Chinese guidelines for security assessments of outbound data transfers
Managing IP is part of the Delinian Group, Delinian Limited, 4 Bouverie Street, London, EC4Y 8AX, Registered in England & Wales, Company number 00954730
Copyright © Delinian Limited and its affiliated companies 2024

Accessibility | Terms of Use | Privacy Policy | Modern Slavery Statement
Cookies Settings
Features

Chinese guidelines for security assessments of outbound data transfers

Sponsored by

Tahota logo.JPG
Charles Feng
Yifan LuLian Xue
June 12, 2023
binary-1695475.jpg

Data security is under increasingly strict supervision in China. Charles Feng, Yifan Lu and Lian Xue of Tahota provide a guide and explain when a security assessment is necessary for a cross-border data transfer

The explosive growth and aggregation of data, as a key element of digital technology, has played a crucial role in facilitating innovative development, had a bearing on national security, and led to a reshaping of enterprises’ compliance on data issues.

The supervision of cross-border data transmission has been on the agenda since the release of the Cybersecurity Law of the People’s Republic of China (CSL) in 2016. And the promulgation of the Outbound Transfer of Data Security Assessment Measures (the Assessment Measures) and their Application Guidelines for Security Assessment of Outbound Transfer of Data (the Application Guidelines) in September 2022 confirmed that China’s legal and regulatory framework for the outbound transfer of data has taken shape and established comprehensive compliance requirements for enterprises that process data.

With a reliance on enterprises declaring outbound transfers of data and conducting risk self-assessments, the Cyberspace Administration of China (CAC) and competent authorities will work together to review and supervise enterprises’ data processing, aiming to maintain a balance between data use and data security.

The Assessment Measures require enterprises to consider the circumstances under which an application for a security assessment is necessary.

1. The legal framework for cross-border data transfers

The CSL, the Personal Information Protection Law (PIPL) and the Data Security Law (DSL) laid the foundation for data protection in the People’s Republic of China (PRC) and regulate cross-border data transfer to and from the country.

The CSL requires that data regarding critical information infrastructure operators (CIIOs) (personal information and critical data) shall be stored within the territory of the PRC and stipulates that a security assessment is necessary where such information and data have to be provided abroad. The government authorised the CAC, together with the competent departments under the State Council, to formulate the security assessment measures.

Subsequently, the PIPL and DSL came into force, further improving the upper-law basis for data security protection in cross-border data transmission issues, expanding the scope of subjects that must declare a security assessment, and adding that personal data processors that process personal information up to a certain quantity specified by the CAC must apply for a security assessment.

These two laws provide general compliance principles on the outbound transfer of data from different perspectives, and the Assessment Measures implement the main issues of these two upper laws and specifically address their application scopes, as well as setting out who must provide a declaration.

Processors of personal data and critical data which falls into the applicable scope according to Article 4 of the Assessment Measures need to make a security assessment declaration to the CAC. Therefore, the different identities of data processors and the types of data they hold affect enterprises’ data compliance.

1.1. Laws and regulations on the cross-border transfer of personal information

Article 38 of the PIPL provides three paths for the cross-border transmission of personal data:

  • A security assessment via the CAC;

  • The certification of personal information protection via a professional institution prescribed by the CAC; and

  • The conclusion of a standard contract with the overseas recipient.

For some personal data processors, their outbound data is also subject to a cybersecurity review. The Cybersecurity Review Measures require that operators of online platforms that hold the personal information of more than one million users going public abroad must declare data-related information to the Cybersecurity Review Office under the CAC.

1.2. Laws and regulations on critical data

In accordance with Article 4 of the Assessment Measures, any critical data provided abroad by data processors should pass a security assessment organised by the CAC. And in response to requests for data from foreign judicial and law enforcement authorities, the DSL requires the approval of the competent Chinese authorities before data that is stored in China can be transferred.

