Authored by: Edwarde Webre and Minning Wei
The Cyberspace Administration of China (“CAC”) promulgated the Measures for the Security Assessment of Outbound Data (the “Measures”) on 7 July 2022, which will come into effect on 1 September 2022. Compared to the third draft of the Measures (the “Draft”) released in October 2021, the provisions under the Measures are more specific and developed and can be more practicably applied.
Scope of application
The Measures are applicable to the security assessment of important data and personal information (“PI”) collected/generated in domestic operations within China that are transferred abroad by a data processor. “Important data” is defined broadly to be “the data that may endanger national security, economic operation, social stability, public health and security, etc. once they are tampered with, damaged, disclosed, illegally obtained or illegally used, etc.”
Risk self-assessment
The Draft required a data processor to conduct a risk self-assessment before transferring any data abroad, which has been revised under the Measures to provide that a risk self-assessment shall be conducted before a data processor applies to the CAC for a security assessment of the outbound data. The Measures do not clarify whether data processors that are not required to apply for the security assessment need to conduct a risk self-assessment. To be prudent, it is advisable that all the data processors in Mainland China conduct a risk self-assessment in accordance with the Measures before they transfer the data abroad, regardless of whether a security assessment is required.
With regard to the key risk self-assessment items under the Draft, the item of “whether the management, technical measures and capabilities of the data processor in the data transfer link can prevent data leakage, damage and other risks” has been deleted. A general miscellaneous provision that “any other item(s) that may affect the security of outbound data” is added instead. “The relevant contract(s) for the outbound data concluded with the overseas recipient(s)” under the Draft has been expanded to “contracts or other documents with legal effect”. The key assessment items of risk self-assessment are as follows:-
The specific requirements of the Legal Document(s) to be concluded with the overseas recipient(s) under the Measures are similar to the relevant contracts required under the Draft subject to some adjustment.
Security assessment of outbound data by the CAC
The circumstances that will trigger the CAC’s security assessment are revised in the Measures. A data processor shall apply to the CAC for security assessment of outbound data through the provincial cyberspace administration where it is located in any of the following circumstances:-
The procedures of the security assessment by CAC are specified under the Measures:-
It is worth noting that the Draft provision limiting the CAC’s review extension to “no longer than 60 working days in general” has been deleted. As such, the data processor may need to reserve more time for the security assessment in practice.
A new article regarding re-assessment has been inserted into the Measures, providing that if a data processor has any objection to the assessment result of the CAC, it may apply for a re-assessment to the CAC within 15 working days upon the receipt of the assessment result. The result of the re-assessment shall be final.
Under the Measures, the effective term of the security assessment is 2 years starting from the date of the issuance of the assessment result. Compared with the Draft, the circumstances under which a re-assessment needs to be made have been adjusted in the following two aspects:-
The requirement that “data outbound activities shall cease if the re-assessment has not been done as legally required” which appeared in the Draft has been deleted. Instead, the Measures provide that “where the CAC finds that the security of any outbound data which has passed the assessment no longer meets the security management requirements in the actual process, it shall notify the data processor in writing to terminate the outbound data activities. The data processor concerned shall make rectification as required and complete the re-assessment if it intends to continue its outbound data activities.” Therefore, if a data processor encounters any circumstances that require re-assessment, it is advisable for it to apply for re-assessment as soon as possible to avoid any adverse impact on the data outbound activities.
Suggestions
The Measures will come into effect on 1 September 2022. Any data outbound activity carried out before the Measures take effect that is not in compliance with the Measures shall be rectified within 6 months upon the effective date, i.e., by 28 February 2023. Data processors in China shall review and adjust their data outbound activities as required by the Measures and take necessary actions for compliance within the stipulated time.
Further, data processors shall keep a close eye on the implementation and interpretation of the Measures by the CAC afterwards and update their risk self-assessments periodically for continuous compliance.