The Cyberspace Administration of China ("CAC") on October 29, 2021 published the draft Measures on Security Assessment of Cross-Border Data Transfer ("Draft Measures") for comment through November 28, 2021.[1]  The Draft Measures are formulated under the Cybersecurity Law ("CSL"), Data Security Law ("DSL"), Personal Information Protection Law ("PIPL") and related regulations.  Before the Draft Measures were published, several draft measures and national standards had already addressed the regulation of cross-border data transfer.[2]  The Draft Measures, once formally promulgated, are likely to replace those earlier drafts and may set the foundation for additional national standards in this area.

The Draft Measures specify (I) who is subject to a CAC-led security assessment of cross-border data transfer; (II) the focus of the security assessment; and (III) the government review procedure.

(I) Who is subject to a CAC-led security assessment of cross-border data transfer

The Draft Measures require data processors to conduct a security assessment before transferring overseas "important data"[3] and personal information ("PI") collected and generated in China (Article 2).  For processors of important data or PI, the security assessment may entail both an internal risk assessment and a government-led security assessment (Article 3), as explained below.  "Overseas" appears to refer to geography rather than nationality, so a transfer to foreign persons or foreign-invested enterprises within China would not constitute an overseas transfer, at least absent knowledge that the transferee intends to transfer the data or information overseas.

Article 4 of the Draft Measures imposes a CAC-led security assessment requirement based on the type of data processor (a. Critical Information Infrastructure Operator ("CIIO"), b. massive PI processor, or c. other data processor) and the type of data (i. important data, or ii. PI meeting any of several quantitative thresholds).  The Draft Measures for the first time clarify the threshold for designation as a massive PI processor (PI processor which processes PI of one million or more individuals) and the threshold for PI subject to security assessment (cross-border transfer of PI of 100,000 or more individuals or sensitive PI of 10,000 or more individuals).  These thresholds are not high in a country as populous as China. 

CIIOs and massive PI processors are required to apply for a CAC-led security assessment whenever they transfer important data or PI overseas, with no volume threshold.  Data processors other than CIIOs and massive PI processors need to apply for such a security assessment only when transferring overseas important data, or PI that meets a quantitative threshold, and not when transferring overseas PI below the relevant threshold.  Nor do such other data processors need to apply when transferring overseas data that is neither important data nor PI, unless the transfer would otherwise implicate national security or the public interest.

More specifically, under the Draft Measures a data processor transferring data overseas would be required, after first conducting an internal self-assessment of risk (Article 5), to apply to the CAC through the provincial cyberspace administration for a security assessment of the cross-border data transfer in any of the following circumstances (Article 4):

  1. The data is PI or important data collected and generated by a CIIO;[4]
  2. The data to be transferred includes important data;[5]
  3. The data processor processes PI of one million or more individuals and is providing PI overseas;[6]
  4. The transfer involves, cumulatively, PI of 100,000 or more individuals or sensitive PI of 10,000 or more individuals; or
  5. Any other circumstance in which the CAC requires a security assessment for cross-border data transfer (a catch-all).

Data processors that do not fall under any of the Article 4 categories, and so are not subject to a CAC-led security assessment, are still required under Article 5 to conduct an internal self-assessment of risk before transferring the data outside China, as explained below.

(II) What does the security assessment focus on

Before transferring data outside China, all data processors are required to conduct an internal risk assessment, regardless of whether they are also subject to a CAC-led security assessment.  The internal risk assessment is to focus on:

  1. Whether the purpose, scope and means of the cross-border transfer, and of the overseas recipient's processing of the data, are legal, proper, and essential;
  2. The volume, scope, type and sensitivity of data to be transferred outside China and potential risks to national security, the public interest, and the legitimate rights of individuals and organizations;
  3. Whether the data processor has adequate management and technical capacity and has adopted measures to prevent the underlying data from being divulged or destroyed during the data transfer process;
  4. Whether the overseas recipient of the data has made a commitment and adopted relevant management and technical measures to protect the security of data transferred outside China;
  5. The risks of leakage, falsification, loss or abuse after the data is transferred outside China, and whether individuals have an accessible channel through which to assert their PI rights; and
  6. Whether the contract between the data processor and overseas recipient of the data has made clear their respective responsibilities on data security protection.