1.3. Cross-border data transfer security assessment measures

China’s cross-border data transmission regime includes:

  • A cross-border data transfer security assessment;

  • A standard contract for an outbound data transfer;

  • Professional security certification; and

  • Other measures specifically provided for by laws.

These four regimes can be chosen in accordance with the circumstances specified in law.

China’s aim of establishing a “centralised, unified, efficient and authoritative data security risk assessment mechanism” and a “data security review system” is stipulated in articles 22 and 24 of the DSL as provisions and principles, but they lack specific guidance.

Article 38 of the PIPL confirmed this point and that it only applied to personal data and does not include other types of data, such as public and commercial data.

Article 37 of the CSL initially clarifies that operators of critical information infrastructures are required to conduct security assessments when providing personal information and critical data abroad. And the Assessment Measures, and their Application Guidelines, further clarify the data types that trigger a CAC security assessment – covering personal information data, critical data, other data, etc. – and refine the provisions of the PIPL and the DSL on outbound data transfer. They also specify the application conditions for a security assessment in three dimensions – declaration subjects, data sensitivity and data quantity – thus making them the most critical and specified regulation on cross-border data transmission.

2. Interpretation of ‘outbound data transfer’

Only with regard to outbound data transfer in the legal sense should enterprises think about which outbound transfer of data mechanism to apply, and then they can consider whether to apply for a data security assessment. Thus, it is critical to define the outbound data transfer.

To determine whether a transfer constitutes an outbound data transfer under the Assessment Measures, it must be analysed from three aspects:

  • The application subject;

  • Outbound transfer of data processing; and

  • Types of declared data.

2.1. Data processors

The entity that is subject to a data security assessment is the data processor. According to Article 2 of the Assessment Measures, the assessment shall apply to critical data and personal information collected and generated in China which is to be provided abroad.

Although the Assessment Measures do not provide a definition of ‘data processor’, in the PIPL and the definition of data processor in the Regulations on the Administration of Network Data Security (Draft for Public Comments), it shall refer to an individual or entity that is able to determine the purpose and means of data processing.

Normally, if an individual provides personal information abroad, it is the overseas recipient of the data, not the personal information provider, that independently decides the purpose and means of data processing. Therefore, the individual, as the personal data provider, is not obligated to declare. When the individual provides personal information to the offshore data processor, and since the data is not provided abroad by a data processor within China, the offshore data processor is not required to apply for a security assessment.

Nonetheless, foreign data processors are still required to comply with the provisions of the PIPL due to the cross-border collection of the PRC’s personal information. In light of this, the mere outflow of data may not fall within the regulatory scope of the Assessment Measures.

2.2. Outbound transfer of data

As mentioned in Article 1 of the Application Guidelines, the outbound transfer of data includes the following:

  • A data processor transmits and stores data that has been collected and generated in China in other jurisdictions; and

  • Data collected and generated by a data processor and that is stored in the PRC but available to overseas institutions, organisations or individuals to access or download.

2.3. Types of data subject to declaration

Pursuant to Article 4 of the Assessment Measures, the types of data that shall be subject to declaration include critical data and personal data provided abroad by CIIOs or by data processors that process the personal information of more than one million persons, or by data processors that have accumulatively exported the personal information of at least 10,000 people since January 1 of the previous year.

Therefore, only the critical data or certain personal information in compliance with Article 4 of the Assessment Measures shall be subject to a security assessment. When enterprises carry out outbound business, they need to pre-evaluate their outbound transfer of data and determine whether it falls within the scope of the application conditions.

3. CIIOs and critical data

According to Article 4 of the Assessment Measures and the above analyses, whether an enterprise’s outbound data should be declared to the CAC depends on:

  • The nature of the processor(whether it is a CIIO);

  • The nature of the data (whether it is critical data); and

  • The quantity of personal information.

