China: New measures for security assessments of data exports
The Cyberspace Administration of China ('CAC') has adopted the Measures for Security Assessment of Data Exports ('the Measures'), which makes the data transfer mechanism under Article 38(1) of the Personal Information Protection Law ('PIPL') an effective mechanism for critical information infrastructure operators ('CIIOs') and organisations that meet the threshold of the CAC. As required by the Measures, such CIIOs and organisations have six months to comply with its requirements and assess their data transfer practices in relation to the Measures, which creates urgent work for the privacy teams in such organisations. Dehao Zhang, Counsel at Fieldfisher China, discusses the Measures and their requirements.
It should be noted that the Measures restrict data transfers for the purposes of national security, public interest, social stability, economic operations, and personal information protection. Thus, the Measures restrict not only personal information transfers but also important data transfers, which is consistent with Articles 38 and 40 of the PIPL.
Scope of application
Article 2 of the Measures clearly indicates that the Measures apply to personal information and important data (which has been stored in China) transferred outside of China. What is a data transfer? The CAC has answered this question, outlining that a data transfer includes two activities:
- the data is collected and created in China and the required data processor transfers or retains such data outside of China; and/or
- the data is stored in China and the organisations or individuals can access or use such data from other countries or regions based outside of China.
Who is classified as a data processor?
Article 4 of the Measures states that the following are subject to the security assessment:
- data processors who transfer important data outside of China;
- CIIOs and the personal information processor who processes more than 1 million data subjects' personal information; and
- the personal information processor who has transferred the personal information of 100,000 people cumulatively or the sensitive personal information of 10,000 people cumulatively since 1 January of the previous year.
What is 'important data'?
According to Article 19 of the Measures, important data refers to data that may endanger national security, economic operations, social stability, or public health and safety once it is tampered with, damaged, leaked, or illegally obtained or used. However, while the Measures define important data, they do not provide more detailed information about such data, which may cause difficulties for the organisations when identifying important data and managing their important data inventory.
Indeed, the concept of important data has been unclear from the time the term was created. While the data authorities and national standards have tried to clear up some of the confusion, the term is still not very clear or practical for organisations.
Article 73(3) of the Regulations on Network Data Security Management (Draft for Comment) also provides a definition of important data, stating that important data means data that may endanger national security or the public interest once it is tampered with, damaged, leaked, or illegally obtained or used, including the following data:
- government affairs-related data that has not been disclosed, official work-related secrets, intelligence data, and law enforcement or judicial data;
- export control data, data related to the core technology, design, or production process, or any such information involved in an export control item, as well as data on any scientific and technological advances in encryption, biology, electronic information, artificial intelligence, or any other field that has a direct impact on national security or economic competitiveness;
- data on national economic performance, business data relating to an important industry, statistical data, and other data that is expressly required to be protected and controlled from dissemination by any national law, administrative regulations, or departmental rules;
- data on the production or operation safety in the industrial, telecommunications, energy, transportation, water resources, finance, national defence technology industry, customs, tax, or any other key sector or field, or data on any critical system component or the supply chain of any critical equipment;
- national basic data on the population and health or natural resources and environment, such as genetic, geographical, mineral, and meteorological data that reach the threshold amount or degree of precision prescribed by the relevant state authority;
- data on the development or operation of national infrastructure or critical information infrastructure or its security data, data on the geographic location or security condition or other data of a national defence facility, military administration zone, national defence research or production unit, or any other important sensitive area; and
- other data that may impact the nation's security such as political, territorial, military, economic, cultural, social, scientific and technological, ecological, resource, nuclear, overseas interest, biological, space, polar, or maritime security.
In addition to this, the Information Security Technology - Guideline for Identification of Critical Data (Draft for Comments) helps identify important data and sets out the factors to consider when identifying it.
Is the required 'self-assessment' the same as a PIPIA?
