Acting as by far the most important implementation rule of the Personal Information Protection Law, the Security Assessment Measures for Outbound Data Transfers ("Measures") came into force on September 1, 2022. Article 20 of the Measures grants a six-month grace period to enterprises that have already carried out outbound data transfer activities; that is, the relevant enterprises must complete their rectification before March 1, 2023 (the "Deadline"). Enterprises whose outbound data transfers have not yet triggered the mandatory declaration may also choose to declare a security assessment at their own discretion. Considering that the Deadline will soon lapse, we have selected and answered 10 popular questions, covering the most confusing topics under the assessment work together with some of our hands-on experience. We hope this Q&A will clear some doubts and help interested enterprises keep abreast of the latest developments in outbound data transfer.

Q.1. How Can Enterprises Determine Whether They Need to Declare Security Assessments for Outbound Data Transfer?

Answer:

Enterprises should mainly refer to Article 4 of the Measures and make the determination in the light of their own business. Specifically, enterprises that fall into any of the following criteria are obligated under the Measures to complete the declaration for security assessment for outbound data transfer within a limited period: (i) enterprises that process the personal information of no less than 1 million people and provide personal information abroad; (ii) enterprises that are critical information infrastructure operators ("CIIOs") and provide personal information abroad; (iii) enterprises that provide the personal information of 100,000 people abroad in two calendar years; (iv) enterprises that provide the sensitive personal information of 10,000 people abroad in two calendar years; or (v) enterprises that provide important data abroad. The methodology for determining which criteria apply and how to conduct the self-assessment work varies from enterprise to enterprise, as the nature of their businesses differs. For example, whether an enterprise is a CIIO depends on whether it has received a notice from the competent authority and on the result of its self-assessment. Handlers that process the personal information of no less than 1 million people must declare the security assessment in accordance with the Measures even if they have transferred only a small amount of data abroad (such as employee data). As for important data, except in a few industries (automobile and surveying & mapping), most industries have no specific regulations or guidelines for determining what constitutes important data. During the self-assessment, enterprises therefore often need to determine whether the transferred data constitutes important data based on the definition of important data under the Measures, namely the magnitude of the damage that a breach of the specific data would cause.

For personal information, according to the advice we received from the Cyberspace Administration of China ("CAC"), when determining whether the obligation of security assessment is triggered under the personal information or sensitive personal information criteria, enterprises need to estimate the total number of people whose personal information was transferred abroad in the course of their business operations during the past two calendar years. For example, assume that an enterprise transferred the personal information of 50,000 people abroad in each of 2021 and 2022. At the beginning of 2023, the enterprise interprets the new Measures as counting only from January 1 of the previous calendar year (2022) to 2023, concludes that the number of people whose personal information it has transferred abroad has not reached 100,000, and therefore decides not to declare the security assessment. According to regulatory requirements, however, this way of determination is a misinterpretation of the statutory declaration obligation with the purpose of circumventing it, and is therefore non-compliant. In determining whether they meet the conditions for a security assessment declaration for outbound data transfer (100,000 people for personal information in 2 calendar years, and 10,000 people for sensitive personal information in 2 calendar years), enterprises should estimate the volume of personal information transferred abroad over 2 complete calendar years on the basis of their actual previous business operations. For example, when determining whether a security assessment declaration for outbound data transfer is required in 2023, the proper methodology is to estimate the volume of personal information or sensitive personal information transferred abroad over the 2 complete calendar years from 2021 to 2022.

Q.2. How Do Enterprises Use the Guide to Applications for Security Assessment of Outbound Data Transfers (First Edition) and Its Appendices When Declaring Security Assessments for Outbound Data Transfer?

Answer:

Acting as the "Detailed Rules for the Implementation" of the Measures, the "Guide to Applications for Security Assessment of Outbound Data Transfers (First Edition)" ("Guide") and its appendices are the "Golden Rules" for enterprises to carry out assessment work on the risks of outbound data transfer. The Guide and its appendices provide answers to the following questions:

• Whose information needs to be filled in?

• Whose ID copy needs to be submitted?

• What documents need to be submitted in original?

• What needs to be included in the self-assessment report?

We advise enterprises to start the security assessment work for outbound data transfer by formulating work plans and task lists strictly in accordance with the Guide, with the goal of preparing the materials, filling in the content required by the Guide, and carrying out the self-assessment work in a well-organized way.

Q.3. How to Understand the Relationship between the Requirements of the Measures for "Legal Documents" and the "Standard Contract for Cross-Border Transfers of Personal Information" Annexed to the Provisions on Standard Contracts for Cross-Border Transfers of Personal Information (Exposure Draft)?

Answer:

In our opinion, for the outbound transfer of personal information, it is workable for the domestic data handler and the overseas data recipient to sign the "Standard Contract for Cross-border Transfers of Personal Information" ("SCC") issued by the CAC in order to meet the requirements of the Measures for "Legal Documents". The reason is that both the Measures and the SCC are issued by the CAC; from the regulator's perspective, the two documents were drafted coherently. Also, a careful review of Article 9 of the Measures against the terms of the SCC reveals that the terms agreed in the SCC meet most of the requirements of Article 9 of the Measures. However, the content of Article 9(1) and (4) of the Measures is not reflected in the template terms of the SCC; the data handler and the overseas recipient should therefore add the relevant terms in the form of annexes and make supplementary agreements when executing the SCC.

