PRC Promulgated Measures for Security Assessment of Outbound

The Measures for Security Assessment of Outbound Data Transfers (“Measures”) adopted by the Cyberspace Administration of China on 7 July 2022 will take effect on 1 September 2022. The Measures summarize the circumstances which trigger security assessment subject to authorities’ review in accordance with the PRC Cybersecurity Law, the PRC Data Security Law and the PRC Personal Information Protection Law, and provide practical guidance on the administrative procedure of security assessment. Please find below an overview of the Measures.

On 7 July 2022, the Cyberspace Administration of China (“CAC”) adopted the Measures for Security Assessment of Outbound Data Transfers (“Measures”). The Measures will take effect on 1 September 2022.

1. Legislative Developments and Transition Period

Outbound data transfer has been a major concern of the Chinese government in the past few years. The PRC Cybersecurity Law (“CSL”) introduced for the first time the legal requirement for security assessment of cross-border transfers of personal information and important data conducted by critical information infrastructure operators (“CIIOs”). However, until now there have been no effective implementation rules on how to conduct the security assessment.

In order to implement the security assessment in accordance with relevant laws, the CAC published the Drafted Measures for Security Assessment of Outbound Personal Information and Important Data Transfers for public comments on 11 April 2017. On 13 June 2019, the CAC published the Drafted Measures for Security Assessment of Outbound Personal Information Transfers for public comments. However, neither draft ever took effect. After the PRC Data Security Law (“DSL”) and the PRC Personal Information Protection Law (“PIPL”) were promulgated in 2021, the CAC further published the Drafted Measures for Security Assessment of Outbound Data Transfers for public comments on 29 October 2021 and promulgated the final version of the Measures on 7 July 2022. The Measures summarize the circumstances which trigger security assessment subject to authorities’ review in accordance with the CSL, the DSL and the PIPL, and provide practical guidance on the administrative procedure of security assessment.

Since the Measures will take effect on 1 September 2022, they provide a six-month transition period for affected companies to complete rectification. According to Article 20 of the Measures, any outbound data transfer activity carried out before the effective date of the Measures which is not in compliance with the Measures shall be rectified within six months of the effective date of the Measures. Affected companies should therefore complete rectification by 28 February 2023.

2. Application Scope of the Measures

a) Which outbound data transfers will trigger security assessment requirement?

Not every company engaged in outbound data transfers is required to conduct a security assessment. According to Article 4 of the Measures, for an outbound data transfer by a data handler that falls under any of the following circumstances, the data handler shall apply to the national cyberspace administration authority for the security assessment via the local provincial-level cyberspace administration authority:

  1. Outbound transfer of important data by a data handler;
  2. Outbound transfer of personal information by a CIIO;
  3. Outbound transfer of personal information by a personal information handler who has handled the personal information of more than 1,000,000 persons;
  4. Outbound transfer of personal information by a personal information handler who has made outbound transfers of the personal information of 100,000 persons cumulatively or the sensitive personal information of 10,000 persons cumulatively since 1 January of the previous year;
  5. Other circumstances where an application for the security assessment of an outbound data transfer is required as prescribed by the national cyberspace administration authority.

For other outbound data transfers which do not fall under the above circumstances, companies do not have to conduct the security assessment and can take alternative legal approaches in accordance with the relevant laws in order to be compliant. For instance, for outbound transfer of personal information, according to the PIPL, companies can be compliant by obtaining personal information protection certification issued by a professional institution designated by the national cyberspace administration or signing standard contracts formulated by the national cyberspace administration.

b) Definition of important data

In addition, Article 19 of the Measures provides a definition of important data as mentioned under the above item 2 a) (1): any data whose tampering, damage, leakage, or illegal acquisition or use may endanger national security, the operation of the economy, social stability, public health and security, etc.

