On 7 July 2022, the Cyberspace Administration of China (“CAC”) released the Measures of Security Assessment for Data Export (“Measures”), which will take effect on 1 September 2022. Data processors are allowed six months to complete any rectification required for compliance with the Measures.
In this article, we highlight the key provisions of the Measures and set out our observations and recommendations.
Security assessment (“Security Assessment”) is the regime under which the CAC will scrutinise certain types of data export as required by the Cyber Security Law (“CSL”), Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”). In summary, under these laws the following types of data must be stored locally in China, and their export will be subject to the Security Assessment:
Under the DSL, the authorities will also publish rules regulating the export of important data that is collected and generated in China and exported by data processors that are not CII operators. So far, the central government has published regulations on CII (for our comments on the regulation, please click here), but the sectoral regulators have yet to publish any list of the CII operators in their respective sectors. The scope of important data has not been defined either.
In 2017 and 2019, the CAC released three draft regulations on data export security assessment (including one draft that was not officially made public) and a draft guidance on data export security assessment, but none has been enacted. Among the drafts, we have seen a back and forth between a position that all data exports are subject to a governmental security assessment and one that only the export of specified categories of data should be assessed for security by the authorities.
In October 2021, the CAC released the draft Measures for public consultation after the PIPL and DSL were promulgated earlier that year (for our comments on the draft Measures, please click here). The final Measures retain most of the requirements under the draft Measures and make some important changes that seek to address the comments from the public.
Under the Measures, the Security Assessment applies to “export by the data processors of important data and personal information that is collected and generated in the course of operations in the territory of China”. Apparently, export of important data and personal information collected or generated outside of China will be out of the scope.
It is not clear how the term “generate” will be interpreted, which seems to refer to an artificial process of creating certain information that did not exist or was not recorded. Further clarification from the CAC will be helpful in determining whether a particular type of data will be considered being “generated” in China or which party generated the data. For instance, if certain important data is created through cooperation between both Chinese and foreign entities, in which country should such data be considered “generated” and which party generated the data?
In addition, the term “data processor” is not defined in the Measures or in the DSL, CSL or PIPL. In the draft Administrative Rules of Network Data Security released by the CAC in November 2021, “data processor” is defined as the individual or organisation that independently determines the purpose and means of data processing activities. If this is also the definition adopted by the Measures, it may exclude those processing important data or personal information on behalf of data processors (“Entrusted Parties”) and may therefore also exclude from the scope of the Security Assessment exports from Entrusted Parties in China to overseas data processors.
Also notably, the Measures do not specify whether the Security Assessment applies to export by a data processor of important data and personal information that are collected and generated by others in their operation process in China. The wording seems to suggest that such important data and personal information are generated and collected by the data processor that exports such data but falls short of making it clear. However, if this is the case, then a loophole may exist if a data exporter exports important data and personal information that is collected or generated by other data processors.
Whilst the DSL does not define important data, the Measures define important data as data that may harm national security, the economy, social stability, and public health and safety if it is altered without authorisation, destroyed, leaked or illegally acquired or used. We note that the detailed scope of important data has yet to be determined by sectoral regulators.
The Measures further lay down detailed scenarios where the Security Assessment applies to data export, which include:
Export of important data by a data processor that is not a CII operator now falls within the scope of the Security Assessment, which is an expansion of the position taken by the CSL and DSL that the Security Assessment applies to export of important data by CII operators. The implication is that so long as the data to be exported includes any important data, however small the amount, the data processor must apply to the CAC for the Security Assessment.
On the other hand, in relation to personal information export, the Security Assessment will apply not only to CII operators but also to a data processor that processes personal information of 1,000,000 individuals or more. This is in line with the CSL and the PIPL, which require a CII operator to apply for the Security Assessment for any export of personal information.
The Measures also set thresholds on the amount of personal information to be exported and try to clarify how to calculate the amount of personal information being exported by a data processor by adding a starting date. This means that the exported amount will be calculated for a period of up to two years starting from 1 January of the last calendar year on a rolling basis. Data processors should establish a real-time monitoring mechanism to check the amount of personal information being exported. The calculation will restart each year on 1 January.
However, such wording may still give rise to dilemmas and impracticality for data processors in practice. For instance, if the amount of exported personal information reaches the Thresholds in the last few months of the second year, they may not have enough time to complete the Security Assessment process, and from 1 January of the next year the calculation will restart. In this scenario, should they stop exporting personal information, wait until 1 January of the next year, and then continue exporting personal information if the Thresholds are not triggered in the third year?
The key question here is whether the data processors need to stop exporting personal information and apply for the Security Assessment once the exports meet the Thresholds. Based on the provisions of the PIPL and the Measures, the answer seems to be yes, which could be a challenge to business continuity and disrupt operation of normal business functions. The implications for data processors are that they should have a clear vision as to whether and when their processing activities will reach any of the Thresholds. If there is a reasonable possibility that the amount being processed or exported will reach one of the Thresholds in the foreseeable future, the data processors should embark on localising the personal information and be prepared to apply for the Security Assessment once they hit the Threshold.
Before applying for the Security Assessment, the data processors must first conduct a self-assessment. The Measures further set out the key contents of the assessment, including:
Under the PIPL, personal information processors are mandated to conduct personal information protection impact assessment (“PIPIA”) on the export of personal information. A question arises as to whether a PIPIA under the PIPL will automatically satisfy the requirement for the self-assessment conducted under the Measures. In the absence of clear guidance or prohibition, the data processors may be able to combine the PIPIA and the self-assessment in a single exercise, if they need to apply for the Security Assessment.
