China Released the Long-Awaited Draft Measures of Security Assessment for Data Export: Any Clarity?

In this article, we highlight the key provisions of the Draft Measures and set out our observations on the proposed measures.

Background

Security assessment is the regime for scrutinising certain types of data export contemplated under the Cyber Security Law (CSL), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). In summary, under the laws the following types of data must be localised, the export of which will be subject to a governmental security assessment conducted by the CAC:

i. Important data and personal information collected and generated by the operators of critical information infrastructure (CII); and
ii. Personal information of processors, who process a certain amount of personal information that reaches the threshold set by the CAC.

Under the DSL, the authorities will also publish rules regulating the export of important data that is collected and generated by data processors that are not CII operators. So far, the central government has published regulations on CII (see our latest analysis here) but the sectoral regulators have yet to identify the CII operators in their respective sector. The scope of important data has not been defined either.

In 2017 and 2019, the CAC published three drafts on regulations of data export security assessment for public consultation (including one draft that was not officially made public) and a draft guidance on data export security assessment, but none has been enacted. Among the drafts, we have seen back and forth between a position that all data exports are subject to a governmental security assessment and one that only export of a designated category of data should be assessed for security by the authorities.

The Draft Measures are the first draft regulation on security assessment of data export since the promulgation of the DSL and PIPL, and is likely to be the final draft for public consultation before its official promulgation.

Key provisions and observations

I. Extended scope of data exports subject to governmental security assessment

The data that is subject export security assessment includes (i) important data that is collected and generated by the data processors in the course of their operations in China; and (ii) certain personal information. Apparently, important data collected and generated outside of China will be out of the scope. It is not clear how the term “generate” will be interpreted.

The Draft Measures further lays down more detailed scope of data that will be subject to the security assessment when being exported, which includes:

i. Personal information and important data collected and generated by CII operators;
ii. Any important data that is to be exported;
iii. Personal information of a data processor that processes personal information of 1,000,000 individuals or more;
iv. Personal information of a data processor that in aggregate exports (i) personal information of over 100,000 individuals or (ii) sensitive personal information of over 10,000 individuals; and
v. Such other information as designated by the CAC.

Compared with the principles under the CSL, DSL and PIPL as discussed above, the Draft Measures have substantially extended the scope of data exports subject to security assessment, especially in the following aspects.

i. Export of important data by a data processor that is not a CII operator now falls in the scope. The implications are that that so long as the data to be exported includes any important data, however small the amount is, the data processor must apply to the CAC for security assessment of the transfer of the important data.

ii. the CAC has added two additional thresholds to the previously anticipated threshold under the PIPL, i.e. the number of individuals whose personal information is processed by a data processor. The additional thresholds concern the amount of personal information to be exported and the sensitivity of such personal information.

It is not yet clear how to calculate the amount of personal information when determining whether a threshold has been met. For instance, does the threshold of 1,000, 000 individuals include individuals whose personal information has been processed but was later deleted? Does the threshold of cumulative 100,000 individuals mean that security assessment will not apply to export of the first 100,000 individuals’ personal information? Does the threshold of 10,000 individuals mean that only the export of sensitive personal information will be assessed?

II. A hybrid regime of self-assessment and governmental assessment

In addition to the governmental security assessment applicable to a designated range of data exports, the Draft Measures also requires all data processors to conduct a self-assessment before exporting data outside China.

Self-assessment

The Draft Measures further set out the key contents of the assessment, including:

i. The legality, legitimacy and necessity of the data export and the purpose, scope and means of the data processing by overseas recipients;
ii. The amount, scope, types, and sensitivity of the data to be exported and any risks of the export to national security, public interest, and legal interests of individuals or organisations;
iii. Whether the management and technical measures and capability of the data processors may prevent data leakage and loss at data export;
iv. Whether the undertakings and the corresponding management and technical measures and capability of the overseas recipient will ensure safety of the data export;
v. The risks of the leak, loss, unauthorised alteration or abuse of the data export and subsequent transfers, and the effectiveness of the channels for individuals to exercise their individual rights to the personal information; and
vi. Whether the contract entered into between the overseas recipient and data processors has adequately provided for the protection obligations.

Under the PIPL, personal information processors are mandated to conduct personal information protection impact assessment (PIPIA) on the export of personal information. A question arises as to whether the self-assessment conducted under the Draft Measures will automatically satisfy the requirement for a PIPIA under the PIPL.

Governmental assessment

Where a governmental security assessment is required, the data processor must submit the following materials:

i. An application letter, the form of which is not specified.;
ii. A report on the self-assessment of data export risks;
iii. The contract that the data processor and the overseas recipient propose to enter into or other documents of equivalent legal effect; and
iv. Other materials as required by the authorities.

