China Released Measures of Security Assessment for Data Export: dust settled?

Written By

James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

Tanya Luo

Associate
China

I am a data associate in our Beijing office. My practice focuses on data privacy, cybersecurity, and telecommunications.

Jacqueline Che

Associate
China

As an associate in our Commercial team based in Shanghai, I advise Chinese and international clients on a range of data protection and cybersecurity issues, with a special focus on the TMT sector.

On 7 July 2022, the Cyberspace Administration of China (“CAC”) released the Measures of Security Assessment for Data Export (“Measures”), which will take effect on 1 September 2022. Data processors are allowed six months to complete any rectification required for compliance with the Measures.

In this article, we highlight the key provisions of the Measures and set out our observations and recommendations.

Background

Security assessment (“Security Assessment”) is the regime under which the CAC scrutinises certain types of data export as required by the Cyber Security Law (“CSL”), Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”). In summary, under these laws the following types of data must be stored locally in China, and their export is subject to the Security Assessment:

  1. Important data and personal information that have been collected and generated in China and will be exported by the operators of critical information infrastructure (“CII”); and
  2. Personal information held by processors that process an amount of personal information reaching the threshold (“Threshold”) set by the CAC.

Under the DSL, the authorities will also publish rules regulating the export of important data that is collected and generated in China and will be exported by data processors that are not CII operators. So far, the central government has published regulations on CII (for our comments on the regulation, please click here), but the sectoral regulators have yet to publish any list of the CII operators in their respective sectors. The scope of important data has not been defined either.

In 2017 and 2019, the CAC released three draft regulations on data export security assessment (including one draft that was not officially made public) and a draft guidance on data export security assessment, but none has been enacted. Among the drafts, we have seen back and forth between a position that all data exports are subject to a governmental security assessment and one that only the export of specified categories of data should be assessed for security by the authorities.

In October 2021, the CAC released the draft Measures for public consultation after the PIPL and DSL were promulgated earlier that year (for our comments on the draft Measures, please click here). The final Measures retain most of the requirements under the draft Measures and make some important changes that seek to address the comments from the public.

Key provisions and observations

I. Scope of data exports subject to governmental security assessment

Scope of export

Under the Measures, the Security Assessment applies to “export by the data processors of important data and personal information that is collected and generated in the course of operations in the territory of China”. Apparently, export of important data and personal information collected or generated outside of China will be out of the scope.

It is not clear how the term “generate” will be interpreted; it seems to refer to an artificial process of creating certain information that did not previously exist or was not previously recorded. Further clarification from the CAC would be helpful in determining whether a particular type of data will be considered to have been “generated” in China, and which party generated it. For instance, if certain important data is created through cooperation between Chinese and foreign entities, in which country should such data be considered “generated”, and which party generated it?

In addition, the term “data processor” is not defined in the Measures or in the DSL, CSL or PIPL. In the draft Administrative Rules of Network Data Security released by the CAC in November 2021, “data processor” is defined as the individual or organisation that independently determines the purpose and means of data processing activities. If this is also the definition adopted by the Measures, it may exclude those processing important data or personal information on behalf of data processors (“Entrusted Parties”), and may therefore also exclude from the scope of the Security Assessment exports by Entrusted Parties in China to overseas data processors.

Also notably, the Measures do not specify whether the Security Assessment applies to the export by a data processor of important data and personal information that were collected and generated by others in the course of their operations in China. The wording seems to suggest that such important data and personal information are collected and generated by the same data processor that exports them, but falls short of making this clear. If that is the case, a loophole may exist where a data exporter exports important data and personal information that were collected or generated by other data processors.

Whilst the DSL does not define important data, the Measures define important data as data that may harm national security, the economy, social stability, or public health and safety if it is altered without authorisation, destroyed, leaked, or illegally acquired or used. We note that the detailed scope of important data has yet to be determined by sectoral regulators.

