The Cyberspace Administration of China (CAC) recently deliberated and adopted “Measures for Security Assessment of Data Exports.” These came into effect on 1st September 2022.
Considering the volume of data consistently being shared to and from China, these measures hold critical importance for organizations worldwide. These measures, elaborated in 20 articles, address how organizations must carry out rigorous security assessments for the cross-border transfer of important data and personal information collected and generated during operations within the territory of the People's Republic of China.
Any violations of these measures will be dealt with per the provisions laid down in "Network Security Law of the People's Republic of China", "Data Security Law of the People's Republic of China", "Personal Information Protection Law of the People's Republic of China" and other data-related regulations within China.
Additionally, there are detailed guidelines that explain the situations that qualify as data exports behavior by data processors, such as:
- Transfer of data collected and generated in the domestic operation is transported for storage overseas;
- The data collected and generated by processors stored in China or abroad, which the individuals may be able to retrieve, download, or export; and
- Other behaviors as specified by CAC.
The guidelines also specify the documents that should be submitted along with the application and provide templates for some of them. These include data export security assessment declaration, data export risk self-assessment report, and certification materials, amongst others.
Criteria For Data Export Security Assessment
A data processor or controller will be subject to these measures if it fulfills either one of the following criteria:
- Shares important data overseas;
- Processes the personal information of more than one million people;
- Shared personal information of 100,000 people or sensitive personal information of 10,000 people since 1st January 2021;
- Other situations that require a data export security assessment as determined by the CAC.
Data Export Security Assessment Process
Data exit security assessment focuses on the risks that data exit activities may bring to China's national security, public interests, and the legitimate rights and interests of individuals or organizations.
For an organization to apply for the data export security assessment, the data processors are required to carry out a self-evaluation of their data export risks. This evaluation must focus on the following:
- The legitimacy and necessity of the purpose, scope, and method of data export and data processing by overseas recipients;
- The scale, scope, type, and sensitivity of the data being shared abroad and the risks the sharing of data may pose to the national security, public interests, and the legitimate rights and interests of individuals or organizations in China;
- The responsibilities and obligations of the overseas recipient of data and what technical measures are in place to ensure the security of such data;
- Any risk of data being tampered with, destroyed, leaked, lost, transferred, or illegally obtained or used during or after the data is shared with an entity outside China and ensure that channels for protecting rights and interests in personal information are unrestricted;
- Any data export-related contracts or legally binding documents that fully stipulate the responsibility and obligation of data protection by the recipient of data overseas.
- Other matters that may affect the security of data leaving the country.
Once such a self-evaluation has been completed, the organization may apply for a data export security assessment. To do so, the following documents will need to be submitted:
- A declaration form;
- Self-assessment report on data export risk;
- Legal documents stipulating agreements between the data processor and the overseas recipient;
- Other materials are required for the safety assessment.
Data Security Protection Responsibilities and Obligations for Overseas Recipient
Contracts or legally binding documents used for cross-border data transfer must clearly define the exact data security protection responsibilities and obligations of all parties involved, including at least the following information:
- The purpose, method, and scope of data export, and the purpose and method of data processing by overseas recipients;
- The location and period of data storage overseas, as well as what happens to the shared data after the retention period expires;
- Any binding requirements for overseas recipients to transfer outbound data to other organizations and individuals;
- Security measures that should be taken in case there is a substantial change in the business scope of the recipient or data security protection policies and regulations of the country or region where the recipient is located;
- All remedial measures, liability for breach of contract, and dispute resolution methods for breach of data security protection obligations;
- The exact emergency response and the ways and methods to protect individuals' rights to safeguard their personal information in case shared data is at risk of being tampered with, destroyed, leaked, lost, transferred, or illegally obtained or used illegally.
Official Security Assessment Process
Once the required documents are submitted, the provincial network information department must conduct its completeness check within five working days from the date of the receipt of the application. If the application is incomplete, the data processor is informed and must provide the missing document. The application is forwarded to the national network information department if the documents are complete and in order.
Additionally, the national network information department may terminate the entire security assessment altogether if the data processor cannot provide the missing documents without a justifiable reason.
If the data processor is found to have submitted false or incomplete documents deliberately, they will be dealt with according to the evaluation failure.
The national network information department then assesses the data processor’s data export security assessment application within seven working days and informs the data processor of the acceptance notice in writing.
The national network information department’s data export security assessment is carried out similarly to that of the data processor’s self-evaluation. Additionally, the national network information department assesses whether the data export activity would comply with China’s other administrative regulations and mandatory national standards of China.
Once the national network information department has conducted its assessment and accepted the declaration, it must then organize the relevant departments of the State Council, provincial-level network information departments, specialized agencies, etc., to conduct their own security assessments per the declaration situation.
This collaborative assessment must be completed within forty-five working days after the national network information department acceptance notice to the data processor. In case the assessment requires additional time or additional documents to be submitted, this period can be extended with the data processor being informed of the extended assessment period.
Once completed, the data processor must be informed of the assessment results in writing.
Suppose the data processor has any objections to the assessment results. In that case, they may apply for a re-assessment by the national network information department within fifteen working days of receiving the results. However, the re-assessment results are final and cannot be challenged further.
Approval and Validity of Security Assessment
The results of a data export security assessment will remain valid for two years from the date of the issuance of the assessment results. However, the data processor will need to apply for a re-assessment if the following occur during the validity period:
- Any changes in the purpose, method, scope, and type of data provided overseas and the purpose and method of data processing by overseas recipients;
- Any changes in the data security protection policies, regulations, and network security environment of the country or region where the overseas recipient is located, as well as any changes in the legal agreement between the data processor and the overseas recipient;
- Other factors affect the security of the shared data.
The data processor must re-apply for the assessment sixty days before the two-year validity period expires.
In case the national network information department determines the data processor, having passed the assessment, no longer meets the data export security requirements during the validity period, they must notify the data processor in writing to terminate their data export activities. The data processor must then take any corrective measures required and apply for a re-assessment.
These measures also stipulate obligations on the part of the relevant institutions and personnel that carry out the data export security assessment. They are required to keep any state secrets, personal privacy, personal information, business secrets, confidential business information, and other data that they learn in the performance of their duties confidential unless legally required to disclose.
Furthermore, if any organization or individual learns of the data processor engaging in activities that violate these measures, they must report it to the national network information department or its provincial subordinates.