As to the practical classification of important data in different industries, this still needs to be determined by specific important data catalogues to be issued by regulatory departments in different industries in accordance with the DSL. In practice, whether certain data constitute important data shall be determined on a case-by-case basis.

c) Definition of outbound data transfers

The Measures do not provide a clear definition of outbound data transfers. However, according to the CAC official’s response to journalists’ questions about the Measures, there are two main types of outbound data transfers:

  1. A data handler transfers and stores data which are collected and generated within the territory of the PRC overseas;
  2. A data handler stores data which are collected and generated within the territory of the PRC, while overseas entities, organizations or individuals can access or use the relevant data.

Therefore, if a company conducts the aforesaid outbound data transfer activities and falls under any of the circumstances listed in the above item 2 a), the company shall conduct the security assessment and obtain approval from the national cyberspace administration authority before such outbound data transfers begin.

3. Preparations for Security Assessment

According to Article 6 of the Measures, the following materials shall be submitted for applying for the security assessment of outbound data transfers:

  • An application form;
  • A self-assessment report of the risks in the outbound data transfers;
  • The legal document to be executed between the data handler and the overseas recipient;
  • Other materials as required for the security assessment.

a) Self-assessment

According to Article 5 of the Measures, a data handler shall conduct a self-assessment of the risks in the outbound data transfer before applying for the security assessment. The self-assessment shall focus on the following matters:

  • The legality, legitimacy, and necessity of the outbound data transfer and the data handling by the overseas recipient in terms of the purpose, scope, method, etc.;
  • The quantity, scope, type, and sensitivity of the outbound data, and the risks that may be brought to national security, public interests, or the lawful rights and interests of individuals or organizations;
  • Whether the responsibilities and obligations undertaken by the overseas recipient, and the management and technical measures and capabilities of the overseas recipient to perform such responsibilities and obligations can ensure the security of the outbound data;
  • The risk of the outbound data being tampered with, damaged, leaked, lost, relocated or illegally acquired or used during and after the outbound data transfer, and whether the channels for individuals to safeguard their personal information rights and interests are unobstructed, etc.;
  • Whether data security protection responsibilities and obligations are sufficiently stipulated in the contract or other documents with legal force to be executed with the overseas recipient in relation to the outbound data transfer; and
  • Other matters that may affect the security of the outbound data transfer.

b) Legal document to be executed between the data handler and the overseas recipient

According to the Measures, a legal document covering data protection clauses is necessary for applying for the security assessment and is also the focus of self-assessment. Article 9 of the Measures stipulates that such legal document shall clearly stipulate the data security protection responsibilities and obligations, including but not limited to the following:

  • The purpose and method of the outbound data transfer and the scope of data, and the purpose and method of the data handling by the overseas recipient;
  • The place and retention period of the data stored overseas, and the measures to handle the data transferred overseas upon the expiration of the retention period, completion of the agreed purpose, or termination of the legal document;
  • A requirement restricting the overseas recipient from retransferring the outbound data to any other organization or individual;
  • The security measures to be adopted when there is any material change in the actual control or business scope of the overseas recipient, or when the data security protection policies and legislation and cybersecurity environment have changed or any other force majeure event has occurred in the country or region where the overseas recipient is located, which makes it difficult to ensure data security;
  • The remedial measures, liability for breach of contract and dispute resolution in the event of breach of any data security protection obligation stipulated in the legal document; and
  • The requirements for proper emergency disposal and for ensuring the channels and ways for individuals to safeguard their personal information rights and interest when the outbound data is exposed to risks such as being tampered with, damaged, leaked, lost, relocated, or illegally acquired or used.

The Measures provide helpful guidance on the content to be covered by the legal document. For companies that are not subject to the security assessment requirement, executing such a legal document, e.g. a standard contract with the overseas recipient, may also serve as a compliant approach to transferring data abroad in accordance with the PIPL.

