Learn more about our comprehensive legal services.
Advising our clients on different opportunities and challenges of the industry.
News & Insights
From 29 October to 28 November 2021, the Cyberspace Administration of China (CAC) is seeking public comments on the Measures for the Security Assessment of Outbound Data (Draft). This third draft has been formulated on the basis of China’s Cybersecurity Law (CSL), Data Security Law (DSL, effective as of 1 September 2021) and Personal Information Protection Law (PIPL, effective as of 1 November 2021), whereas the previous two drafts circulated in 2017 and 2019 were primarily based on the CSL. It is expected that this Draft will be enacted soon and probably take effect in early 2022.
Scope of application
The Draft intends to regulate the outbound transfer of (including cross-border assess to) important data and/or personal information (PI) collected/generated in domestic operations within China. Thus it shall not be applicable to offshore/overseas entities directly collecting personal information from individuals in China. For clarity, “offshore/overseas” herein shall include Hong Kong, Macau and Taiwan, in addition to the foreign countries (regions).
There is no unified definition of important data under the current legislation in China. The DSL has delegated authority to the local governments and various government departments to make specific catalogues of important data for their respective regions and for relevant industries and fields. For instance, the CAC, the NDRC (National Development and Reform Commission), the MIIT (Ministry of Industry and Information Technology), the MPS (Ministry of Public Security) and the MOT (Ministry of Transport) jointly issued the Several Provisions on Automotive Data Security Management (for Trial Implementation), which became effective on 1 October 2021, to define the important data (involved in the design, manufacturing, sales, use, operation and maintenance of automobiles) as the data that may endanger national security, public interests or the legitimate rights and interests of individuals or organisations once they are tampered with, damaged, disclosed, illegally obtained or illegally used, and elaborates on the specific types of the same.
The security assessment requirement was initially introduced in the CSL against the critical information infrastructure (CII) operators only. Now the Draft has extended the security assessment obligation to all data processors, and provides two types of security assessment to be undertaken before providing data from China to overseas.
All data processors shall conduct a risk self-assessment before providing any data abroad (which may include offshore mirror / remote access, intra-group sharing staff information, outbound transfer of personal information after de-identification etc.). The term “data processor” is not defined in the Draft or current legislation in China. By reference of the DSL, the term “Data” refers to any recording of information by electronic or other means; and “Data Processing” includes the collection, storage, use, processing, transmission, availability and disclosure of data, etc. Accordingly, the outbound data concerned could be any type of data including but not limited to the personal information, non-personal information, and a company’s business data.
The risk self-assessment shall focus on:
Note that the contract(s) between a data processor and overseas recipient(s) in item (6) above does not need to be the standard form formulated by the CAC as mentioned in the PIPL, however shall include but not be limited to the following:
The security assessment by CAC will be triggered in any of the following circumstances:
To apply for the security assessment, the risk self-assessment report and contact(s) between the applicant/data processor and overseas recipient(s), among others, shall be submitted to the CAC. Within 7 working days from the receipt of an application for security assessment, the CAC shall confirm in writing if the application is acceptable. In the subsequent 45-60 working days, the CAC shall complete the security assessment, and inform the applicant in writing of the assessment result which shall be valid for 2 years. For continuous outbound transfer of data, application for assessment shall be made again no later than 60 working dates prior to the expiration of the prior assessment. During the 2-year valid period, reassessment shall be required if:
Data outbound activities shall cease if the reassessment has not been done as legally required. Where the CAC finds that any outbound data which has passed the assessment no longer meets the security management requirements in the actual process, it shall revoke the assessment result and notify the data processor in writing of the same. The data processor concerned shall then terminate the outbound data activities before making rectification and passing the reassessment.
Any entity or individual who is aware of that any data processor provides data abroad without an assessment may report or complain to the CAC office at provincial level or above.
The Draft does not provide specific sanctions against the violation, and simply refers to relevant penalties under the CSL, DSL and PIPL, which means that penalty up to RMB50 million (or 5% of turnover in the preceding year whichever is higher) may be imposed for illegal outbound transfer of personal information, and/or penalty up to RMB 10 million may be imposed for illegal outbound transfer of important data, as the case may be.
It is advisable for the subsidiaries of multinationals to review the type and quantity of its outbound data, and take actions necessary for legally transfer data abroad from China, for instance:
For tailored measures and practical advices on legal compliance, please contact us.
Subscribe to Publications
Sign up for our regular updates covering the latest legal developments, regulations and case law.
For media enquiries, please contact:
Marketing and Communications Department
Tel: +852 2825 9211