On July 7th, 2022, the Cyberspace Administration of China (hereinafter referred to as the “CAC”) issued the Measures for the Security Assessment of Outbound Data Transfers (hereinafter referred to as the “Assessment Measures”). Together with the Three Major Laws, namely the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, as well as other relevant laws and regulations, the Assessment Measures complete a robust legal system for the governance and protection of data in China’s cyberspace.
The Assessment Measures further regulate outbound data transfer activities by setting out specific provisions on the security assessment of outbound data transfers. They also establish guiding principles for the assessment: prior assessment combined with continuous supervision, and risk self-assessment combined with security assessment by the authorities.
We have selected the following topics from the perspective of enterprises for further discussion:
1. What is considered an “Outbound Data Transfer”?
The Measures apply to the security assessment of important data and personal information that a data processor has collected and generated during operations within the territory of the People’s Republic of China and provides to recipients abroad. In response to a reporter’s question on the Measures, the CAC further clarified that the Outbound Data Transfer activities referred to in the Measures mainly include the following:
Firstly, the data processor transfers data collected and generated in the course of domestic operations abroad and stores it there.
Secondly, the data collected and generated by data processors is stored in China, and can be accessed by institutions, organizations or individuals outside of the country.
In summary, an activity constitutes an “Outbound Data Transfer” regulated by the Assessment Measures only when all of the following elements are met:
1) Data Type: Important data or personal information collected and generated in domestic operations;
2) Outbound Method: Provided to recipients abroad, whether by physically moving the data across the border or by allowing remote access from abroad;
3) Definition of Overseas: Any country or region other than the mainland area of the People’s Republic of China, which includes Hong Kong, Macao and Taiwan; and
4) Parties carrying out Outbound Data Transfer Activities: Both the data transfer provider and the data receiver.
2. What are the circumstances under which the “Data Outbound Security Assessment” is triggered?
Which circumstances require a data export to be reported to the competent authorities for assessment has been the key issue of the Outbound Data Transfer rules, and successive rules have made many attempts to clarify the trigger conditions for an Outbound Data Transfer security assessment. The Assessment Measures integrate and echo the relevant rules in the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, and finally establish four trigger conditions, framed in terms of data type, subject type, data scale and other factors:
1) The outbound data contains important data, regardless of whether the data processor constitutes a critical information infrastructure operator (“CIIO”);
2) The data processor constitutes a special subject: The data processor is a CIIO and provides personal information overseas;
3) The amount of data processed by the data processor exceeds the threshold:
- The data processor handles the personal information of more than 1 million people; or
- Since January 1st of the previous year, the data processor has provided overseas the personal information of more than 100,000 people, or the sensitive personal information of more than 10,000 people;
4) Other circumstances, as stipulated by the State Internet Information Department, in which a security assessment of the data export must be declared.
3. How to identify a Critical Information Infrastructure Operator (CIIO)?
According to Article 2 of the Regulations on the Security Protection of Critical Information Infrastructure promulgated in 2021, critical information infrastructure refers to important network facilities and information systems in important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services, e-government and the national defense science and technology industry, as well as other important network facilities and information systems that, once destroyed, disabled or subject to data leakage, may seriously endanger national security, the national economy and people’s livelihood, or the public interest.
In accordance with Article 10 of the Regulations, the protection work department for each industry or field is responsible for organizing the identification of critical information infrastructure in that industry or field, in accordance with the identification rules it formulates, and for notifying the operator of the results of the determination. Based on these provisions, an enterprise that is identified as a CIIO will receive a notification from the relevant authorities.
It follows that, for the time being, an enterprise that has not received a notice from the competent authority identifying it as a CIIO may treat itself as a non-CIIO. However, it is expected that as further regulations are introduced, the identification rules will be refined and clarified.
4. Compliance Recommendations
According to Article 20 of the Assessment Measures, they take effect on September 1st, 2022. Their entry into force gives enterprises a concrete implementation path for handling security assessments of Outbound Data Transfers, and from that date the Outbound Data Transfer security assessment regime is formally in effect.
Enterprises that fall within any of the four situations in which the Measures require a security assessment to be declared, and that have Outbound Data Transfer needs, should sort out their data holdings as soon as possible, conduct a self-assessment (either on their own or by engaging a professional institution), sign legal documents such as data export contracts with overseas recipients that meet the requirements, and file the security assessment declaration as soon as possible.
Although the Assessment Measures allow a grace period of six months, a self-assessment might be needed first, and the self-assessment, any rectification, and the revision of self-assessment reports can all be time-consuming. It is therefore recommended that enterprises carry out the relevant work as soon as possible and actively adjust their Outbound Data Transfer business framework, ensuring that business is conducted in compliance with the laws and regulations.