IDC Names Securiti a Worldwide Leader in Data PrivacyView
The Cyberspace Administration of China (CAC) recently deliberated and adopted “Measures for Security Assessment of Data Exports.” These came into effect on 1st September 2022.
Considering the volume of data consistently being shared to and from China, these measures hold critical importance for organizations worldwide. These measures, elaborated in 20 articles, address how organizations must carry out rigorous security assessments for the cross-border transfer of important data and personal information collected and generated during operations within the territory of the People's Republic of China.
Any violations of these measures will be dealt with per the provisions laid down in "Network Security Law of the People's Republic of China", "Data Security Law of the People's Republic of China", "Personal Information Protection Law of the People's Republic of China" and other data-related regulations within China.
Additionally, there are detailed guidelines that explain the situations that qualify as data exports behavior by data processors, such as:
The guidelines also specify the documents that should be submitted along with the application and provide templates for some of them. These include data export security assessment declaration, data export risk self-assessment report, and certification materials, amongst others.
A data processor or controller will be subject to these measures if it fulfills either one of the following criteria:
Data exit security assessment focuses on the risks that data exit activities may bring to China's national security, public interests, and the legitimate rights and interests of individuals or organizations.
For an organization to apply for the data export security assessment, the data processors are required to carry out a self-evaluation of their data export risks. This evaluation must focus on the following:
Once such a self-evaluation has been completed, the organization may apply for a data export security assessment. To do so, the following documents will need to be submitted:
Contracts or legally binding documents used for cross-border data transfer must clearly define the exact data security protection responsibilities and obligations of all parties involved, including at least the following information:
Once the required documents are submitted, the provincial network information department must conduct its completeness check within five working days from the date of the receipt of the application. If the application is incomplete, the data processor is informed and must provide the missing document. The application is forwarded to the national network information department if the documents are complete and in order.
Additionally, the national network information department may terminate the entire security assessment altogether if the data processor cannot provide the missing documents without a justifiable reason.
If the data processor is found to have submitted false or incomplete documents deliberately, they will be dealt with according to the evaluation failure.
The national network information department then assesses the data processor’s data export security assessment application within seven working days and informs the data processor of the acceptance notice in writing.
The national network information department’s data export security assessment is carried out similarly to that of the data processor’s self-evaluation. Additionally, the national network information department assesses whether the data export activity would comply with China’s other administrative regulations and mandatory national standards of China.
Once the national network information department has conducted its assessment and accepted the declaration, it must then organize the relevant departments of the State Council, provincial-level network information departments, specialized agencies, etc., to conduct their own security assessments per the declaration situation.
This collaborative assessment must be completed within forty-five working days after the national network information department acceptance notice to the data processor. In case the assessment requires additional time or additional documents to be submitted, this period can be extended with the data processor being informed of the extended assessment period.
Once completed, the data processor must be informed of the assessment results in writing.
Suppose the data processor has any objections to the assessment results. In that case, they may apply for a re-assessment by the national network information department within fifteen working days of receiving the results. However, the re-assessment results are final and cannot be challenged further.
The results of a data export security assessment will remain valid for two years from the date of the issuance of the assessment results. However, the data processor will need to apply for a re-assessment if the following occur during the validity period:
The data processor must re-apply for the assessment sixty days before the two-year validity period expires.
In case the national network information department determines the data processor, having passed the assessment, no longer meets the data export security requirements during the validity period, they must notify the data processor in writing to terminate their data export activities. The data processor must then take any corrective measures required and apply for a re-assessment.
These measures also stipulate obligations on the part of the relevant institutions and personnel that carry out the data export security assessment. They are required to keep any state secrets, personal privacy, personal information, business secrets, confidential business information, and other data that they learn in the performance of their duties confidential unless legally required to disclose.
Furthermore, if any organization or individual learns of the data processor engaging in activities that violate these measures, they must report it to the national network information department or its provincial subordinates.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.