If the outbound data contains ‘critical data’ or involves personal information provided by a CIIO, the outbound security assessment will be triggered regardless of the amount of outbound transfer data. Therefore, it is critical to determine whether an enterprise constitutes a CIIO and whether the data operated by the enterprise is considered as critical data by the competent authorities.

However, at present, the rules and lists of CIIOs and critical data for most industries have not been published, and any specific rules or detailed documents have not been issued by the competent authorities to give enterprises relevant guidance, and no further explanation has been provided on how to calculate each threshold that triggers a security assessment. So there is still large uncertainty for enterprises and issues must be determined on a case-by-case basis, and in communication with regulators. However, enterprises can refer to the following information.

3.1. The identification of CIIOs

According to the Regulations on the Security Protection of Critical Information Infrastructure, the rules and lists of CIIOs are formulated by the competent departments of each industry. The National Cybersecurity Inspection Guide issued in June 2016 provides three reference criteria for the identification of CIIOs:

  • The identification of critical business;

  • The identification of information systems or industrial control systems which support the critical business; and

  • The identification of CIIOs based on the dependence degree of critical business on information systems or industrial control systems, as well as the possible damage caused by a cybersecurity incident due to a problem with the information systems.

3.2. Identification of ‘critical data’

Article 1 of the Application Guidelines reaffirms that a security assessment is mandatory when an outbound data transfer involves industrial ‘critical data’.

According to the Assessment Measures, ‘critical data’ refers to data that may affect national security, economic or social stability, or public health once tampered with, damaged, leaked, or otherwise illegally obtained or used.

The only industrial regulation that addresses the critical data issue is the Certain Provisions on Automotive Data Security Management (for Trial Implementation), which clearly enumerate critical data in the automotive industry. For enterprises in other industries, in the absence of a critical data catalogue, whether there is critical data involved requires enterprises to make their own determination through communicating with regulators case by case.

The Information Security Technology: Critical Data Identification Rules (Draft for Comments) issued by the National Information Security Standardisation Technical Committee in April 2022 provide 19 factors to be considered for the identification of critical data. They can be mainly divided into four general categories, as follows.

  • Data concerning national security interests, such as that which:

    • Directly affects national sovereignty, regime security, the political system, ideological security, including data used to implement social mobilisation;

    • Directly affects territorial security and national unity; or

    • Reflects the basic situation of the country’s natural resources, including undisclosed territorial land, territorial waters, and airspace data.

  • Strategic economic-related data, such as that which:

    • Directly affects the market economy or the security of the national economic lifeline, such as data supporting the core business of an industry or the field in which the critical infrastructure is located, or the production in critical industries;

    • Reflects the global economic operation or economic operation in key areas, the status of financial activities, or the competitiveness of an industry;

    • Can cause public safety accidents or affect citizens’ lives; and

    • Can lead to group activities or affect the emotions and perceptions of groups, such as undisclosed statistical data, commercial secrets of key enterprises, or information related to the production process of hazardous chemicals and the storage locations of hazardous materials.

  • Data related to natural resources and environmental reserves, development and supply, such as that reflecting water resources, energy resources, land resources, mineral resources and other resources, as well as data related to undisclosed hydrological observation, undisclosed arable land area or quality changes, etc.

  • Other data, such as:

    • That which reflects China’s language, history, customs and habits, or national values, including information on historical and cultural heritage; and

    • Undisclosed governmental data, intelligence data, law enforcement and judicial data, and undisclosed statistical data, etc.

Other industries without specific provisions may refer to the above criteria and communicate with their industrial authorities.

Though personal information alone is generally not considered critical data, it may be regarded as critical data when it reaches a certain scale; for example, if the personal information is sufficient to reflect the population and health situation of a certain area.

The identification of ‘critical data’ constitutes the core of the security assessment, and the CAC will assess the critical data along with the competent authorities, or require enterprises to provide their self-evaluation on whether to process critical data. Therefore, enterprises need to be aware of the identification of critical data on the basis of their actual business, referring to standards on data classification in various industries to make their own judgement and take the initiative to declare.

