The CAC issued a draft of the Measures for public consultation in October last year (Draft). The final version remains mostly unchanged from the draft, but some adjustments have been made regarding the scope, conditions and procedures of the security assessments. They aim to provide clearer and more specific guidance for data processors to apply for security assessments, and for the competent authorities to accept and conduct assessments.
This article intends to summarize and comment on the key points of the Measures.
According to the Measures, if a data processor triggers any of the following thresholds, it needs to apply for a security assessment of its cross-border data transfer: (a) it provides important data abroad; (b) it is a critical information infrastructure operator or it processes the personal information of more than one million individuals in total; (c) it has exported the personal information of more than 100,000 persons in aggregate or the sensitive personal information of more than 10,000 persons in aggregate since January 1 of the previous year; or (d) other circumstances subject to a security assessment as required by the CAC.
Specific procedures for a security assessment
If a data export activity triggers a security assessment, the following procedures should be followed:
(a) Pre-review: The data processor should carry out a self-assessment of the risks involved in the data export.
(b) Applying for a security assessment: The data processor should apply to the CAC for a security assessment via the provincial-level cyberspace authority, by submitting: (i) an application form; (ii) a report on the self-assessment; (iii) the legal document to be executed between the data processor and the overseas recipient; and (iv) other materials as required for the security assessment. The provincial-level cyberspace authority is responsible for checking that the application materials are complete and for forwarding them to the CAC.
(c) Carrying out a security assessment: Upon acceptance of the application, the CAC will, depending on the case, organize the relevant departments of the State Council, provincial-level cyberspace authority and specialized institutions to conduct the security assessment. The data processor will be notified in writing of the assessment result.
(d) Re-assessment and termination of a data export: If the validity period of the assessment result has expired, or any of the circumstances requiring a re-assessment has occurred during the validity term, the data processor should re-apply for a security assessment. If a data export activity that has already passed the security assessment no longer meets the security requirements for outbound data transfers, the activity should be terminated upon written notice from the CAC.
Focused areas for self-assessment and security assessment
The focused areas of self-assessment and security assessment are similar, mainly covering the following six aspects, together with any other matters the CAC deems necessary to assess:
(a) the legality, legitimacy, and necessity of the cross-border data transfer in terms of the purpose, scope, method, etc.;
(b) the impact of data security protection policies and legislation and the cybersecurity environment of the country or region where the overseas recipient is located on the security of the outbound data; whether the data protection level of the overseas recipient meets the requirements of the laws and administrative regulations and the mandatory national standards of the People's Republic of China;
(c) the quantity, scope, type, and sensitivity of the outbound data, and the risks of the data being tampered with, damaged, leaked, lost, relocated or illegally acquired or used during and after the cross-border data transfer;
(d) whether data security and personal information rights and interests can be sufficiently and effectively ensured;
(e) whether the data security protection responsibilities and obligations are sufficiently stipulated in the legal document executed between the data processor and the overseas recipient; and
(f) compliance with China's laws, administrative regulations and departmental rules.
Legal document to be signed by both parties
The legal document to be executed between the data processor and the overseas recipient should be submitted to the cyberspace authority for a security assessment application. The Measures further require that the data security protection responsibilities and obligations be clearly stipulated in the legal document, and set out specific items that should be contained. This includes the purpose and method of the outbound data transfer and the scope of the data, the purpose and method of the data processing by the overseas recipient, and the measures to handle the data transferred overseas upon the expiration of the retention period, the completion of the agreed purpose, or the termination of the legal document.
In terms of content, the legal document under the Measures is not completely consistent with the standard contract (draft). In terms of form, the legal document may also include other legally binding documents in addition to contracts. The specific requirements for the contract content remain to be further explained and confirmed by the CAC.
Timelines for security assessments
The CAC should, within seven working days of the date of receipt of the application materials from the local cyberspace authority, determine whether to accept the application, and complete the security assessment within 45 working days of the date of the written notification of acceptance. If the case is complicated or there are materials that need to be supplemented or corrected, this period may be extended as appropriate and the data processor should be notified of the extension.
Circumstances for reapplying for a security assessment
Passing a security assessment for a data export is valid for two years. The circumstances for reapplying for a security assessment under the Measures include: (a) if the data processor needs to continue the data export activity after the expiration of the validity period, it should reapply for the assessment within 60 working days of the expiration date; (b) any circumstance that may affect the security of the outbound data occurs during the validity term, such as a change to the purpose, method, or scope of the data export; and (c) where the CAC has required a data processor to terminate the data export and the data processor needs to continue the data export, it should reapply for a security assessment after completing the rectification.