On October 29, 2021, the Cyberspace Administration of China (“CAC“) published the “Draft Measures on Security Assessment of Cross-Border Data Transfer” (“Draft Measures“) for public comment, which outlines the requirements for security assessments on cross-border data transfers. The CAC had released previous draft measures specifying the “Security Assessment” requirements and procedures formulated based on the Cybersecurity Law that had come into effect in 2017. However, the latest Draft Measures further refine the implementation of the “Security Assessment” requirements in line with the recently promulgated Data Security Law and Personal Information Protection Law. Once the latest Draft Measures are approved, they will replace all previous draft measures relating to security assessments of cross-border data transfers.
Security assessment criteria under the Draft Measures
The Draft Measures specify that any of the circumstances below will require a CAC-led security assessment before any cross-border data transfers out of China can occur:
- Transfer of personal information and important data collected and generated by operators of critical information infrastructure (important network facilities and information systems which, in case of destruction, may result in serious damages to national security, people’s livelihood and public interests);
- Transfer of important data (which, when disclosed, may affect national security, economic security, social stability, or public health, safety, and interest);
- Transfer of personal information by a data processor who processes one million or more individuals’ personal information;
- Cumulative transfer of personal information of 100,000 or more individuals or sensitive personal information (defined by Personal Information Protection Law) of 10,000 or more individuals; or
- Other circumstances to be specified by the CAC.
It is worth noting that even if the criteria outlined above for the Draft Measures are not met, data processors are still required to conduct a self-assessment for any cross-border data transfer. The self-assessment must consider the following factors, including – but not limited to – the legality, legitimacy, and necessity of any such transfer; and risk prevention related to the data privacy rights incorporated in the Personal Information Protection Law. The Draft Measures also specify the application checklist and schedule for CAC-led security assessments. Additionally, CAC-led security assessments results would be valid for two years.
The Draft Measures are expected to significantly impact the business operations of multinationals in China, including the global management of data of both customers and employees. We recommend multinationals take the following measures regarding any cross-border data transfer practices in advance of the Draft Measures being approved:
- Reviewing and assessing the current practice of cross-border data transfers;
- Undertaking consultation with relevant authorities if necessary – and updating – the current policies relating to data and personal information for compliance purposes;
- Establishing a standardized anonymization/de-identification mechanism to process personal data and information prior to any cross-border transfers, in order to avoid triggering a CAC-led security assessment, to the extent permitted by law;
- Preparing a backup of local (Chinese) data storage facility (either electronic or paper) in case the normal storage facility that is subject to a CAC-led security assessment fails to receive approval for a cross-border transfer; and
- Delivering training for employees and advance notices to customers about legal requirements and procedures of cross-border data transfers as a means of risk prevention.
Following the release of the Draft Measures, representatives from many industries in China have expressed concerns relating to the data and personal information security of their customers and employees. The Draft Measures clarify the process for security assessments for cross-border data transfers to both data and personal information providers and processors. This is another step forward in improving and integrating data and personal information related laws and regulations following the promulgation of Cyber Security Law, Data Security Law, and Personal Information Protection Law. Considering China is eager to safeguard its data sovereignty, the final version of the Draft Measures is expected to be released and effective soon.
Additionally, China has indicated interest in participating regional interoperability systems such as the APEC Cross-Border Privacy Rules system. This system is based on an “Accountability Agent” certifying compliance with a set of privacy program requirements. This certification can be used to place a business in “deemed compliance” with any local privacy laws of participating economies. Businesses should keep an eye on how CAC and the related ministries move in engaging with these regional cross-border systems. If China were to participate, there could be added clarity in what the requirements are for legal cross-border transfers in China.