The governmental security assessment will focus on the following aspects of the data transfer to evaluate the risks to national security, public interest and legal interests of individuals and organisations:

i. The legality, legitimacy and necessity of the purpose, scope and means of the data export;
ii. The impact of the data security protection laws and policies and cybersecurity environment of the nation or region of the overseas recipient’s domicile on data transfer security; and whether the level of data protection of the overseas recipient meets the requirements of the laws, regulations and governmental national standards;
iii. The amount, scope, types and sensitivity of the exported data and the risks of the data being leaked, unauthorised alteration, lost, destructed, diverted or illegally obtained or used during and after the export;
iv. Whether the contract entered into between the overseas recipient and data processors has adequately provided for the protection obligations;
v. Compliance with Chinese laws, regulations and ministerial rules; and
vi. Other items that the CAC considers necessary.

One of the above aspects that requires further guidance is how the CAC will determine whether the data protection level of a particular country or region is adequate. There is no indication that the CAC will publish a whitelist of countries and regions that will be considered meeting the requirements, although a whitelist will be more sensible. As such, it appears at this stage that CAC will determine the data protection level on a case-by-case basis.

Governmental assessment procedures

The CAC at central level will be responsible for conducting the governmental assessment, but the data processors must submit the application to the CAC of provincial level, which will then pass the application on to the central CAC.

The central CAC will notify the data processors in writing of whether their applications will be accepted within seven workings days of receiving the application. If the application is accepted, the central CAC will organise sectoral regulators, provincial CACs, other ministries and specialised institutions to conduct security assessment.

The central CAC is required to complete the security assessment within 45 working days of accepting the application, and has the power to extend the time period to no more than 60 working days in complicated cases. The data processors will be notified in writing of the assessment result, which will be valid for two years.

The data processors must file an application to reassess the data transfers at least 60 working days before the expiry of the assessment results, if they would like to continue the data exports. However, a reassessment will be required earlier if changes have happened to the following aspects of the export:

i. The purposes, means, scope or types of the data export or the purposes and means of the data processing by the overseas recipient, or the period of overseas storage of the personal information and important data if being extended; and
ii. The legal environment of the country or region of the overseas recipient’s domicile, the actual control of the data processor or overseas recipient, or the contract between the data processor or overseas recipient which may affect data security; and
iii. Other situations that may affect security of data export.
With the expanded scope of data export subject to governmental security assessment, one concern of the companies is whether the CAC is capable of handling the growing number of applications effectively and complete the assessment within the statutory time frame.
We would assume that the CAC will start to process data export applications before the measures take effect, then question is whether companies will be permitted to export data while their application is being reviewed. If the backlog of applications results in a failure of the CAC to complete security assessments before the measures take effect, the CAC should clarify whether a company should be held liable if it continues to export data outside of China.

III. The data export contract

Both the governmental assessment and the self-assessment have put a great emphasis on the data export contract to be entered into between the data processor and the overseas recipient. In particular, the Draft Measures have set out the mandatory contents for such contracts, which include:

i. The purpose, means and scope of the data export and the use and means of the data processing by the overseas recipient;
ii. The location and period of the overseas storage of the data and the processing measures upon the expiry of the storage period, fulfilment of the processing purpose and termination of the contract;
iii. Provisions restricting the overseas recipient from transferring the data to other organisations individuals;
iv. Security measures to be taken upon the material change of the actual control or business scope of the overseas recipient or changes to the legal environment of the country or region of the overseas recipient’s domicile which renders it difficult to ensure data security;
v. Liability for beaching data security obligations and binding and enforceable dispute resolutions clauses; and
vi. Remedial measures to be taken in the event of a data breach and the obligations to ensure effective channel for individuals to exercise their rights.

Interestingly, the PIPL provides that personal information processors may adopt a “standard contract” on personal information export which will be published by the CAC. It is unclear whether signing such standard contract will automatically satisfy the above requirements. Apparently, for export of important data, the data processor and overseas recipient will need to sign a contract prepared by the parties in the absence of a standard contract.

The Draft Measures also require the contract to restrict subsequent transfers after the data export, but do not specify what the restrictions will be. It is likely that the overseas recipient will need to sign a contract with any transferee, but it remains to be a question as to whether a contract will be considered adequate.

Our recommendations

If the Draft Measures are enacted as it is, then companies should first assess or re-assess their data inventory and determine whether their processing and exporting activities will trigger the security assessment. The extended scope means that more companies will now be subject to the governmental security assessment.

The Draft Measures require all data exporters to conduct a self-assessment. The CAC has not published any more specific guidance, but companies should start to conduct an initial assessment on the key aspects of their data exports in order to evaluate whether there will be any issue preventing their data exports from passing such assessment.

Besides, data processors should be prepared to enter into a contract with their overseas data recipient, including gathering a list of overseas recipients and start notifying them of the requirement for entering into a data export contract with them.

Unlike the previous drafts, we expect that the Draft Measures will be finalised and promulgated in the next a few months. Companies are advised to take actions as soon as possible for compliance with the requirements. A violation of the data export regulation may give rise to administrative penalties under the laws and even criminal liabilities.