4. Procedures

According to the Assessment Measures, the provincial cyberspace administrations shall review the application materials and if they are found to be complete, the provincial cyberspace administration will forward the application materials to the CAC. The procedure is as follows.

  • Step 1 – the data processor shall complete a self-assessment three months before the date of the application, and there must be no material change as of the date of the application.

  • Step 2 – the data processor shall declare a security assessment for an outbound data transfer, with the submission of the following materials:

    • A declaration form;

    • A self-assessment report on the risks of the outbound data transfer;

    • The legal documents to be completed by the data processor and the overseas recipient; and

    • Other materials necessary for a security assessment.

  • Step 3 – the cyberspace administration at the provincial level shall complete an examination of the completeness of the declaration materials within five working days after receipt of the declaration materials.

  • Step 4 – the declaration materials will be submitted to the CAC if they are complete, and the CAC will decide whether to accept the declaration and notify the data processor in writing within seven working days after receipt of the declaration materials.

  • Step 5 – the CAC shall conduct and complete the security assessment within 45 working days after issuing a written notice of acceptance to the data processor. If the situation is complicated, or supplementary or corrected materials are needed, the assessment may be extended appropriately.

  • Step 6 – the data processor shall be informed of the assessment results in writing. The assessment results will be valid for two years, according to Article 14 of the Assessment Measures.

The data processor shall re-apply for a security assessment if there is any change of circumstance affecting data security – for example, in the purpose, methods, scope, or type of the data provided abroad – within the valid period.

5. Application materials and key points

The Application Guidelines set forth more specific requirements on the application materials for a security assessment of an outbound data transfer.

The additional materials include the following:

  • A Unified Social Credit Code certificate;

  • An identity document of the legal representative;

  • An identity document of the authorised representative for filing the application;

  • The power of attorney for the authorised representative for filing the application (template);

  • The Application Form for Security Assessment of Data Export (template), including the letter of undertaking and the Application Form for Security Assessment of Data Export;

  • The contract or another legally binding document to be executed by the data processor and the overseas recipient with respect to the data export;

  • The Risk Self-Assessment Report on Data Export (template); and

  • Any other supporting material.

The Assessment Measures are designed to control the risk after outbound data transmission and to ensure that overseas recipients provide the same level of data protection. For this purpose, enterprises should show their cross-border data transmission scenarios, the data types involved, and their protection measures to the CAC when applying for a data security assessment. Enterprises are advised to review and refine the data, as well as the supporting materials, to avoid having to provide further information.

In addition, as required by the Assessment Measures, enterprises are obliged to ensure the authenticity, completeness, accuracy and validity of all the submitted materials.

6. Comments and suggestions

The Assessment Measures and their Application Guidelines reflect the increasingly strict supervision of the Chinese government concerning data security. Enterprises are required to pay more attention to their data compliance when carrying out cross-border business. With regard to cross-border data transfers, it is advisable to:

  • Pre-evaluate the situation, in accordance with the relevant laws and regulations;

  • Promptly check and review the data and cross-border scenarios;

  • Conduct a risk self-assessment in advance;

  • Rectify the weak points that may cause information leakage; and

  • Select a suitable path for the transfer.

If the outbound transfer is found to be subject to an application for a security assessment, the entity is obliged to make a declaration to the CAC within the required period, so as to decrease its data compliance risk. The Assessment Measures allow a six-month remedy period during which the data processor shall complete rectification so that an outbound transfer of data implemented before the promulgation of the Assessment Measures can achieve compliance. Owing to the time constraint, early action is highly recommended.

In January 2023, the CAC confirmed that a first entity has passed the outbound transfer of data security assessment in Beijing. Subsequently, data security-related regulations in various industries will continue to be issued and implemented, which will further protect and promote the security assessment in this regard, and be worthy of the attention of foreign companies engaged in cross-border business.

