The Cybersecurity Administration of China (the "CAC") has published guidelines concerning outbound data transfers of personal information and "important data" from China to other jurisdictions. Businesses must comply with these new measures and guidelines by 1 March 2023 or risk facing administrative, civil and criminal penalties.
Background
In certain situations, data protection and cyber security laws1 in China require that "data processors"2 conduct security assessments before transferring personal information3 and important data4 out of China (an "outbound data transfer").
Outbound data transfers include situations in which an entity in China actively sends data to a recipient in another jurisdiction, or permits a person or entity outside China to access data generated in the course of the data processor’s operations in China. For multinationals, this would include intragroup transfers of data (e.g. via email and file transfer protocol) and operating centralised document management systems for global operations, with servers hosted outside China.
The CAC has now published ‘Measures for Security Assessment of Outbound Data Transfers’ (the "Measures") and the ‘Guide to the Application for Security Assessment of Outbound Data Transfers (First Edition)’ (the "Guidelines"). The purpose of the Measures and the Guidelines is to explain: (i) the circumstances in which security assessments are required for outbound data transfers; and (ii) how such security assessments must be carried out. Data processors must comply with these requirements by 1 March 2023, and must have also addressed any historic non-compliance by this date.
When are Security Assessments Required?
The Measures require data processors to conduct security assessments before engaging in outbound data transfers of data in four circumstances:
- the outbound data transfer involves "important data";
- the outbound data transfer is a transfer of personal information by a critical information infrastructure operator ("CIIO");5
- the outbound data transfer is a transfer of personal information by a data processor that has processed personal information relating to 1,000,000 or more data subjects;6 or
- the outbound data transfer is: (a) a transfer of personal information by a data processor that has made outbound data transfers of personal information relating to 100,000 or more data subjects cumulatively since 1 January of the preceding year; or (b) a transfer of sensitive personal information7 relating to 10,000 or more data subjects cumulatively since 1 January of the preceding year.
The Measures further include a catch-all provision that allows the CAC to specify additional circumstances in which security assessments will be required.
Application Process for Security Assessments
The Measures require data processors to first conduct a self-assessment of their planned outbound data transfers, and prepare a self-assessment report. Once this is completed, the data processor must submit the self-assessment (along with certain additional application materials) to the CAC for review. The CAC will then make a determination regarding the contemplated transfer.
The factors that the CAC will consider when reviewing application materials include: (i) whether the data processor complies with Chinese laws, administrative regulations and departmental rules; and (ii) whether the data security protection policies, legislation and cybersecurity environment of the country in which the overseas recipient is located meet the mandatory national standards that apply in China.
If an application is approved, the approval will be valid for two years, but if any key aspects of the security assessment change post-approval, the data processor must reapply. Data processors should keep their outbound data transfers under review, and be prepared to reapply for an assessment if necessary. Should the contemplated transfer not be approved by the CAC, the data processor may request a reassessment. Any decision made by the CAC regarding a reassessment is final.
Legal Consequences
Pursuant to Article 18 of the Measures, failure to comply with the applicable requirements regarding outbound data transfers may result in administrative, civil and criminal penalties.
Grace Period
For outbound data transfer activities conducted before 1 September 2022, the Measures grant data processors a six-month grace period to remedy any non-compliance by 1 March 2023.
Comment
The key takeaways are as follows:
- Companies should assess their planned and existing outbound data transfers, and evaluate the compliance obligations they face in light of the Measures and the Guidelines, in order to determine whether they are required to conduct security assessments.
- Companies should identify and address any instances of non-compliance by 1 March 2023.
- Companies should take concrete steps to ensure that compliance and IT functions have the necessary staff, resources and mandate to conduct self-assessments and take remedial actions as appropriate.
- Companies should evaluate their data privacy policies and practices and conduct self-assessments promptly, to leave sufficient time for remediation and adjustments.
- Companies should keep an eye out for further implementing regulations or industry-specific guidance related to the Measures and the Guidelines.
1 Namely, the Cybersecurity Law ("CSL"), the Personal Information Protection Law ("PIPL") and the Data Security Law ("DSL").
2 Article 73(1) of the PIPL defines "data processor" as an organization or individual that independently determines the purposes and means of the processing and handling of personal information.
3 Per Article 4 of the PIPL, "personal information" is broadly defined as "all kinds of information relating to any identified or identifiable natural person, whether it is in electronic form or any other form, exclusive of any anonymised information".
4 Article 19 of the Measures defines "important data" as "data that, once tampered with, destroyed, leaked, illegally obtained, or illegally used, may endanger national security, economic operation, social stability, public health and safety, etc.".
5 Article 2 of the Security Protection Regulations on the Critical Information Infrastructure defines "CIIO" as "an operator of the key network facilities and information systems in important industries, which may seriously endanger national security, the national economy, people’s livelihood and public welfare once they are subject to any destruction, loss of function or data leakage. Examples of important industries include public telecommunication and information service, energy, transport, water conservancy, finance, public service, e-government and science and technology industry for national defence".
6 Absent regulatory clarifications, data processors will need to examine the entire history of their outbound data transfers and personal information processing to assess whether their activities trigger a security assessment under the Measures.
7 Article 28 of the PIPL defines "sensitive personal information" as "personal information, the leakage or illegal use of which may lead to violations of personal dignity of a natural person or harm to personal or property safety" and includes a data subject’s biometrics, religious beliefs, health data, financial metrics, travel records as well as any personal information of a minor under the age of 14.
Xue Feng (White & Case, Associate, Beijing) and Renee Phil-Agbasi, (White & Case, Trainee Solicitor, London) contributed to the development of this publication.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2023 White & Case LLP
