On July 7, 2022, the Cyberspace Administration of China (“CAC”) issued the Measures on Security Assessment of Cross-Border Data Transfer (the “Security Assessment Measures”), which set out the security assessment framework for cross-border data transfers. The Security Assessment Measures will become effective on September 1, 2022. In conjunction with the issuance of the Security Assessment Measures, CAC issued an interpretation guideline on the same day (the “Interpretation Guideline”).
The Security Assessment Measures lay out the ground rules for the security assessment filing for cross-border data transfers that is stipulated in the Cybersecurity Law (“CSL”) and the Personal Information Protection Law (“PIPL”).
1. Security Assessment Is Required for Certain Cross-Border Data Transfers
Under the CSL, a critical information infrastructure operator (“CIIO”) that needs to transfer important data outside of China must first undergo a security assessment. The Data Security Law, together with the Security Assessment Measures, extends this security assessment requirement for cross-border transfers of important data to all data processors (“Data Processors”).
Under the PIPL, in order to transfer personal information (“PI”) outside China, PI processors (“PI Processors”) must satisfy at least one of the following conditions: (i) pass a security assessment, (ii) obtain a PI protection certification (“PIPC”) from a qualified institution, (iii) enter into a contract with the overseas recipient based on a standard contract prescribed by CAC, or (iv) fulfill conditions stipulated in other laws or regulations. Additionally, the PIPL requires that CIIOs, and PI Processors that process PI in volumes exceeding the threshold prescribed by CAC, undergo a security assessment before effecting any cross-border data transfer. That threshold is now prescribed in the Security Assessment Measures, as discussed below.
When a Security Assessment Is Required
A security assessment will be triggered if the cross-border data transfer falls into any of the following scenarios:
- transfer of “important data” by Data Processors (“important data” is defined as any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, or public health and safety);
- transfer of PI by CIIOs and Data Processors that process PI of more than one million individuals;
- transfer of PI by Data Processors that have transferred either PI of over 100,000 individuals or “sensitive” PI of over 10,000 individuals abroad since January 1 of the preceding year; and
- other situations as determined by CAC.
According to the Interpretation Guideline, cross-border data transfer includes (i) an outbound transfer of data collected and generated during a company’s operation in mainland China and (ii) a remote access or use of data stored within mainland China by overseas institutions, organizations and individuals.
Self-Risk Assessment Required in Advance
Before applying to CAC for a security assessment, a Data Processor must first carry out a self-assessment of the risks of the transfer, covering a number of the same factors that CAC will consider in its own assessment. The findings of the self-assessment must be submitted to CAC together with the security assessment filing. Upon receipt of the filing, CAC will notify the Data Processor whether it accepts the filing (if the transfer falls within the scope of security assessment) or rejects it (if the transfer does not). If the filing is accepted, CAC has 45 working days to complete the assessment in coordination with other relevant regulatory authorities. CAC may extend that period where the filing is complex or additional supporting documents are required.
Review of Security Assessment Filing
During the course of a security assessment, CAC will primarily focus on the risks to national security, public interests and the legitimate rights and interests of individuals or organizations that the cross-border data transfer may cause. The factors that come into play include:
- the legality, justification and necessity of the purpose, scope and method of the cross-border data transfer;
- the data security protection policies and regulations of the country or region where the overseas recipient is located, the impact of the network security environment on the security of the exported data, and whether the level of data protection of the overseas recipient meets PRC laws, administrative regulations, and national standards;
- the scale, scope, type, sensitivity of the exported data and the risk of the exported data being tampered with, destroyed, leaked, lost, onward transferred or illegally obtained or used during and after the cross-border data transfer;
- whether data security and PI rights are fully and effectively guaranteed;
- whether the contract executed with the overseas recipient has fully addressed the responsibilities and obligations in terms of data protection; and
- compliance with PRC laws, administrative regulations and departmental rules, etc.
If CAC does not approve the security assessment filing, the relevant cross-border data transfer is not permitted. Once CAC approves the filing, the approval remains valid for two years and may be renewed by applying within 60 working days before the expiration date. During the two-year period, the Data Processor must re-submit an application for security assessment if any circumstance arises that may affect the security of the exported data, such as a change in the purpose, method, scope or type of the exported data, or a change in the purpose or method of the overseas recipient’s processing of that data.
Notwithstanding any approval of a security assessment filing, CAC has the power to order a Data Processor to terminate a cross-border data transfer if CAC determines that the transfer no longer meets data export security management requirements. In that case, the Data Processor must re-submit an application for security assessment after taking the necessary rectification measures.
Notably, the Security Assessment Measures apply retroactively to cross-border data transfers of relevant data conducted before their effective date. A Data Processor that has not completed a security assessment for any such transfer must rectify the omission within six months after the effective date of the Security Assessment Measures.
2. PIPC May Not Be a Feasible Route for Cross-Border Transfer yet
On June 24, 2022, the National Information Security Standardization Technical Committee issued the Guidance on Network Security Standardized Practice – Specification for Certification of Personal Information Cross-Border Processing (the “Certification Specification”). The Certification Specification has no binding legal effect and serves only as a practice guideline. It provides that PI Processors may apply for a PIPC from qualified institutions recognized by CAC, and may then rely on the PIPC to effect (i) intragroup cross-border transfers within a multinational company or a single economic/business entity; and (ii) data processing activities conducted outside of China that involve PI of individuals located in China and are subject to the extraterritorial jurisdiction of the PIPL.
