China: Measures of Security Assessment for Cross-Border Data Transfer Take Effect
The Cybersecurity Administration of China (CAC), China’s cybersecurity authority, released the Measures of Security Assessment for Data Export (unofficial English translation) on July 7, 2022. The measures provide detailed guidance on the security assessment for cross-border data transfer, which supplements the requirements under the Cybersecurity Law of the People’s Republic of China, Data Security Law of the People’s Republic of China, and Personal Information Protection Law of the People’s Republic of China (PIPL).

The measures specify under what circumstances a security assessment is required for outbound data transfers and how to apply for the security assessment. In general, the security assessment applies to the export of important data and personal information that are collected and generated in the course of operations in the territory of China by the data processors. The security assessment is a combination of a self-assessment of security and a mandatory CAC security assessment.

CAC Assessment

According to article 4 of the measures, the CAC assessment is required in the following three specific circumstances and in a catch-all situation:

1. Outbound transfer of important data. The measures, for the first time at the regulation level, define the term “important data” as “any data that, once tampered with, damaged, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, and public health and safety.” (Art. 19.)

2. Outbound transfer of personal information by a critical information infrastructure operator (CIIO) and by a data processor who processes the personal information of 1 million individuals or more.

According to article 2 of the Critical Information Infrastructure Security Protection Regulations (unofficial English translation), CIIO refers to any important network infrastructure and information systems in important industries and sectors, such as public telecommunications and information services, energy, transportation, water, finance, public services, e-government, national defense technology, etc., that may gravely harm national security, the national economy and people’s livelihood, or the public interest once destroyed, damaged, or subject to a data leak.

3. Outbound transfer of personal information by a data processor who has cumulatively made the outbound transfer of personal information of over 100,000 individuals or sensitive personal information of over 10,000 individuals since January 1 of the previous year.

The term “personal information” is broadly defined under the PIPL as “all kinds of information relating to any identified or identifiable natural person, whether it is in an electronic form or any other form, exclusive of any anonymized information.” (PIPL art. 4.) Article 28 of the PIPL defines the term “sensitive personal information” as any personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons, or cause grave harm to personal or property safety. It includes information on biometric characteristics, religious beliefs, specially designated status, health data, financial accounts, and travel records, as well as any personal information of a minor under the age of 14.

4. Other circumstances as prescribed by the CAC.

CAC Assessment Procedures

The CAC Assessment procedures consist of the following three stages:

1. Application and Acceptance. Once a self-assessment is completed, the applicants must submit an application to a provincial-level CAC, which must within five business days review whether the application materials are complete.
If they are complete, the provincial-level CAC will forward them to the national-level CAC. The national-level CAC will decide whether to accept the application materials within seven business days from the date of receipt and will then notify the applicants in writing. (Measures art. 7.)

2. Review. The national-level CAC is required to complete the security assessment within 45 business days from the date of accepting the application but has the power to extend this period in complicated cases or where supplemental materials need to be provided. (Art. 12.) The applicants will be notified in writing of the assessment result, which will be valid for two years from the date of the issuance of the result. (Art. 14.)

3. Reassessment. If the applicants are not satisfied with the decision of the CAC, they may apply for a reassessment within 15 business days from the date of receiving the decision. (Art. 13.)

The measures came into effect on September 1, 2022. Data processors must rectify any past noncompliance pertaining to data transfers out of China before March 1, 2023. (Art. 20.)

Prepared by Xiaozhu Zhong, Law Library intern, under the supervision of Laney Zhang, Foreign Law Specialist

Law Library of Congress, December 13, 2022