Chinese guidelines for security assessments of outbound data transfers
Data security is under increasingly strict supervision in China. Charles Feng, Yifan Lu and Lian Xue of Tahota provide a guide and explain when a security assessment is necessary for a cross-border data transfer
The explosive growth and aggregation of data, as a key element of digital technology, has played a crucial role in facilitating innovative development, had a bearing on national security, and led to a reshaping of enterprises’ compliance on data issues.
The supervision of cross-border data transmission has been on the agenda since the release of the Cybersecurity Law of the People’s Republic of China (CSL) in 2016. The promulgation of the Outbound Transfer of Data Security Assessment Measures (the Assessment Measures) and their Application Guidelines for Security Assessment of Outbound Transfer of Data (the Application Guidelines) in September 2022 confirmed that China’s legal and regulatory framework for the outbound transfer of data has taken shape and established comprehensive compliance requirements for enterprises that process data.
With a reliance on enterprises declaring outbound transfers of data and conducting risk self-assessments, the Cyberspace Administration of China (CAC) and competent authorities will work together to review and supervise enterprises’ data processing, aiming to maintain a balance between data use and data security.
The Assessment Measures require enterprises to consider the circumstances under which an application for a security assessment is necessary.
1. The legal framework for cross-border data transfers
The CSL, the Personal Information Protection Law (PIPL) and the Data Security Law (DSL) laid the foundation for data protection in the People’s Republic of China (PRC) and regulate cross-border data transfer to and from the country.
The CSL requires that the personal information and critical data of critical information infrastructure operators (CIIOs) shall be stored within the territory of the PRC, and stipulates that a security assessment is necessary where such information and data have to be provided abroad. The government authorised the CAC, together with the competent departments under the State Council, to formulate the security assessment measures.
Subsequently, the PIPL and DSL came into force, further improving the upper-law basis for data security protection in cross-border data transmission issues, expanding the scope of subjects that must declare a security assessment, and adding that personal data processors that process personal information up to a certain quantity specified by the CAC must apply for a security assessment.
These two laws provide general compliance principles on the outbound transfer of data from different perspectives, and the Assessment Measures implement the main issues of these two upper laws and specifically address their application scopes, as well as setting out who must provide a declaration.
Processors of personal data and critical data that fall within the applicable scope under Article 4 of the Assessment Measures need to make a security assessment declaration to the CAC. Therefore, the different identities of data processors and the types of data they hold affect enterprises’ data compliance.
1.1. Laws and regulations on the cross-border transfer of personal information
Article 38 of the PIPL provides three paths for the cross-border transmission of personal data:
A security assessment via the CAC;
The certification of personal information protection via a professional institution prescribed by the CAC; and
The conclusion of a standard contract with the overseas recipient.
For some personal data processors, their outbound data is also subject to a cybersecurity review. The Cybersecurity Review Measures require that operators of online platforms holding the personal information of more than one million users that seek to go public abroad must declare data-related information to the Cybersecurity Review Office under the CAC.
1.2. Laws and regulations on critical data
In accordance with Article 4 of the Assessment Measures, any critical data provided abroad by data processors should pass a security assessment organised by the CAC. In addition, where foreign judicial or law enforcement authorities request data stored in China, the DSL requires the approval of the competent Chinese authorities before that data can be transferred.
1.3. Cross-border data transfer security assessment measures
China’s cross-border data transmission regime includes:
A cross-border data transfer security assessment;
A standard contract for an outbound data transfer;
Professional security certification; and
Other measures specifically provided for by laws.
These four regimes can be chosen in accordance with the circumstances specified in law.
China’s aim of establishing a “centralised, unified, efficient and authoritative data security risk assessment mechanism” and a “data security review system” is stipulated in articles 22 and 24 of the DSL as provisions and principles, but they lack specific guidance.
Article 38 of the PIPL confirms this point, but it applies only to personal data and does not cover other types of data, such as public and commercial data.
Article 37 of the CSL initially clarifies that operators of critical information infrastructures are required to conduct security assessments when providing personal information and critical data abroad. And the Assessment Measures, and their Application Guidelines, further clarify the data types that trigger a CAC security assessment – covering personal information data, critical data, other data, etc. – and refine the provisions of the PIPL and the DSL on outbound data transfer. They also specify the application conditions for a security assessment in three dimensions – declaration subjects, data sensitivity and data quantity – thus making them the most critical and specified regulation on cross-border data transmission.
2. Interpretation of ‘outbound data transfer’
Only where a transfer is an outbound data transfer in the legal sense do enterprises need to consider which outbound transfer mechanism applies, and only then whether to apply for a data security assessment. Thus, it is critical to define what constitutes an outbound data transfer.
To determine whether a transfer constitutes an outbound data transfer under the Assessment Measures, it must be analysed from three aspects:
The application subject;
Outbound transfer of data processing; and
Types of declared data.