Data processors that fall under any of the circumstances set forth in Article 4 must apply to the CAC for a security assessment of the cross-border data transfer.  In conducting that assessment, the CAC would under the Draft Measures focus on the risks the cross-border transfer poses to national security, the public interest, and the rights and interests of individuals or organizations, specifically (Article 8):

  1. Whether the purpose, scope and means of the cross-border transfer are legal, proper, and essential ("essential" indicating a bias against transfer);
  2. The impact on the security of the transferred data of the data protection laws and policies and the cybersecurity environment in the overseas recipient's country or region, and whether the overseas recipient's level of data protection meets the requirements of Chinese laws, administrative regulations and mandatory national standards;
  3. The quantity, scope, type and sensitivity of the underlying data and the risks of leakage, falsification, loss, or illegal acquisition or exploitation during and after cross-border transfer;
  4. Whether data security and PI rights can be fully and effectively protected;
  5. Whether the data processor and overseas recipient have made clear their respective responsibilities and obligations in their contract in terms of data security protection;
  6. Compliance with Chinese laws, regulations and ministry regulations; and
  7. Any other matter the CAC deems necessary to assess (a catch-all).

(III) Government review procedure

The timing for clearance may be lengthy.  The CAC would be required to decide within seven working days of receiving the application materials whether to formally accept the application (Article 7), and then to complete the security assessment within 45 working days of formal acceptance, extendable to 60 working days in complex cases (Article 11).  A favorable assessment would be valid for two years, absent a change in the purpose, method, scope or type of the data or in the overseas recipient; a change in the law of the recipient's country or region that may affect the security of the data; or, as a catch-all, any other factor affecting the security of the transferred data (Articles 11 and 12).

Conclusion:

The Draft Measures for the first time would clarify the thresholds for the types of data processors and types of data that are subject to cross-border security assessment and establish a timeline for the government review.  While the Draft Measures provide certainty as to subject matter and timelines, the bias is against overseas transfer and the procedure and length of government review may prove to be burdensome.  In both of these respects, the Draft Measures are in tension with China's commitments under the WTO's General Agreement on Trade in Services (GATS) and China's recently stated desire to become a party to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the Digital Economy Partnership Agreement (DEPA), two Asia-Pacific regional trade agreements with strong disciplines on facilitating digital trade, including cross-border transfers of information.

Footnotes

[1] http://www.cac.gov.cn/2021-10/29/c_1637102874600858.htm

[2] Such draft measures and national standards include the draft Measures for the Security Assessment of Cross-Border Transfer of Personal Information and Important Data (2017); the draft Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment (2017); and the draft Measures for the Security Assessment of Cross-Border Transfer of Personal Information (2019).

[3] While neither the CSL nor the DSL clearly defines what constitutes "important data," the draft Data Security Management Measures (2019) and the recent draft Information Security Technology - Guidelines on Identification of Important Data (2021) in general define "important data" as "data which, if disclosed, may affect national security, economic security, social stability or public health, safety and interest, such as undisclosed government information, information relating to large-scale population, population genetics and health, geography and mineral resources, etc."  Important data generally does not include information relating to the operation, production or internal management of enterprises.

[4] The legal foundation may be found in Article 37 of the CSL (2017): "CIIOs shall store within the territory of China personal information and important data collected and generated during its operation within China. Where such information and data have to be provided abroad for business purpose, security assessment shall be conducted pursuant to the measures developed by the CAC together with competent departments of the State Council, unless otherwise provided for in laws and administrative regulations, in which such laws and administrative regulations shall prevail."

[5] The legal foundation may be found in Article 31 of the DSL (2021): "... the administrative measures for the security management for the cross-border transfer of important data collected and produced during operation by other data processors within China shall be formulated by the state cyberspace administration in concert with the relevant departments under the State Council."

[6] The legal foundation may be found in Article 40 of the PIPL (2021): "CIIO and personal information processors whose quantity of processing of personal information reaches that as prescribed by CAC shall store personal information collected and generated within China.  Where it is necessary to provide such information and data to an overseas party, such provision shall pass the security evaluation organized by the CAC; where the laws, administrative regulations and the provisions of the CAC stipulate that security evaluation is not required, such stipulation shall prevail."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.