Export security assessments

According to Article 40 of the PIPL, a critical information infrastructure ('CII') operator or a personal information processor which processes personal information, up to a threshold amount specified by the Cyberspace Administrative of China ('CAC'), must store, within China, all the personal information that it collects and generates within China, and pass the security assessment organised by the CAC ('Governmental Assessment'), if it wants to export any such personal information outside of China.

Following the PIPL, the CAC released the draft Measures of Security Assessment for Data Export ('Draft Measures') for public consultation on 29 October 2021. Under the Draft Measures, any personal information processor must conduct a self-assessment before it can export any personal information outside of China. For a CII operator or a non-CII personal information processor who meets any of the following thresholds, it must also go through a Government Assessment before it can export any personal information outside of China:

• it processes personal information of 1,000,000 individuals or more;
• it, in aggregate, exports personal information of over 100,000 individuals; or
• it, in aggregate, exports sensitive personal information of over 10,000 individuals.

Key factors that must be considered in both a self-assessment and a Governmental Assessment include:

• the legality, legitimacy, and necessity of the export and the purpose, scope, and means of the foreign recipient's processing;
• the amount, scope, type, and sensitivity of the personal information to be exported and any risks of the export to national security, the public interests, and the legal interests of individuals or organisations;
• whether the personal information processor's management, technical measures, and data protection capabilities can prevent data leakage or data loss;
• whether the undertakings of the foreign recipient, as well as its corresponding management, technical measures, and data protection capabilities can ensure the security of the data exported;
• the risks of any leak, loss, unauthorised alteration, or abuse of data involved in the export and subsequent transfers, and the effectiveness of the channels for individuals to exercise their rights; and
• whether the export contract entered into with the foreign recipient has adequately provided for the protection obligations.

In a Governmental Assessment, two additional key factors will be considered by the CAC. One is the impact of the data security protection laws and policies, as well as the cybersecurity environment of the country of the foreign recipient's domicile on data transfer security. The other is whether the level of data protection of the foreign recipient meets the requirements of the laws, regulations, and national standards of China. However, there is no indication that the CAC will publish a whitelist of countries that will be considered as having an adequate data protection level. Instead, it appears that the CAC may determine the data protection level on a case-by-case basis.

In addition, both the Governmental Assessment and the self-assessment have put a great emphasis on the data export contract between the personal information processor and the foreign recipient. In addition to the general data protection responsibility and liability allocation between the parties, the contract must include provisions restricting the overseas recipient from transferring the data to other organisations individuals. It must also include security measures to be taken upon the material change of the actual control or business scope of the foreign recipient or changes to the legal environment of the country of the foreign recipient's domicile which renders it difficult to ensure data security.

A Governmental Assessment, by statute, will take between 45 to 60 working days. Considering the large volume of applications that the CAC may receive after the final version of the Draft Measures is published, the Governmental Assessment may take even longer in practice. Meanwhile, to expedite the process, it is recommended to initiate the self-assessment in advance and remediate existing problems that may prevent an intended export from passing the required Governmental Assessment.

Personal information protection impact assessments

Article 55 of the PIPL requires a personal information processor to conduct a personal information protection impact assessment ('PIPIA') before it engages in any of the following processing activities:

• processing any sensitive personal information;
• using personal information to conduct any automatic decision making;
• entrusting another party to process person information on its behalf, providing personal information to another processor, or disclosing personal information to the public;
• exporting personal information outside of China; or
• engaging in any other processing activities that may have significant impact on the interests of personal subjects.

Article 56 of the PIPL sets out the factors that must be assessed in a PIPIA, including whether the purpose and method of processing is legal, legitimate, and necessary, the security risks involved, the impact on personal interests, and whether the measures taken are legal, effective, and suitable to the degree of risks involved.

The national standard, GB/T 39335-2020 Information Security Technology – Guidance for Personal Information Security Impact Assessment, which predates the PIPL, sets out the recommended approach to conduct a personal information security impact assessment that was contemplated in the pre-PIPL, non-mandatory data protection regime. Whilst it is unclear whether new guidelines will be published for conducting a PIPIA, data processors may consider using this guidance to conduct PIPIAs.

Other assessments

The CAC released the draft Administrative Provisions on Network Data Security ('Draft Provisions') for public consultation on 14 November 2021. The Draft Provisions governs both personal information and important data. Under the Draft Provisions, if a personal information processor processes the personal information of over 1 million individuals, it must follow all the requirements applicable to an important data processor, including conducting assessments required for processing important data.

According to Article 32 of the Draft Provisions, if a personal information processor processes more than 1 million individuals' personal information, or if it plans for an IPO in a foreign country, it must conduct a data security assessment ('Annual Security Assessment'), either by itself or by engaging a data security service institution, once a year, and submit the assessment report to the local CAC by 31 January each year. Compared with the other assessments, the Annual Security Assessment takes a retroactive view over the processing activities which occurred in the previous year.

The following aspects must be addressed in an Annual Security Assessment report:

• information regarding how personal information was processed;
• identified data security risks and responsive measures taken;
• information regarding how data security management systems were implemented, and how effective the data backup, encryption, access control, and other security protection measures were;
• compliance status with the national data security laws, regulations, and standards;
• Information regarding data security incidents which occurred, and information regarding how the incidents were handled;
• the security assessment results of any sharing, trading, entrusted processing, and exporting of personal information;
• received complaints relating to data security and information regarding how the complaints were handled; and
• other data security related information requested by the CAC and other authorities.

In addition, the Draft Provisions set out a few other context-specific assessments. For example:

• According to Article 17 of the Draft Provisions, when a personal information processor accesses or collects personal information by using automatic tools, it shall assess the impact of the processing on the performance and function of network services and shall not interrupt the normal functions of network services.
• According to Article 25 of the Draft Provisions, when a personal information processor uses biometric characteristics to conduct identity authentication, it shall assess the necessity and security of the processing, and shall not make biometric authentication the only personal identity authentication method, which would force individuals to consent to the collection of their biometric characteristics.
• According to Article 43 of the Draft Provisions, before the operator of a large internet platform, with greater than 100 million daily active users, formulates a privacy policy or make amendments to the existing privacy policy that may have significant impact on users' interests, it must pass the assessment of a third-party institution appointed by the CAC, and submit the assessment result to the CAC and the telecom regulatory authority at the provincial level.
• According to Article 54 of the Draft Provisions, before an internet platform operator uses artificial intelligence, virtual reality, deep composition, and other new technologies to conduct any personal information processing, it must conduct security assessments in accordance with the applicable laws and regulations.

Currently, there is no further detail provided, either under the Draft Provisions or under other regulations or standards, regarding how these context-specific assessments shall be conducted or whether they shall be conducted in parallel or as alternatives to any PIPIAs.

James Gong Partner
[email protected]
Bird & Bird, Beijing