2.1. Data processors
The entity that is subject to a data security assessment is the data processor. According to Article 2 of the Assessment Measures, the assessment shall apply to critical data and personal information collected and generated in China which is to be provided abroad.
Although the Assessment Measures do not define ‘data processor’, under the PIPL and the definition given in the Regulations on the Administration of Network Data Security (Draft for Public Comments), the term refers to an individual or entity that is able to determine the purpose and means of data processing.
Normally, if an individual provides personal information abroad, it is the overseas recipient of the data, not the individual, that independently decides the purpose and means of data processing. Therefore, the individual, as the personal data provider, is not obligated to declare. Likewise, where an individual provides personal information directly to an offshore data processor, the data is not being provided abroad by a data processor within China, so the offshore data processor is not required to apply for a security assessment.
Nonetheless, foreign data processors are still required to comply with the provisions of the PIPL due to the cross-border collection of the PRC’s personal information. In light of this, the mere outflow of data may not fall within the regulatory scope of the Assessment Measures.
2.2. Outbound transfer of data
As mentioned in Article 1 of the Application Guidelines, the outbound transfer of data includes the following:
A data processor transmits and stores data that has been collected and generated in China in other jurisdictions; and
Data collected and generated by a data processor and that is stored in the PRC but available to overseas institutions, organisations or individuals to access or download.
2.3. Types of data subject to declaration
Pursuant to Article 4 of the Assessment Measures, the types of data that shall be subject to declaration include critical data, and personal data provided abroad by CIIOs, by data processors that process the personal information of more than one million persons, or by data processors that have cumulatively exported the personal information of at least 10,000 people since January 1 of the previous year.
Therefore, only the critical data or certain personal information in compliance with Article 4 of the Assessment Measures shall be subject to a security assessment. When enterprises carry out outbound business, they need to pre-evaluate their outbound transfer of data and determine whether it falls within the scope of the application conditions.
3. CIIOs and critical data
According to Article 4 of the Assessment Measures and the above analyses, whether an enterprise’s outbound data should be declared to the CAC depends on:
The nature of the processor (whether it is a CIIO);
The nature of the data (whether it is critical data); and
The quantity of personal information.
If the outbound data contains ‘critical data’ or involves personal information provided by a CIIO, the outbound security assessment will be triggered regardless of the amount of outbound transfer data. Therefore, it is critical to determine whether an enterprise constitutes a CIIO and whether the data operated by the enterprise is considered as critical data by the competent authorities.
However, at present the rules and lists of CIIOs and critical data for most industries have not been published, the competent authorities have not issued specific rules or detailed documents to guide enterprises, and no further explanation has been provided on how to calculate each threshold that triggers a security assessment. There is therefore still considerable uncertainty for enterprises, and these issues must be determined case by case and in communication with regulators. Nonetheless, enterprises can refer to the following information.
3.1. The identification of CIIOs
According to the Regulations on the Security Protection of Critical Information Infrastructure, the rules and lists of CIIOs are formulated by the competent departments of each industry. The National Cybersecurity Inspection Guide issued in June 2016 provides three reference criteria for the identification of CIIOs:
The identification of critical business;
The identification of information systems or industrial control systems which support the critical business; and
The identification of CIIOs based on the dependence degree of critical business on information systems or industrial control systems, as well as the possible damage caused by a cybersecurity incident due to a problem with the information systems.
3.2. Identification of ‘critical data’
Article 1 of the Application Guidelines reaffirms that a security assessment is mandatory when an outbound data transfer involves industrial ‘critical data’.
According to the Assessment Measures, ‘critical data’ refers to data that may affect national security, economic or social stability, or public health once tampered with, damaged, leaked, or otherwise illegally obtained or used.
The only industrial regulation that addresses the critical data issue is the Certain Provisions on Automotive Data Security Management (for Trial Implementation), which clearly enumerates critical data in the automotive industry. For enterprises in other industries, in the absence of a critical data catalogue, determining whether critical data is involved requires enterprises to make their own assessment and to communicate with regulators case by case.
The Information Security Technology: Critical Data Identification Rules (Draft for Comments) issued by the National Information Security Standardisation Technical Committee in April 2022 provide 19 factors to be considered for the identification of critical data. They can be mainly divided into four general categories, as follows.
Data concerning national security interests, such as that which:
Directly affects national sovereignty, regime security, the political system, ideological security, including data used to implement social mobilisation;
Directly affects territorial security and national unity; or
Reflects the basic situation of the country’s natural resources, including undisclosed territorial land, territorial waters, and airspace data.
Strategic economic-related data, such as that which:
Directly affects the market economy or the security of the national economic lifeline, such as data supporting the core business of an industry or the field in which the critical infrastructure is located, or the production in critical industries;
Reflects the global economic operation or economic operation in key areas, the status of financial activities, or the competitiveness of an industry;
Can cause public safety accidents or affect citizens’ lives; and
Can lead to group activities or affect the emotions and perceptions of groups, such as undisclosed statistical data, commercial secrets of key enterprises, or information related to the production process of hazardous chemicals and the storage locations of hazardous materials.