Qualified institutions will primarily focus on whether the cross-border data transfer is legitimate, justifiable, and necessary and the security protection measures taken are legitimate, effective, and appropriate to the degree of risk when determining the grant of PIPC to PI Processors. In addition, qualified institutions will also take into account a number of factors in the application for PIPC, including:
- whether the cross-border data transfer complies with laws and administrative regulations;
- the impact on the rights and interests of PI subjects, especially the impact of the legal environment and network security environment of foreign countries and regions; and
- other matters necessary to safeguard the rights and interests in relation to PI.
However, the list of qualified institutions has not been released to date, and therefore, as of the date of this article, it is not yet possible for companies to rely on PIPC to legitimize their cross-border data transfers.
3. Standard Contract May Be a Safe Harbor for Cross-Border Data Transfers of Personal Information
On June 30, 2022, CAC issued the draft Regulations on the Standard Contract for Cross-Border Transfer of Personal Information (the “Draft Provisions”) for public consultation, which introduced a draft standard contract for the cross-border transfer of PI outside of China (the “Draft PRC SC”). Like the Standard Contractual Clauses for the Transfer of Personal Data to Third Countries under Regulation (EU) 2016/679 (the “GDPR”) issued by the European Commission on June 4, 2021 (the “EU SCCs”), the Draft PRC SC provides clarity on the terms and conditions to be agreed between a PI Processor as data exporter and an overseas recipient as data importer with respect to cross-border transfers of PI to third countries. When finalized, the Draft PRC SC can be used to comply with the PIPL requirements for cross-border transfers of PI out of China that do not need to undergo a security assessment.
As the terminology used in the Draft PRC SC and the EU SCCs is markedly different, the table below maps the terms used frequently in this article.

| PIPL or Draft PRC SC | GDPR or EU SCCs |
| --- | --- |
| PI Processor (data exporter) | data controller (or data exporter) |
| overseas recipient (data importer) | data importer (could be either a data controller or a data processor) |
| PI Protection Impact Assessment (“PIPIA”) | data protection impact assessment (“DPIA”) |
The Draft PRC SC and EU SCCs are structured differently, with the former designed to address different types of cross-border data transfer scenarios in one standard contract and the latter having different sets of standard contractual clauses catering to different cross-border data transfer scenarios: (i) controller to controller; (ii) controller to processor; (iii) processor to controller; and (iv) processor to processor. A comparison table of the Draft PRC SC and EU SCCs is set out below to illustrate the respective pertinent features.
| | Draft PRC SC | EU SCCs |
| --- | --- | --- |
| Scope of Application | A PI Processor may enter into the standard contract to effect a cross-border data transfer (the “Standard Contract”) only if the transfer does not fall within any of the scenarios that trigger a security assessment (see Section 1 above). | No similar prerequisites for adopting the EU SCCs. |
| Impact Assessment | Prior to any cross-border data transfer, the PI Processor must carry out a PIPIA and file the assessment findings with the relevant regulatory authorities. The PIPIA must address a set of prescribed criteria. | |
| Accession of Additional Parties | | An entity that is not a party to the EU SCCs may, with the agreement of the parties, accede to the agreement at any time, either as a data exporter or as a data importer. |
| Transparency and Disclosure | | |
| Data Transfer to Foreign Authorities | Generally prohibits providing PI to foreign judicial or law enforcement authorities unless approved by the relevant PRC regulatory authorities. | The data importer must notify the data exporter and the data subjects when it receives a legally binding request from a public authority. |
| Governing Law | | Depends on the specific set of EU SCCs used; the governing law may be that of a country within or outside the European Economic Area where the data importer is located. |
The rules on cross-border data transfers have broad ramifications for companies with operations in China, especially foreign companies that operate in China and have a genuine business need to transfer data to their group companies or business partners located outside of China, or to maintain their existing data-sharing arrangements.
While the Security Assessment Measures provide comprehensive guidance on security assessment filings, they create operational hurdles for cross-border data transfers, particularly where a transfer falls into a category that triggers a security assessment filing. Further, “important data” is broadly defined in the Security Assessment Measures, adding a layer of uncertainty as to the specific circumstances in which a security assessment filing is required. The retroactive effect of the Security Assessment Measures is also expected to have a profound impact on cross-border data transfers across many industries.
For intragroup cross-border transfers, a PIPC could potentially be another route for companies to effect cross-border data transfers. However, the rules for obtaining a PIPC have yet to be operationalized, as CAC has not released a list of qualified institutions that can grant a PIPC.
CAC is soliciting public comments on the Draft Provisions until July 29, 2022. We will closely monitor the development of the Draft Provisions and updates to the Draft PRC SC. Once finalized, the Draft PRC SC is likely to be the most viable method for cross-border data transfers that do not require approval of a security assessment filing.
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.