From 1 September 2022, all transfers of “important data” and all transfers of personal data exceeding the thresholds set out in the Security Assessment Measures are subject to official review. Our previous briefing on China’s international data transfer regulations (available here) reviews the Security Assessment Measures in detail. To briefly summarize, all international transfers of important data are subject to review and international transfers of personal data are subject to review in the following circumstances:
- The data exporter is an operator of critical information infrastructure or processes the personal data of more than one million data subjects; or
- The data exporter has, since 1 January of the preceding year, cumulatively transferred: (i) the personal information of more than one hundred thousand individuals; or (ii) the sensitive personal information of more than ten thousand individuals.
The Security Assessment Application Guideline provides greater detail as to what the CAC is expecting from organizations subject to security assessments of international transfers of important data and personal data, in particular the application materials required. We have set out below key questions and answers for organizations seeking to navigate these new requirements.
What is an international data transfer?
In line with the Security Assessment Measures, the Security Assessment Application Guideline defines international data transfers in broad terms to include:
- where a mainland China entity transmits and stores data collected and generated in the course of domestic operations at an overseas location;
- where data collected and generated by a mainland China entity is stored within the territory of China may be accessed, retrieved and downloaded by overseas institutions, organizations or individuals; and
- other circumstances specified by the CAC.
The key point to note is that remote access to personal data in China is considered to be an international transfer for the purposes of security assessments.
To which agency should the application be made?
Applications for security assessment should be made to the CAC through the local CAC in the province where the data exporter is located.
Can applications cover both important data and personal data?
The Security Assessment Measures cover both international transfers of personal data (which is defined broadly in line with international standards) and transfers of “important data”. Important data has not been defined in detail under Chinese law except in the case of some specific industries, such as the automobile industry. However, in general terms important data is understood to be data that, if leaked, could directly affect national security, economic security, social stability or public health and safety, such as unpublished government information, large scale population data, generic health data, geographic data or data relating to mineral resources. Applications for assessments in respect of both types of data can be submitted together.
How should groups of companies approach the application?
The Security Assessment Application Guideline requires that application forms be executed by a single legal entity. It therefore appears to be a requirement to specify one legal entity from a group companies as the applicant. It is important to note that “entity by entity” basis of calculating the personal data volume could be a helpful approach to assessing thresholds triggering the need for a security assessment under the Security Assessment Measures. However, considering the group companies may use the same IT system without segregating their data, this approach may not be in line with official views.
We note that some local CACs have stated a preference for group companies to designate one company to file the application on behalf of the group.
What information about the data exporter must be submitted?
The security assessment application form requires the data exporter to submit the following information:
- basic information about the data exporter (e.g., name, registration address, registered capital, employee numbers, business description and unified social credit code),
- information about the applicant’s legal representative,
- information about the applicant’s data security officer and management organization (e.g. name, title, personal identity document), and
- information of the application handler (i.e., the employee authorized by the data exporter to handle the application on behalf of the data exporter).
In addition to the above details, applicants are required to provide details of their equity structure, controllers, organizational structure, overall business and the circumstances of the data processing.
What information about the offshore recipient must be submitted?
The security assessment application form requires the following information about the offshore recipient of the data to be submitted:
- basic information about the offshore recipients (e.g. name, country or region, address, registered number, registered capital, number of employees and business scope),
- information about the offshore recipient’s responsible person (e.g. name, title and personal identity document), and
- information of the offshore recipient’s data security officer and management organization (e.g. name, title, personal identity document).
The self-assessment report should further elaborate on the offshore recipients’ purposes and methods of data processing, data security capabilities, data protection policies and network security environment of the country or region where the offshore recipients are located.
What does the self-assessment report require?
The most substantial component of a security assessment application is the self-assessment report. The Security Assessment Application Guideline includes a template for the self-assessment report, which is structured as follows.
Brief Description of the Self-Assessment
Applicants are expected to include details of how and when the self-assessment was conducted, noting that the Security Assessment Application Guideline requires that it be conducted within the three months immediately prior to the application.
Overall Situation of the International Transfer
This section must include basic information about the data exporter, the business and information system involved in the data export, details of the data to be exported, the data exporter's data security capacity, information about the offshore recipient, and the responsibilities and obligations of data security protection stipulated in legal documents, in particular details of the agreement between the data exporter and the offshore recipient.
The section describing the data transfer itself is fairly detailed, meaning that a data inventory exercise is likely required in order to be in a position to complete it. Applicants are required to describe the legality, appropriateness and necessity of the transfer and make an assessment of the sensitivity of the data being transferred.
The consideration of data security capabilities of the data exporters is holistic, including data security management capacity, data security technology capacity, certification, and supporting materials regarding data security and compliance with data and cybersecurity laws.