Scenarios subject to Security Assessment

The Measures further lay down detailed scenarios where the Security Assessment applies to data export, which include:

  1. export of important data;
  2. export of personal information by CII operators;
  3. export of personal information by a data processor that processes personal information of 1,000,000 individuals or more;
  4. export of personal information by a data processor that from 1 January of last calendar year in aggregate exports (i) personal information of over 100,000 individuals or (ii) sensitive personal information of over 10,000 individuals; and
  5. Such other circumstances as designated by the CAC.

Export of important data by a data processor that is not a CII operator now falls in the scope of the Security Assessment, which is an expansion of the position taken by the CSL and DSL that the Security Assessment applies to export of important data by CII Operators. The implications are that so long as the data to be exported includes any important data, however small the amount is, the data processors must apply to the CAC for the Security Assessment.

On the other hand, in relation to personal information export, the Security Assessment will apply not only to CII operators but also to a data processor that processes the personal information of 1,000,000 individuals or more. This is in line with the CSL and the PIPL, which require a CII operator to apply for the Security Assessment for any export of personal information.

Issues with Threshold

The Measures also set thresholds on the amount of personal information to be exported and try to clarify how to calculate the amount of personal information exported by a data processor by adding a starting date. This means that the exported amount will be calculated for a period of up to two years, starting from 1 January of the last calendar year on a rolling basis. Data processors should establish a real-time monitoring mechanism to check the amount of personal information being exported. The calculation will restart each year on 1 January.

However, such wording may still give rise to dilemmas and impracticality for data processors. For instance, if the amount of exported personal information reaches the Thresholds in the last few months of the second year, they may not have enough time to complete the Security Assessment process, and from 1 January of the next year the calculation will restart. In this scenario, should they stop exporting personal information, wait until 1 January of the next year, and then continue exporting personal information if the Thresholds are not triggered in the third year?

The key question here is whether the data processors need to stop exporting personal information and apply for the Security Assessment once the exports meet the Thresholds. Based on the provisions of the PIPL and the Measures, the answer seems to be yes, which could be a challenge to business continuity and disrupt operation of normal business functions. The implications for data processors are that they should have a clear vision as to whether and when their processing activities will reach any of the Thresholds. If there is a reasonable possibility that the amount being processed or exported will reach one of the Thresholds in the foreseeable future, the data processors should embark on localising the personal information and be prepared to apply for the Security Assessment once they hit the Threshold.

II. Self-assessment

Before applying for the Security Assessment, the data processors must first conduct a self-assessment. The Measures further set out the key contents of the assessment, including:

  1. The legality, legitimacy and necessity of the data export and the purpose, scope and means of the data processing by overseas recipients;
  2. The scale, scope, types, and sensitivity of the data to be exported and any risks of the export to national security, public interest, and legal interests of individuals or organisations;
  3. Whether the undertakings and the corresponding management and technical measures and capability of the overseas recipient will ensure safety of the data export;
  4. The risks of unauthorised alteration, destruction, leak, loss, transfer or illegal acquisition or use of the data during and after the export, and the effectiveness of the channels for individuals to exercise their individual rights to the personal information; and
  5. Whether the contract or other documents of equivalent legal effect (“Legal Documents”) to be entered into between the overseas recipient and data processors have adequately provided for the data security protection obligations.

Under the PIPL, personal information processors are mandated to conduct personal information protection impact assessment (“PIPIA”) on the export of personal information. A question arises as to whether a PIPIA under the PIPL will automatically satisfy the requirement for the self-assessment conducted under the Measures. In the absence of clear guidance or prohibition, the data processors may be able to combine the PIPIA and the self-assessment in a single exercise, if they need to apply for the Security Assessment.

III. Security Assessment

Application materials and key considerations

Where the Security Assessment is required, the data processor must submit the following materials:

  1. An application letter, the form of which is not specified and should be a standard one to be published by the CAC;
  2. A report on the self-assessment of data export risks;
  3. The Legal Document that the data processor and the overseas recipients propose to enter into; and
  4. Other materials as required by the authorities.