Topics

FeaturesTahota Law Firm
Charles Feng B&W.jpg
Charles Feng
Senior partner Tahota Law Firm
Contact
Mr. Feng is a reputable intellectual property (IP) and data law expert with substantial experience in IP law, data protection law, and antitrust law with reputable international and Chinese law firms. He focuses on IP litigation, trademark enforcement, and patent portfolio management, as well as cyber law-related matters.

Mr. Feng has represented numerous foreign clients from the US, the EU, and Japan at various levels of courts, as well as administrative organs in China. He is particularly experienced in addressing clients' commercial needs in the areas of IP litigation, arbitration, and prosecution, including patents, copyrights, trademarks, domain names, unfair competition, and trade secrets.

In addition to his work in the courtrooms, he has been involved in IP transactional work, including the drafting, negotiation, and enforcement of IP assignment or licensing agreements. Mr. Feng and his team have also represented multinationals in dealing with their legal matters in relation to cybersecurity, privacy, and data protection.
YL
Yifan Lu
Tahota Law Firm
LX
Lian Xue
Tahota Law Firm
Contact
more from across site and ros bottom lb

More from across our site

MIP+ WcW 680x383 Reputation@2x.png
What Corporates Want: depth of team
High-earning businesses place most value on the depth of the external legal teams advising them, according to a survey of nearly 29,000 in-house counsel
Sukanya Sarkar, April 26, 2024
Awards
AwardsKilpatrick.jpg
Kilpatrick Townsend wins big at Managing IP Americas Awards 2024
Kilpatrick Townsend was recognised as Americas firm of the year, while patent powerhouse James Haley won a lifetime achievement award
Rani Mehta, April 26, 2024
Patents
AI inventor
AI & inventorship: Comparing patenting in the US & UK
Partners at Foley Hoag and Kilburn & Strode explore how US and UK courts have addressed questions of AI and inventorship
John Lanza, April 26, 2024
Patents
CSR.jpg
Weekly take: In-house must push IP firms towards sustainability
In-house lawyers have considerable influence over law firms’ actions, so they must use that power to push their external advisers to adopt sustainable practices
Sukanya Sarkar, April 26, 2024
Patents
Personnel recruitment and a magnet attracts good employee leader
This week on MIP: Partner move insights, Marks & Clerk to face commissions trial
We provide a rundown of Managing IP’s news and analysis from the week, and review what’s been happening elsewhere in IP
Max Walters, April 26, 2024
Trade Secrets
The contract has been crossed out with a red pen. Vector illustration.The concept of termination old, refusal contract. Failed deal. Violation of conditions commercial agreement. Expired treaty.
‘Non-stop’ client talks: how firms are reacting to FTC’s non-compete ban
Counsel say they’re advising clients to keep a close eye on confidentiality agreements after the FTC voted to ban non-competes
Rani Mehta, April 25, 2024
Patents
TT story.png
Talent Tracker quarterly report: Paul Hastings and Spencer Fane make waves in 2024
Data from Managing IP+’s Talent Tracker shows US firms making major swoops for IP teams, while South Korea has also been a buoyant market
Rani Mehta, April 25, 2024
Awards
WIBL EMEA shortlist announced logo
Women in Business Law Awards EMEA 2024: shortlist announced
The finalists for the 13th annual awards have been announced
John Harrison, April 25, 2024
Patents
Document checking, agreement or contract validation, financial or budget analysis, search for document files concept, businessman manager holding big magnifying glass checking document paper.
How briefings shakeup could shape PTAB arguments
Counsel reveal how a proposal to create separate briefings for discretionary denials at the USPTO could affect their PTAB strategies
Rani Mehta, April 24, 2024
Patents
UK Supreme Court
Marks & Clerk to face ‘secret commissions’ case at trial
The UK Supreme Court rejected the firm’s appeal against an earlier ruling because it did not raise an arguable point of law
Max Walters, April 24, 2024
Gift this article