The Cyberspace Administration of China (the "CAC") released the Measures for Security Assessment of Data Export on 7 July 2022 (the "Measures 2022"), which will come into effect on 1 September 2022.
The regime governing data exports in China is ever-evolving. Since 2017, the CAC has successively released 'the Measures for Security Assessment of Transferring Personal Information and Critical Data Overseas (Draft)' (the "Measures 2017"), 'the Measures for Security Assessment of Transferring Personal Information Overseas (Draft)' (the "Measures 2019") and 'the Measures for Security Assessment of Data Export (Draft)' (the "Measures 2021"). Now the Measures 2022 is to be enacted. In this latest article, we introduce the highlights of the Measures 2022, with some comparisons to the Measures 2017, the Measures 2019, and the Measures 2021.
Highlights of the Measures 2022
Clarifying the definition of data export
The Measures 2022 is the first instance in which the CAC has clarified the scope of data export, including:
- whether a data handler exports or stores the data it collected and created from its operation within China; and
- whether a data handler stores the data it collected and created within China but foreign institutions, organisations or individuals have access to or are able to use such data.
Unifying the regulations on personal information and critical data
As mentioned above, the CAC vacillated over whether to regulate the export of personal information and critical data separately or collectively.
In the Measures 2022, the CAC finally confirms that the export of critical data and personal information should be regulated together since they share similar procedural rules. As a result, the Measures 2022 is enacted under both the Data Security Law (the "DSL") and the Personal Information Protection Law (the "PIPL"), and supplements them with substantive and procedural rules for the security assessment.
Despite the conceptual overlap between personal information and critical data, the CAC still distinguishes between the legal interests attached to each. Article 1 of the Measures 2022 stipulates that the regulation is to protect personal information rights and interests, which echoes the PIPL, and to protect national security and social and public interests, which responds to the critical data protection under the DSL. (Read our insight on China's new DSL).
Specifying the thresholds of conducting the security assessment
In the Measures 2017, the triggers for conducting the security assessment included "exporting personal information of 500,000 data subjects" and "data volume exceeding 1,000 GB", whilst the Measures 2019 stipulated only that any network operator exporting personal information shall undergo the security assessment. The Measures 2021 and 2022, however, revised the triggers and gave up the data volume threshold, focusing instead on the number of data subjects whose personal information is involved and on the criticality of the data, which echoes the subject matter of the PIPL and the DSL.
Therefore, in the final version, Article 4 of the Measures 2022 stipulates four circumstances in which a data handler shall apply to the national CAC, via the provincial CAC, for the security assessment, namely if it:
- exports critical data;
- is a Critical Information Infrastructure Operator (CIIO);
- handles personal information of more than 1,000,000 data subjects;
- since 1 January of the previous year:
  - has provided personal information of 100,000 data subjects in aggregate; or
  - has provided sensitive personal information of 10,000 data subjects in aggregate; or
- falls into other circumstances as stipulated by the national CAC.
Providing detailed substantive and procedural rules for applying for assessments
The Measures 2022 requires a data handler that reaches the above thresholds to first carry out a self-assessment of the data it intends to export. The issues to be dealt with in the self-assessment include, to name but a few, (a) the legality and necessity of the purpose, scope, and approach of the data export, (b) the risks to national security and individuals' interests, (c) whether the overseas recipient is capable of performing its legal obligations, such as protecting the data being exported, and (d) whether the data exporter and the recipient have entered into any legally binding documents (the "Legal Document") to stipulate the obligations of data protection.
The Measures 2022 clarify that the Legal Document includes a contract or other documents executed with the overseas recipient. In another article, we discussed the standard contractual clauses (the "SCC") that the CAC released on 30 June 2022 for comment. (See our 'Briefing on the new draft legislation on exporting data out of China').
Although the Measures 2022 do not expressly state that the parties shall use the SCC as a template for the contract of exporting data, we believe the SCC could be regarded as a reliable reference to consider as the SCC reflects, at least, the rationale of the CAC in terms of regulating data exports.
After the self-assessment is completed, the report of self-assessment and the Legal Documents will be integrated into the set of submission documentation for security assessment, with the rest being an application form and other materials as required by the CAC.
The submission for the security assessment will first be checked by the provincial CAC to make sure no document is missing, and then submitted to the national CAC. The national CAC will decide whether to accept the application and notify the applicant within five working days. If accepted, the national CAC shall complete the security assessment within 45 working days upon notice. The security assessment is valid for two years from the date of issuing the assessment result to the applicant.
It is worthwhile to note that should there be any change in the purpose, approach, scope, etc., or any change in the legal environment of the recipient's jurisdiction, the data handler shall re-apply for the security assessment.
Granting a grace period of six months
The Measures 2022 provide a six-month grace period from the effective date, which will end on 28 February 2023.
Despite the grace period mentioned above, we note that the administrative procedure is quite time-consuming, and failing to complete it in time will result in a potential interruption to business. On the one hand, it will take 57 working days from submission to completion, which is equivalent to approximately three months, so data handlers may miss the deadline of the grace period, not to mention the time spent preparing the submission documentation; on the other hand, the CAC can, at its own discretion, further extend the period for completing its review of the submission where applicable. It is advisable to prepare as soon as possible and to consider the following items:
- reviewing the data to be exported, especially the scope, types, sensitivity and purpose of export;
- evaluating the legal pathway to export data, for example, whether to proceed with security assessment or to sign the standard contractual clauses with the recipient;
- conducting the self-assessment as it is the pre-condition of each pathway to export personal information; and
- negotiating the Legal Documents with the overseas recipient and engaging qualified legal counsel to prepare the documents.
Our lawyers are here to help answer queries in this regard. To discuss the article and what the latest measures could mean for your business, please speak to Le Rong and Nelson Tian.