The level of detail expected in respect of the means of transfer to the data recipient is also considerable, with applicants required to specify whether the data will be transmitted over the public Internet or through private lines, the identity of service providers providing the link, the quality of the link and its bandwidth, the specific identity of domestic and overseas data centers and the physical location and IP addresses of computer rooms involved in the cross-border data transfer. Many applicants will no doubt be concerned about the nature and extent of the information required to be submitted, noting that information security policies and details of security environments can in themselves be sensitive information, the disclosure of which would amount to a cyber security incident in itself. The requirement that information be submitted in respect of the “cybersecurity environment in the country or region where the overseas recipient is located” may also pose practical challenges for applicants in the context of cloud-based storage in rapidly evolving regulatory environments.
Applicants are also required to refer to relevant sections of the legal agreements put in place with the overseas recipient.
Risk Assessment of the International Transfer
Applicants are required to set out an item-by-item risk assessment tracking the requirements of Article 5 of the Security Assessment Measures.1 We expect applicants to have concerns as to how detailed the risk assessment will need to be and how high the bar will be for establishing the sufficiency of risk mitigants. For example, will the “necessity” of transfers will be judged against a standard of business efficiency, or a higher, more literal standard? Will the reference to “guarantees” of security be judged literally or against a more practical measure, such as relevant industry standards and practices that represent reasonable mitigants in the context of the sensitivity of the data.
Self-assessment Conclusions
Applicants are required to complete the self-assessment with an objective conclusion, specifying the supporting reasons in detail.
The self-assessment report should be completed within three months before the application. If the applicant has engaged a third-party agency in the preparation of the self-assessment, details of the third party and their involvement should be indicated, with the seal of the third-party agency affixed thereon. The applicant is required to execute and submit a power of attorney authorizing its representative to conduct the application on its behalf and submit a letter of undertaking certifying the contents of the application.
What is the application format and procedure?
A copy of the data transfer agreement or other legally binding documents between the data exporters and the offshore recipients should be submitted with the official seal affixed. Clauses related to data exportation should be highlighted, and the page numbers of the concerned clauses should be filled in the Security Assessment Application Form on an item-by-item basis in accordance with Article 9 of the Security Assessment Measures.2 If these documents are prepared in a language other than Chinese, a Chinese translation must be provided.
The local CAC is required to check the completeness of the application documents within five working days of receipt. Complete applications will be passed to the CAC, with the CAC issuing an acceptance notice within seven working days and issuing its decision within forty-five working days from the date of the acceptance notice. Where applications are complex, the CAC may notify the applicant of an extended period of assessment. Applicants are entitled to apply for re-assessment within fifteen working days of an adverse notice of assessment result, with the results of the re-assessment being final.
Conclusions
The clock is now ticking on security assessments of data leaving China. Businesses have six months from 1 September 2022 to complete their applications and make any necessary remediation.
We understand that the intention of the security assessment requirements is not to disrupt multi-national businesses whose operations are reliant on regional and global operating platforms, but the proof will be in how the Security Assessment Application Guideline is applied and how specific applications fare in practice.
1/ Pursuant to Article 5 of the Security Assessment Measures, self-assessments should cover the following: (1) the legality, legitimacy and necessity of the purpose, scope and methods of the exportation, and the processing of the data by the offshore recipient; (2) the scale, scope, type and sensitivity of the data being exported, and any corresponding risks to national security, the public interest or to the legitimate rights and interests of individuals or organizations; (3) the duties and obligations which the offshore recipient commits to perform, and whether the offshore recipient’s organizational and technical measures and capabilities can guarantee the security of the transfer; (4) the risk of the data being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the exportation, and whether there is an effective channel for safeguarding personal information rights and interests; (5) whether the responsibilities and obligations for data security protection are agreed in relevant contracts for the exportation, or other legally binding documents; and (6) other matters that may affect the security of the transfer.
2/ According to Article 9 of the Security Assessment Measures, the legal documents between the data exporters and the offshore data recipients should cover: (1) the purpose, method and scope of the data to be transferred abroad, and the purpose and method for processing the data by the offshore recipient; (2) the location and duration for the storage of the exported data, as well as how to process the exported data upon the expiry of the storage period, achievement of the agreed purpose, or termination of the legal documents; (3) restrictions on the offshore recipient’s re-transfer of the exported data to another organization or individual; (4) security measures which should be taken in case of a material change to the actual control or business scope of the offshore recipient, or in case of a change to the data security protection policies or regulations, or network security environment of the country or region where the offshore recipient is located, or in case that the data security cannot be guaranteed as a result of any other force majeure event; (5) remedial measures, liability for breach of contract and dispute resolution mechanism in the event of a violation of data security protection obligations as agreed in the legal documents; and (6) requirements on properly responding to a data security incident, as well as channels and method to safeguard individuals’ personal information rights, when the exported data is tampered with, destroyed, leaked, lost, transferred, illegally obtained or illegally used.
Authored by Mark Parsons, Sherry Gong, and Tong Zhu.