Where the Security Assessment is required, the data processor must submit the following materials:
The Security Assessment will focus on the following aspects of the data export to evaluate the risks to national security, public interest and legal interests of individuals and organisations:
One of the above aspects that requires further guidance is how the CAC will determine whether the data protection level of a particular country or region is adequate. There is no indication that the CAC will publish a whitelist of countries and regions that will be considered meeting the requirements, although a whitelist will be more sensible considering that the data processors may not all be capable of making that assessment. As such, it appears at this stage that the CAC will determine the data protection level on a case-by-case basis.
The CAC at central level will be responsible for conducting the governmental assessment. The data processors must submit the application to the provincial-level CAC, which will have five business days to review the completeness of the application materials before passing the application on to the central CAC. Incomplete applications will be returned to the applicants, who will also be notified of the supplemental materials that should be provided.
The central CAC will determine and notify the data processors in writing of whether their applications will be accepted within seven working days of receiving the application. If the application is accepted, the central CAC will organise provincial CACs, governmental ministries and specialised institutions to conduct the Security Assessment.
The central CAC is required to complete the security assessment within 45 working days of accepting the application and has the power to extend the time period in complicated cases or where supplemental or corrected materials need to be provided, after notifying the applicants of the extended period. The data processors will be notified in writing of the assessment result, which will be valid for two years from the date of issuance of the result. Notably, the Measures remove the 60 business days’ limit on the maximum time period in complicated or prolonged cases, and the whole process could now take 57 business days or more.
If a data processor is not satisfied with the decision of the CAC, the data processor may apply for a reassessment within 15 business days of receiving the decision.
The data processors must file an application to reassess the data transfers at least 60 working days before the expiry of the assessment results, if they would like to continue the data exports. However, a reassessment will be required earlier in the following circumstances:
The Measures include “force majeure events” as one of the circumstances where a reassessment is required but do not provide any further guidance as to how to determine that a force majeure event has happened. We note that force majeure is a contract law concept, and under the Civil Code parties to a contract are allowed to be exempted from performing some or all of their obligations if continued performance has been rendered impossible. However, it is unclear how this civil law concept will be interpreted in the context of administrative regulations in the absence of a contract between the applicant and the CAC.
The CAC may have contemplated that the reassessment should apply if a force majeure event has rendered impossible the performance of the Legal Document between the data processors and the overseas recipients. Whilst the reasoning may be a valid one, the current wording does not provide any express support for such an interpretation, except that the Legal Document must provide for the security measures that the overseas recipient should take in the case of a force majeure event.
Another interpretation is that any unforeseeable, unavoidable and insuperable events happening in the foreign country or region may have made it impossible to maintain protection of the data at the expected level. If this is the case, the regulation should have given more guidance as to what will be considered a force majeure event and in what circumstances such a force majeure event will require a reassessment; in the absence of such guidance, data processors will need to make their own evaluation, which will be difficult.
Both the Security Assessment and the self-assessment have put a great emphasis on the Legal Document to be entered into between the data processors and the overseas recipients. In particular, the Measures have set out the mandatory contents for such contracts, which include:
Interestingly, the PIPL provides that personal information processors may adopt a “standard contract” on personal information export, and the CAC released the draft standard contract on 30 June this year. It is unclear whether signing the standard contract will automatically satisfy the above requirements. Apparently, for export of important data, the data processor and overseas recipient will need to sign a contract prepared by the parties in the absence of a standard contract.
The Measures also require the Legal Document to restrict subsequent transfers after the data export but do not specify what the restrictions will be. It is likely that the overseas recipients will need to sign a contract with transferees to impose certain data protection obligations on the transferees, but it remains a question as to whether signing a contract will be considered adequate.
The Measures require all data processors to complete rectification and comply with the requirements for data export thereunder within six months (“Grace Period”) of the Measures taking effect on 1 September 2022.
However, the Measures do not specify the criteria by which a data processor will be considered to have achieved compliance. In particular, does it mean that data processors subject to the Security Assessment must obtain a decision from the CAC before the end of the Grace Period? If so, the timeframe for remediation actions by the data processors and the Security Assessment process would be extremely tight. The CAC should be prepared to receive and process a large volume of applications for the Security Assessment in the next few months and consider whether the backlog of applications could result in a failure of the CAC to complete the Security Assessments before the end of the Grace Period.
It is also possible that compliance with the Measures is determined by whether the data processors have filed an application for the Security Assessment by the end of the Grace Period, which seems to be a more reasonable approach. Either way, the CAC should clarify whether a data processor should be held liable for violating the Measures, if it continues to export data while waiting for the decision of the CAC.
In addition, for data processors of important data, the timeline would appear even more challenging given that the scope of important data is not clear. Even if the CAC and sectoral regulators can provide detailed guidance for identifying important data in the next few months, the data processors will have an even shorter timeframe to complete the remediation and application process.
With the tight timeframe for compliance with the Measures, data processors should start to take actions immediately. We would recommend that data processors in China take the following actions:
Despite the ambiguities and issues that could prove to be problematic in implementation, the Security Assessment has now become an enforceable requirement for certain data processors in China. The Measures have provided for a short Grace Period, and therefore data processors affected by the Measures should take immediate actions to ensure compliance.