Measures for the Security Assessment of Outbound Data Transfers
On July 7th, 2022, the Cyberspace Administration of China (hereinafter referred to as the “CAC”) issued the Measures for the Security Assessment of Outbound Data Transfers (hereinafter referred to as the “Assessment Measures”). Together with the Three Major Laws, namely the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, as well as other relevant laws and regulations, the Assessment Measures form part of the robust legal system China has built for governance and data protection in its cyberspace.
The Assessment Measures further regulate outbound data transfer activities, clarify specific provisions on data outbound security assessment, and put forward principles such as combining prior assessment with continuous supervision, and risk self-assessment with security assessment.
We have selected the following topics from the perspective of enterprises for further discussion:
What is Considered an “Outbound Data Transfer”?
The Measures apply to the security assessment of a data processor's provision, to recipients abroad, of important data and personal information collected and generated during operations within the territory of the People’s Republic of China. In response to a reporter’s question on the Measures, the CAC further clarified that the Outbound Data Transfer activities referred to in the Measures mainly include the following:
1) The data processor transfers and stores abroad the data collected and generated in the course of domestic operations.
2) The data collected and generated by data processors is stored in China, and can be accessed by institutions, organizations or individuals outside of the country.
In summary, an activity constitutes an “Outbound Data Transfer” regulated by the Assessment Measures when the following elements are met:
1) Data Type: Important data or personal information collected and generated in domestic operations;
2) Outbound Method: Provided overseas, whether by physical transfer across the border or by remote access;
3) Definition of Overseas: Any country or region outside the mainland area of the People’s Republic of China; Hong Kong, Macao and Taiwan are treated as overseas for this purpose; and
4) Parties carrying out Outbound Data Transfer Activities: Both the data transfer provider and the data receiver.
What Are the Circumstances Under Which the “Data Outbound Security Assessment” is Triggered?
The circumstances under which an export of data must be reported to the competent authorities for assessment have become the key issue of the Outbound Data Transfer rules, which have made many attempts to clarify the trigger conditions for an Outbound Data Transfer security assessment. The Assessment Measures integrate and echo the relevant rules in the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, and finally establish four trigger conditions from the perspectives of data type, subject type and data scale, among others:
1) The outbound data contains important data, regardless of whether the data processor constitutes a critical information infrastructure operator (“CIIO”);
2) The data processor constitutes a special subject: The data processor is a CIIO and provides personal information overseas;
3) The amount of data processed by the data processor exceeds the threshold:
a. Processing the personal information of more than 1 million people;
b. Since January 1st of the previous year, the personal information of more than 100,000 people or the sensitive personal information of 10,000 people has been provided overseas;
4) Other circumstances, as provided by the State Internet Information Department, in which a data export security assessment must be declared.
How to Identify a Critical Information Infrastructure Operator (CIIO)?
According to Article 2 of the Regulations on the Security Protection of Critical Information Infrastructure promulgated in 2021, critical information infrastructure refers to important network facilities, information systems, etc. in important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services, e-government, and the national defense science and technology industry, as well as other important network facilities, information systems, etc. that, once destroyed, disabled or subject to data leakage, may seriously endanger national security, the national economy and people’s livelihood, and public interests.
In accordance with Article 10 of the Customs Regulations, the protection work department is responsible for organizing the identification of critical information infrastructures in the industry and field in accordance with the identification rules formulated by it and notifying the operator of the results of the determination. Based on these provisions, once an enterprise is identified as a CIIO, it will receive a notification from the relevant authorities.
It can be understood that, if an enterprise has not received a notice from the competent authority identifying it as a CIIO, the enterprise may consider itself a non-CIIO for the time being. However, it is believed that, as relevant regulations are introduced, the identification rules will be further improved and clarified.
Compliance Recommendations
According to Article 20, the Assessment Measures become effective from September 1st, 2022. Their entry into force provides enterprises with an implementation path for handling security assessments of Outbound Data Transfers, and such security assessments will be officially implemented.
Enterprises that fall within the four types of situations in these Measures requiring a security assessment declaration, and that have Outbound Data Transfer needs, shall sort out their data situation as soon as possible, entrust professional institutions or conduct self-assessments on their own, sign legal documents such as data export contracts that meet the requirements with overseas recipients, and submit security assessment declarations as soon as possible.
Although the Assessment Measures give a grace period of six months, a self-assessment might be needed first, and the self-assessment, rectification, and modification of self-assessment reports may be time-consuming. It is therefore recommended that enterprises carry out the relevant work as soon as possible and actively adjust their Outbound Data Transfer business framework, ensuring that business is conducted in compliance with the laws and regulations.
We at D’Andrea & Partners Legal Counsel constantly monitor the latest developments in the Chinese market. If you would like more information on this issue, feel free to contact us: info@dandreapartners.com