors to use standard contract clauses to be promulgated by CAC for the cross-border personal information transfer. It remains unclear whether the standard contract clauses would be applicable to cross-border transfer of personal information only while data processors may tailor their data export contracts pursuant to the above must-have clauses in the Draft Measures if they transfer non-personal-information data abroad.