4. Procedure and Timeline of Security Assessment

The Measures clarify the procedure and timeline for a security assessment conducted by the relevant authorities. If everything goes smoothly, passing the security assessment takes around sixty working days. However, the relevant authorities have discretion to require supplemental materials from the applicant and may extend the examination period on a case-by-case basis. Please find a brief introduction to the procedure below.

a) Formality check

According to Article 7 of the Measures, the filing materials for a security assessment shall be submitted to the provincial-level cyberspace administration authority. The provincial-level cyberspace administration authority shall check the completeness of the filing materials within five working days upon the date of receipt of the filing materials. If the filing materials are complete, they shall be submitted to the national cyberspace administration authority.

However, if the filing materials are incomplete, they shall be returned to the data handler, who shall be informed in a single notice of all materials to be supplemented. The national cyberspace administration authority shall determine whether to accept the application and notify the data handler of the decision in writing within seven working days of the date of receipt of the filing materials.

b) Substantive check

According to Article 10 of the Measures, the national cyberspace administration authority shall organize the relevant authorities of the State Council, provincial-level cyberspace administration authority, specialized institutions, etc. to perform the security assessment after accepting an application.

In addition, according to Article 11 of the Measures, the national cyberspace administration authority may require the filing materials to be supplemented or corrected by the data handler. If the data handler refuses to do so without proper reason, the national cyberspace administration authority may terminate the security assessment. Data handlers shall be responsible for the authenticity of the materials they submit. If they deliberately submit false materials, they shall be deemed to have failed the security assessment and be held legally liable under the law.

Article 12 of the Measures stipulates that the national cyberspace administration authority shall complete the security assessment within forty-five working days of the issuance date of the written notification of acceptance to the data handler. If the case is complicated or materials need to be supplemented or corrected, this period may be extended as appropriate and the extension shall be notified to the data handler. The result of the security assessment shall be notified to the data handler in writing.

c) Objection procedure

According to Article 13 of the Measures, if the data handler has any objection to the security assessment result, the data handler may apply to the national cyberspace administration authority for a reassessment within fifteen working days of the date of receipt of the assessment result. The result of the reassessment shall be final.

5. Validity Period and Reapplication for Security Assessment

According to Article 14 of the Measures, if a company passes the security assessment, the result of the security assessment of outbound data transfer shall be valid for two years commencing on the issuance date of the assessment result. If the data handler needs to continue the outbound data transfer activity after the expiration of the validity period, the data handler shall reapply for the security assessment within 60 working days before the expiration date of the validity period.

In addition, if any of the following circumstances occurs during the validity period, the data handler shall reapply for the security assessment:

  • There is any change to the purpose, method, scope or type of the outbound data transfer, or change to the purpose or method of the data handling by the overseas recipient, which will affect the security of the outbound data, or the retention period of the personal information or important data stored overseas is to be extended;
  • There is any change in the data security protection policies and legislation and cybersecurity environment or any other force majeure event that has occurred in the country or region where the overseas recipient is located, or any change in the actual control of the data handler or overseas recipient, or any change to the legal document executed between the data handler and the overseas recipient, which will affect the security of the outbound data; or
  • Other circumstances that may affect the security of the outbound data.

Further, according to Article 17 of the Measures, if the national cyberspace administration authority discovers that any outbound data transfer activity which has passed the security assessment no longer meets the security requirements for outbound data transfers in the course of the actual implementation, it shall notify the data handler concerned in writing to terminate the outbound data transfer activity. If the data handler needs to continue the outbound data transfer activity, the data handler shall make rectification as required and reapply for the security assessment when the rectification is completed.

6. Conclusion

In summary, only certain types of outbound data transfers will be subject to the security assessment requirement under the Measures. For other types of outbound data transfers, there are alternative approaches to comply with the administrative restrictions on cross-border transmission of data and personal information in accordance with relevant PRC laws. Therefore, we recommend that companies first determine whether their outbound data transfer activities fall under the stipulated circumstances which trigger the security assessment requirement. If a security assessment is necessary, we recommend starting preparations as soon as possible. We also recommend monitoring the practice of the national cyberspace administration authority and the provincial-level cyberspace administration authorities regarding security assessment in the coming months in order to obtain practical guidance on implementation.