The Cyberspace Administration of China (“CAC”) on October 29, 2021 published the draft Measures on Security Assessment of Cross-Border Data Transfer (“Draft Measures”) for comment through November 28, 2021.[1] The Draft Measures are formulated based on the Cybersecurity Law (“CSL”), Data Security Law (“DSL”), Personal Information Protection Law (“PIPL”) and related regulations. Before the Draft Measures were published, several draft measures and national standards had already focused on regulating cross-border data transfer.[2] The Draft Measures, once formally promulgated, are likely to replace these previously published draft measures and may set the foundation for additional national standards in this regard.
The Draft Measures specify (I) who is subject to a CAC-led security assessment of cross-border data transfer; (II) the focus of the security assessment; and (III) the government review procedure.
(I) Who is subject to a CAC-led security assessment of cross-border data transfer
The Draft Measures require data processors to conduct a security assessment before transferring overseas “important data”[3] and personal information (“PI”) collected and produced in China (Article 2). The security assessment for processors of important data or PI may entail both an internal risk assessment and a government-led security assessment (Article 3), as explained below. “Overseas” appears to refer to geography rather than nationality, so transfer to foreign persons or foreign-invested enterprises in China would not constitute an overseas transfer, at least without knowledge that the transferee intended to transfer such data or information overseas.
Article 4 of the Draft Measures imposes a CAC-led security assessment requirement based on the type of data processor (a. Critical Information Infrastructure Operator (“CIIO”), b. massive PI processor, or c. other data processor) and the type of data (i. important data, or ii. PI meeting any of several quantitative thresholds). The Draft Measures for the first time clarify the threshold for designation as a massive PI processor (PI processor which processes PI of one million or more individuals) and the threshold for PI subject to security assessment (cross-border transfer of PI of 100,000 or more individuals or sensitive PI of 10,000 or more individuals). These thresholds are not high in a country as populous as China.
CIIOs and massive PI processors are required to apply for a CAC-led security assessment whenever they transfer overseas important data or PI (no threshold requirement). Data processors other than CIIOs and massive PI processors need to apply for such security assessment only when transferring overseas important data or PI meeting a quantitative threshold, and do not need to do so when transferring overseas PI that does not meet the relevant threshold. Such other data processors do not need to apply for a security assessment when transferring overseas data that is not important data or PI, unless such transfer would otherwise implicate national security or the public interest.
More specifically, in accordance with the Draft Measures, when transferring data overseas, data processors would be required to apply to the CAC, through the provincial cyberspace administration, for a security assessment of the cross-border data transfer under any of the following circumstances (Article 4), after first conducting an internal risk assessment (Article 5):
- The data is PI or important data collected and generated by a CIIO;[4]
- The underlying data includes important data;[5]
- A PI processor that processes the PI of one million or more individuals provides PI overseas;[6]
- The cumulative transfer covers the PI of 100,000 or more individuals or the sensitive PI of 10,000 or more individuals; or
- As a catch-all, any other circumstances under which the CAC requires a security assessment for cross-border data transfer.
Data processors that do not fall under the categories set forth in Article 4, and are therefore not subject to a CAC-led security assessment, are still required under Article 5 to conduct an internal risk assessment before they can transfer the data outside China, as explained below.
(II) What does the security assessment focus on
Before transferring data outside China, all data processors are required to conduct an internal risk assessment, regardless of whether they are also subject to a CAC-led security assessment. Such internal risk assessment is to focus on:
- Whether the purpose, scope and means of the cross-border transfer, and of the data processing by the overseas data recipient, are legal, proper, and essential;
- The volume, scope, type and sensitivity of data to be transferred outside China and potential risks to national security, the public interest, and the legitimate rights of individuals and organizations;
- Whether the data processor has adequate management and technical capacity and has adopted measures to prevent the underlying data from being divulged or destroyed during the data transfer process;
- Whether the overseas recipient of the data has made a commitment and adopted relevant management and technical measures to protect the security of data transferred outside China;
- Risks of leakage, falsification, loss or abuse after the data is transferred outside China and whether there is a smooth communication channel for individuals to protect their PI; and
- Whether the contract between the data processor and overseas recipient of the data has made clear their respective responsibilities on data security protection.
Data processors that meet the requirements set forth in Article 4 shall apply to the CAC for a security assessment of the cross-border data transfer. When conducting the security assessment, the CAC under the Draft Measures would focus on the risks that the cross-border data transfer poses to national security, the public interest, and the rights and interests of individuals or organizations, specifically (Article 8):
- Whether the purpose, scope and means of the cross-border transfer are legal, proper, and essential (“essential” indicating a bias against transfer);
- The impact on the security of the underlying data of the data security protection policies and laws and the cybersecurity environment in the country/region of the overseas recipient, and whether the data protection level of the overseas recipient meets the requirements of the laws, administrative regulations and mandatory national standards of China;
- The quantity, scope, type and sensitivity of the underlying data and the risks of leakage, falsification, loss, or illegal acquisition or exploitation during and after cross-border transfer;
- Whether data security and PI rights can be fully and effectively protected;
- Whether the data processor and overseas recipient have made clear their respective responsibilities and obligations in their contract in terms of data security protection;
- Compliance with Chinese laws, regulations and ministry regulations; and
- As a catch-all, any other circumstances under which the CAC requires a security assessment for cross-border data transfer.
(III) Government review procedure
The timing for clearance may be lengthy. The CAC would be required to decide within seven working days after receiving the materials whether an application for a security assessment will be officially accepted (Article 7), and then to complete the security assessment within 45 working days of official acceptance, extendable to 60 working days in complex cases (Article 11). A favorable transfer assessment would be valid for two years absent changes to the purpose, method, scope, type or overseas recipient of the data; changes in the law of the recipient’s country or region potentially affecting the security of the data; or, as a catch-all, other factors affecting the security of the transferred data (Articles 11 and 12).
Conclusion:
The Draft Measures for the first time would clarify the thresholds for the types of data processors and types of data that are subject to cross-border security assessment and establish a timeline for the government review. While the Draft Measures provide certainty as to subject matter and timelines, the bias is against overseas transfer and the procedure and length of government review may prove to be burdensome. In both of these respects, the Draft Measures are in tension with China’s commitments under the WTO’s General Agreement on Trade in Services (GATS) and China’s recently stated desire to become a party to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the Digital Economy Partnership Agreement (DEPA), two Asia-Pacific regional trade agreements with strong disciplines on facilitating digital trade, including cross-border transfers of information.