The Security Assessment will focus on the following aspects of the data export to evaluate the risks to national security, public interest and legal interests of individuals and organisations:

  1. The legality, legitimacy and necessity of the purpose, scope and means of the data export;
  2. The impact of the data security protection laws and policies and cybersecurity environment of the nation or region of the overseas recipient’s domicile on data transfer security and whether the level of data protection of the overseas recipient meets the requirements of the laws, regulations and mandatory national standards of China;
  3. The scale, scope, types and sensitivity of the exported data and the risks of unauthorised alteration, destruction, leak, loss, transfer or illegal acquisition or use of the data during and after the export;
  4. Whether data security and personal information rights are adequately protected;
  5. Whether the Legal Document to be entered into between the overseas recipients and data processors has adequately provided for data security protection responsibilities and obligations;
  6. Compliance with Chinese laws, regulations and ministerial rules; and
  7. Other items that the CAC considers necessary.

One of the above aspects that requires further guidance is how the CAC will determine whether the data protection level of a particular country or region is adequate. There is no indication that the CAC will publish a whitelist of countries and regions that will be considered to meet the requirements, although a whitelist would be more sensible considering that not all data processors may be capable of making that assessment. As such, it appears at this stage that the CAC will determine the data protection level on a case-by-case basis.

Procedures and timeline

The CAC at central level will be responsible for conducting the governmental assessment. The data processors must submit the application to the CAC of provincial level, which will have five business days to review completeness of application materials before passing the application on to the central CAC. Incomplete applications will be returned to the applicants, who will also be notified of the supplemental materials that should be provided.

The central CAC will determine, and notify the data processors in writing, whether their applications will be accepted within seven working days of receiving the application. If the application is accepted, the central CAC will organise provincial CACs, governmental ministries and specialised institutions to conduct the Security Assessment.

The central CAC is required to complete the Security Assessment within 45 working days of accepting the application and has the power to extend the time period in complicated cases or where supplemental or corrected materials need to be provided, after notifying the applicants of the extended period. The data processors will be notified in writing of the assessment result, which will be valid for two years from the date of issuance of the result. Notably, the Measures remove the 60 business days’ limit on the maximum time period in complicated or prolonged cases, and the whole process could now take 57 business days or more.

Reassessment

If a data processor is not satisfied with the decision of the CAC, the data processor may apply for a reassessment within 15 business days of receiving the decision.

The data processors must file an application to reassess the data transfers at least 60 working days before the expiry of the assessment results, if they would like to continue the data exports. However, a reassessment will be required earlier in the following circumstances:

  1. There are changes to the purposes, means, scope or types of the data export or the purposes and means of the data processing by the overseas recipient, which impact the security of data export, or extension of overseas storage period of the personal information and important data;
  2. There are changes to the data security protection policy and regulations or legal environment of the country or region of the overseas recipient’s domicile or any other force majeure events, or there are changes to the actual control of the data processor or overseas recipient, or the legal document between the data processor or overseas recipient, which may affect data export security; or
  3. Other situations that may affect security of data export.

The Measures include “force majeure events” as one of the circumstances in which a reassessment is required but do not provide any further guidance as to how to determine that a force majeure event has happened. We note that force majeure is a contract law concept: under the Civil Code, parties to a contract may be exempted from performing some or all of their obligations if continued performance has been rendered impossible. However, it is unclear how this civil law concept will be interpreted in the context of administrative regulations in the absence of a contract between the applicant and the CAC.

The CAC may have contemplated that the reassessment should apply if a force majeure event has rendered impossible the performance of the Legal Document between the data processors and the overseas recipients. Whilst the reasoning may be a valid one, the current wording does not provide any express support for such an interpretation, except that the Legal Document must provide for the security measures that the overseas recipient should take in the case of a force majeure event.

Another interpretation is that any unforeseeable, unavoidable and insuperable event happening in the foreign country or region may have made it impossible to maintain protection of the data at the expected level. If this is the case, the regulation should have given more guidance as to what will be considered a force majeure event and in what circumstances such an event will require a reassessment; in the absence of such guidance, data processors will need to make their own evaluation, which will be difficult.