Q.4. How to Understand the Relationship between the Overseas "Recipient" and the "Recipient" of the Retransfer?

Answer:

According to Article 9 of the Measures and the requirements of the Guide, the data handler should specify in the Legal Documents with the overseas recipient the restrictive requirements governing the overseas recipient's transfer of the outbound data to other organizations or individuals. In addition, when drafting the Self-Assessment Report on Outbound Data Transfer Risks ("Report"), the data handler is required to describe in a specific section the information retransferred to other overseas recipients after the data has been transferred abroad. Therefore, when entering into Legal Documents, the domestic data handler and the overseas recipient need to agree specifically on the overseas recipient's obligations regarding the retransfer of data to third parties, if the overseas recipient intends to do so. The information of such third parties must also be disclosed in the Report when declaring the security assessment.

According to Article 3(7) of the SCC and the interpretation regarding the relationship between the SCC and the "Legal Documents" as elaborated in Q3, before the retransfer of data, the overseas recipient shall ensure that: (i) in principle, no data shall be retransferred unless there is a genuine need to do so; (ii) the recipient shall fully fulfill its obligation to inform the personal information subject of the identity, contact information, purpose and method of processing, type of personal information, and the method and procedure of exercising the rights of the personal information subject; (iii) the recipient shall obtain the separate consent of the personal information subject unless otherwise provided by law; and (iv) the recipient shall reach a written agreement with the recipient of the retransferred data and provide the personal information subject with a copy of the agreement.

In addition, as per the advice we received from the CAC, the Report does not need to describe and analyze the data security protection policies and regulations and the cybersecurity environment of the country or region where the recipient of the retransferred data is located. In its advice, however, the CAC did not prohibit enterprises from analyzing the data security protection policies and regulations and the cybersecurity environment of that country or region. We believe that if the country or region where the recipient of the retransfer is located can provide robust protection for the received outbound data (for example, by having joined specific international conventions and committed to providing the same level of protection for data transferred from member countries), it is better for enterprises to add the relevant descriptions to the Report.

Q.5. How to Understand the Relationship between the Assessment Report on the Impacts on Personal Information Protection ("PIA Report") and the Self-Assessment Report on Outbound Data Transfer Risks?

Answer:

According to Article 55 of the Personal Information Protection Law, the outbound transfer of personal information is one of the categories of personal information processing that requires a personal information protection impact assessment. Considering time and efficiency, it is feasible for an enterprise to issue a "limited edition" PIA report covering only the outbound data transfer. However, we do not recommend that enterprises take this approach to fulfill their obligation to conduct personal information protection impact assessments. While the Report requires an assessment of the outbound data transfer, Article 55 of the Personal Information Protection Law also requires a PIA for the processing of sensitive personal information, automated decision-making, entrusted processing, provision of personal information to third parties, and public disclosure of personal information. If a domestic data handler issues a PIA report based solely on the contents of the Report while also processing sensitive personal information in the course of its outbound data transfer activities, the PIA report issued cannot fully meet the compliance requirements of Article 55 of the Personal Information Protection Law.

Q.6. How to Understand the "Legality" of the Outbound Data Transfer?

Answer:

The Guide requires the data handler to elaborate on the "legality" of transferring the data abroad and the receipt and processing of data by the overseas recipient when drafting the Report. For personal information, "legality" in a narrow sense means that the above-mentioned processing has obtained the legal basis under Article 13 of the Personal Information Protection Law. The "legality" in a broad sense refers to whether the handler of personal information has fulfilled the relevant compliance obligations required under the Cybersecurity Law, the Personal Information Protection Law, the Data Security Law, and other laws and regulations, including but not limited to: (i) whether it has adequately informed the personal information subject of the outbound transfer and processing activities; (ii) whether the impact assessment on personal information protection has been completed in accordance with the requirements of the regulations; (iii) whether the record-filing of the classified protection for cybersecurity has been obtained; and (iv) whether binding Legal Documents have been signed in accordance with the requirements of the Measures.

In our experience, when assessing the "legality" of the outbound data transfer and of the data processing activities by the overseas recipient, the assessment should be structured around the analysis of the "outbound data transfer" on the one hand and the "data processing activities by the overseas recipient" on the other. For the sake of completeness of compliance, however, we advise enterprises to consider all of the "legality" requirements stipulated in the above laws and regulations and to conduct the corresponding assessment work.

Q.7. How to Understand the "Legitimacy" of the Outbound Data Transfer?

Answer:

The Guide requires the data handler to elaborate on the "legitimacy" of the outbound data transfer and the processing of the data by the overseas recipient when drafting the Report. For personal information, according to the Personal Information Protection Law, the Information Security Technology: Guide to Personal Information Security Impact Assessment, and the advice from the CAC, we understand that the "legitimacy" of personal information transferred abroad is mainly focused on the legitimacy of the purpose and the legitimacy of the means. The legitimacy of the purpose means that the personal information handler should aim to achieve legitimate purposes such as promoting personal interests or social public interests, rather than improper purposes such as harming the rights and interests of others and undermining public order; the legitimacy of means indicates that the means used by the handler to process personal information should meet the general expectations of the public and the requirements of public order. When describing the details of outbound data transfer, enterprises can elaborate on the above-introduced aspects based on the characteristics of the industry and whether the relevant business activities are in line with general business ethics.