Article 55 of the PIPL establishes the requirement to conduct a Personal Information Protection Impact Assessment ('PIPIA') in certain scenarios, such as when data is transferred outside of China. Meanwhile, Article 5 of the Measures provides for a self-assessment requirement for the relevant data processors. The content of the self-assessment shall address:
- the legality, legitimacy, and necessity of the outbound data transfer and the data processing by the overseas recipient in terms of the purpose, scope, method, etc.;
- the quantity, scope, type, and sensitivity of the outbound data, and the risks that may be brought about by the outbound data transfer to national security, public interests, or the lawful rights and interests of individuals or organisations;
- whether the responsibilities and obligations undertaken by the overseas recipient and the management and technical measures and capabilities of the overseas recipient to perform such responsibilities and obligations can ensure the security of the outbound data;
- the risk of the outbound data being tampered with, damaged, leaked, lost, relocated, illegally acquired, or used during and after the outbound data transfer, whether the channels for individuals to safeguard their personal information rights and interests are unobstructed, etc.;
- whether data security protection responsibilities and obligations are sufficiently stipulated in the contract or other legal documents with legal force to be executed with the overseas recipient in relation to the outbound data transfer; and
- other matters that may affect the security of the outbound data transfer.
In practice, when transferring personal information outside of China, the self-assessment can be the same as a PIPIA under the PIPL, since they mostly overlap. However, they differ when it comes to transferring important data outside of China, since the PIPIA obligation is not applicable to important data under the Data Security Law ('DSL').
How to apply for a formal security assessment?
When applying for the security assessment of a cross-border data transfer, the following materials shall be submitted:
- an application form;
- the self-assessment report on the data transfer;
- the legal documents (e.g. contracts) to be executed between the data processor and the overseas recipient; and
- other materials as required for the security assessment.
Required organisations shall submit their application materials to their provincial CAC, which will then carry out a completeness check within five working days from the receipt of such application. These materials will then be forwarded to the CAC, which within seven working days shall determine whether to accept the application. If the application is accepted, the CAC shall complete the security assessment within 45 working days from the date of written notification of acceptance to the data processor.
The result of the security assessment shall be notified to the data processor in writing. If the data processor has any objection to the assessment result, the data processor may apply for a reassessment within 15 working days of the date of receipt of the assessment result to the CAC, and the result of the reassessment shall be final.
When to reapply for a security assessment?
According to Article 14 of the Measures, the result of the security assessment of an outbound data transfer shall be valid for two years, commencing on the date of the issuance of the assessment result. If the data processor needs to continue the outbound data transfer activity after the expiration of the validity period, the data processor shall reapply for the assessment within 60 working days of the date of expiration of the validity period.
In addition to this, Article 14 also indicates the following scenarios that allow organisations to reapply for a security assessment:
- there is any change to the purpose, method, or scope of the outbound data transfer or the type of data, or change to the purpose or method of the data processing by the overseas recipient, which will affect the security of the outbound data, or the period for retaining personal information or important data overseas is to be extended; in this case, it may be understood as constituting a new data transfer which may require a new assessment;
- there is any change in the data security protection policies and legislation and cybersecurity environment or any other force majeure event that has occurred in the country or region where the overseas recipient is located, any change in the actual control of the data processor or overseas recipient, or any change to the legal documents executed between the data processor and the data recipient, which will affect the security of the outbound data; or
- other circumstances that may affect the security of the outbound data.
What are the liabilities of organisations who do not comply with the requirements?
If the required organisations transfer data outside of China without applying for this required security assessment, or provide false material, Article 45 of the DSL and Article 66 of the PIPL will apply to the non-compliant behaviour. In addition to the regulatory sanctions and fines, from a practical perspective, it will also affect the global data flow/structure of the organisations, which may further affect the organisation's business in other countries or regions.
In addition to these, based on the Measures, the data authorities will also monitor the actual data transfer rather than merely checking the application, and they have the power to order the organisations to correct, suspend, and even terminate the data transfer if the transfer differs from the description in the application materials.
Dehao Zhang Counsel
Fieldfisher China, Beijing