IV. The data export contract

Both the Security Assessment and the self-assessment have put a great emphasis on the Legal Document to be entered into between the data processors and the overseas recipients. In particular, the Measures have set out the mandatory contents for such contracts, which include:

  1. The purpose, means and scope of the data export and the use and means of the data processing by the overseas recipient;
  2. The location and period of the overseas storage of the data and the disposal measures upon the expiry of the storage period, fulfilment of the processing purpose or termination of the Legal Document;
  3. Requirements restricting the overseas recipients from transferring the data to other organisations or individuals;
  4. Security measures to be taken upon material change of actual control or business scope of the overseas recipient, or changes to the data security protection regulation and cybersecurity legal environment of the country or region of the overseas recipient’s domicile or such other force majeure event which render it difficult to ensure data security;
  5. Remedial measures and liability for breaching data security obligations and dispute resolutions clauses; and
  6. Requirement to take contingency measures in the event of unauthorised alteration, destruction, leak, loss, transfer or illegal acquisition or use of data, and to ensure that individuals have channels and means to exercise rights to their personal information.

Interestingly, the PIPL provides that personal information processors may adopt a “standard contract” on personal information export, and the CAC released the draft standard contract on 30 June this year. It is unclear whether signing the standard contract will automatically satisfy the above requirements. Apparently, for export of important data, the data processor and overseas recipient will need to sign a contract prepared by the parties in the absence of a standard contract.

The Measures also require the Legal Document to restrict subsequent transfers after the data export but do not specify what the restrictions will be. It is likely that the overseas recipients will need to sign a contract with transferees to impose certain data protection obligations on the transferees, but it remains a question as to whether signing a contract will be considered adequate.

V. Grace period

The Measures require all data processors to complete rectification and comply with the requirements for data export thereunder within six months (“Grace Period”) of the Measures taking effect on 1 September 2022.

However, the Measures do not specify the criteria by which a data processor will be considered to have achieved compliance. In particular, does it mean that data processors subject to the Security Assessment must obtain a decision from the CAC before the end of the Grace Period? If so, the timeframe for remediation actions by the data processors and the Security Review process would be extremely tight. The CAC should be prepared to receive and process a large volume of applications for the Security Assessment in the next few months and consider whether the backlog of applications could result in a failure of the CAC to complete the Security Assessments before the end of the Grace Period.

It is also possible that compliance with the Measures is determined by whether the data processors have filed an application for the Security Assessment by the end of the Grace Period, which seems to be a more reasonable approach. Either way, the CAC should clarify whether a data processor should be held liable for violating the Measures, if it continues to export data while waiting for the decision of the CAC.

In addition, for processors of important data, the timeline would appear even more challenging given that the scope of important data is not clear. Even if the CAC and sectoral regulators can provide detailed guidance for identifying important data in the next few months, those data processors will have an even shorter timeframe to complete the remediation and application process.

Our Recommendations

With the tight timeframe for compliance with the Measures, data processors should start to take actions immediately. We would recommend that data processors in China take the following actions:

  1. Assessing or re-assessing their data inventory and determining whether their processing and exporting activities have triggered or will trigger the Security Assessment; and if so
  2. Localising the storage of the data;
  3. Establishing a record of data exports and foreign recipients and starting to notify them of the requirement to enter into the Legal Document;
  4. Preparing and entering into the Legal Document with overseas data recipients;
  5. Conducting the self-assessment pursuant to the Measures and taking remediation actions to address issues that could impact data export security;
  6. Preparing materials for the Security Assessment and submitting a formal application to the CAC; and
  7. Applying for a reassessment if necessary.

Conclusion

Despite the ambiguities and issues that could prove to be problematic in implementation, the Security Assessment has now become an enforceable requirement for certain data processors in China. The Measures have provided for a short Grace Period, and therefore data processors affected by the Measures should take immediate actions to ensure compliance.