Q.8. How to Understand the "Necessity" of the Outbound Data Transfer?

Answer:

The Guide requires the data handler to elaborate on the "necessity" of the outbound data transfer and the processing of the data by the overseas recipient when drafting the Report. For personal information, according to the Personal Information Protection Law, where a personal information handler genuinely needs to provide personal information outside the territory of the People's Republic of China due to business or other needs, it shall meet any of the following conditions: (i) it shall pass the security assessment organized by the CAC in accordance with the provisions of Article 40 hereof... Except for special types of data that are not allowed to be transferred abroad (e.g., population health information), all other types of data are subject to the necessity analysis during the outbound transfer. We believe that necessity rests on the premise of the "minimum necessity" principle for achieving the legal and legitimate purpose of personal information processing. For example, if a multinational enterprise transfers the personal information of employees abroad for the purpose of paying and verifying employees' salaries, the personal information fields transferred abroad in compliance with the "minimum necessity" principle should include personal information such as employees' names, ranks, attendance and bank card numbers. However, it is difficult to justify the necessity of the outbound transfer of personal information fields that are not related to payroll purposes, such as employees' medical histories and gender. Nevertheless, personal information fields such as employees' medical histories or gender may be necessary to achieve other purposes, such as the purchase of commercial insurance or the provision of welfare for specific holidays (Women's Day) by the enterprise.

To make it more straightforward for regulators to see the correlation between specific processing activities and the necessity when conducting the security assessment for outbound data transfer, the enterprise can also analyze the details of each system, elaborating the necessity of transferring data abroad in terms of the specific purposes for which each system processes personal information.

Q.9. If an Enterprise Provides a Channel for an Overseas Recipient to Access Data in China, yet the Overseas Recipient Never Accesses the Data in China, Does Such Inactive Behavior Constitute an Outbound Data Transfer?

Answer:

Yes. According to the definition of "outbound data transfer" stipulated in the Guide to Applications for Security Assessment of Outbound Data Transfers (First Edition), as long as a domestic data handler opens an access channel for overseas organizations to query, retrieve, download, or export data, it is deemed an outbound data transfer. As per the advice we received from the CAC, an overseas subject that has access to domestic data but does not actually access it will still be deemed an "overseas recipient" under the Measures; only when the domestic data handler completely closes the access channel for overseas organizations and ceases all other active outbound transfers can it be considered as not engaging in outbound data transfer.

Q.10. What Will Be the Consequences If an Enterprise Fails to Declare the Security Assessment for Outbound Data Transfer When It Is Required to Do So?

Answer:

We believe that administrative authorities have the right to impose penalties on enterprises that fail to fulfill their obligations of security assessment for outbound data transfer in accordance with the relevant provisions in the Personal Information Protection Law, the Cybersecurity Law, and the Data Security Law.

Enterprises that are obligated to conduct a security assessment for outbound data transfer under the above laws but fail to do so may be subject to a maximum fine of up to 50 million yuan or up to 5% of the previous year's turnover (Personal Information Protection Law); the person directly in charge and other directly liable persons may be subject to a maximum fine of up to 1 million yuan (Personal Information Protection Law & Data Security Law), and may be prohibited from acting as directors, supervisors, senior executives or persons in charge of personal information protection of the relevant enterprises for a certain period of time (Personal Information Protection Law). In addition to these penalties, the relevant competent authorities may order the enterprise to make rectifications, confiscate its illegal gains, order it to suspend business for rectification, and revoke the relevant business permit or license.

Enterprises should note that if 2022 was the "first year of implementation" of the regulations on outbound data transfer, then 2023 will be the "first year of law enforcement". With the introduction of regulations such as the Provisions on the Administrative Law Enforcement Procedures by the Cyberspace Administration Authorities at various levels, the administrative law enforcement procedures under which the CAC is the main enforcement body will become more straightforward. We believe that, as the main regulator of outbound data transfer, the CAC will strengthen administrative enforcement against data violations in 2023 and penalize enterprises that fail to complete their rectification or declaration obligations promptly in accordance with the aforementioned laws and regulations.

Summary:

As the first key regulation to come into effect after the implementation of the "troika" of data protection laws, the importance of the Measures goes without saying. Enterprises subject to the Measures should prudently assess their own situation and actively fulfill their declaration obligations to avoid penalties. In our experience, the assessment process for outbound data transfer provides a proper opportunity for MNCs to examine their data compliance gaps and problems, communicate with headquarters regarding the key points of data compliance in China, and raise their overall data protection compliance performance in China. With the assistance of experienced legal professionals, multinational enterprises can take this opportunity to establish data compliance systems and standardized procedures that comply with legal rules and regulatory requirements, thereby "having their cake and eating it too".