Data related to natural resources and environmental reserves, development and supply, such as that reflecting water resources, energy resources, land resources, mineral resources and other resources, as well as data related to undisclosed hydrological observation, undisclosed arable land area or quality changes, etc.
Other data, such as:
That which reflects China’s language, history, customs and habits, or national values, including information on historical and cultural heritage; and
Undisclosed governmental data, intelligence data, law enforcement and judicial data, and undisclosed statistical data, etc.
Other industries without specific provisions may refer to the above criteria and communicate with their industrial authorities.
Though personal information alone is generally not considered critical data, it may be regarded as critical data when it reaches a certain scale; for example, if the personal information is sufficient to reflect the population and health situation of a certain area.
The identification of ‘critical data’ constitutes the core of the security assessment, and the CAC will assess critical data together with the competent authorities, or require enterprises to provide their own evaluation of whether they process critical data. Therefore, enterprises need to identify critical data on the basis of their actual business, referring to the data classification standards of their industries to make their own judgement, and take the initiative to declare.
4. The security assessment procedure
According to the Assessment Measures, the provincial cyberspace administrations shall review the application materials and, if they are found to be complete, forward them to the CAC. The procedure is as follows.
Step 1 – the data processor shall complete a self-assessment three months before the date of the application, and there must be no material change as of the date of the application.
Step 2 – the data processor shall declare a security assessment for an outbound data transfer, with the submission of the following materials:
A declaration form;
A self-assessment report on the risks of the outbound data transfer;
The legal documents to be completed by the data processor and the overseas recipient; and
Other materials necessary for a security assessment.
Step 3 – the cyberspace administration at the provincial level shall complete an examination of the completeness of the declaration materials within five working days after receipt of the declaration materials.
Step 4 – the declaration materials will be submitted to the CAC if they are complete, and the CAC will decide whether to accept the declaration and notify the data processor in writing within seven working days after receipt of the declaration materials.
Step 5 – the CAC shall conduct and complete the security assessment within 45 working days after issuing a written notice of acceptance to the data processor. If the situation is complicated, or supplementary or corrected materials are needed, the assessment may be extended appropriately.
Step 6 – the data processor shall be informed of the assessment results in writing. The assessment results will be valid for two years, according to Article 14 of the Assessment Measures.
The data processor shall re-apply for a security assessment if there is any change of circumstance affecting data security – for example, in the purpose, methods, scope, or type of the data provided abroad – within the valid period.
5. Application materials and key points
The Application Guidelines set forth more specific requirements on the application materials for a security assessment of an outbound data transfer.
The additional materials include the following:
A Unified Social Credit Code certificate;
An identity document of the legal representative;
An identity document of the authorised representative for filing the application;
The power of attorney for the authorised representative for filing the application (template);
The Application Form for Security Assessment of Data Export (template), including the letter of undertaking and the Application Form for Security Assessment of Data Export;
The contract or another legally binding document to be executed by the data processor and the overseas recipient with respect to the data export;
The Risk Self-Assessment Report on Data Export (template); and
Any other supporting material.
The Assessment Measures are designed to control the risk after outbound data transmission and to ensure that overseas recipients provide the same level of data protection. For this purpose, enterprises should show their cross-border data transmission scenarios, the data types involved, and their protection measures to the CAC when applying for a data security assessment. Enterprises are advised to review and refine the data, as well as the supporting materials, to avoid having to provide further information.
In addition, as required by the Assessment Measures, enterprises are obliged to ensure the authenticity, completeness, accuracy and validity of all the submitted materials.
6. Comments and suggestions
The Assessment Measures and their Application Guidelines reflect the increasingly strict supervision of the Chinese government concerning data security. Enterprises are required to pay more attention to their data compliance when carrying out cross-border business. With regard to cross-border data transfers, it is advisable to:
Pre-evaluate the situation, in accordance with the relevant laws and regulations;
Promptly check and review the data and cross-border scenarios;
Conduct a risk self-assessment in advance;
Rectify the weak points that may cause information leakage; and
Select a suitable path for the transfer.
If the outbound transfer is found to be subject to an application for a security assessment, the entity is obliged to make a declaration to the CAC within the required period, so as to decrease its data compliance risk. The Assessment Measures allow a six-month remedy period during which the data processor shall complete rectification so that an outbound transfer of data implemented before the promulgation of the Assessment Measures can achieve compliance. Owing to the time constraint, early action is highly recommended.
In January 2023, the CAC confirmed that the first entity had passed the outbound transfer of data security assessment, in Beijing. Data security regulations in various industries will continue to be issued and implemented, further shaping and strengthening the security assessment regime, and they merit the attention of foreign companies engaged in cross-border business.