On 1 September 2022, the Measures of Security Assessment for Data Export (Measures) which was released by the CAC on 7 July 2022 took effect, indicating that the security assessment regime set out by the Cybersecurity Law (CSL), the Data Security Law (DSL) and the PIPL has been established.
Under the Measures, the Security Assessment applies to “export by the data processors of important data and personal information that is collected and generated in the course of operations in the territory of China”. Apparently, export of important data and personal information collected or generated outside of China will be out of the scope. But the remote access from a foreign jurisdiction is considered as an export of personal information (PI) to that jurisdiction.
The Measures also lay down detailed scenarios where the Security Assessment applies to data export, which include:
Before applying for the Security Assessment, the data processors must first conduct a self-assessment. The Measures set out the key contents of the self- assessment, including:
Where the Security Assessment is required, the data processor must submit the following materials, including:
The Security Assessment will focus on the following aspects of the data export to evaluate the risks to national security, public interest and legal interests of individuals and organisations:
The data processors must submit the application to the CAC of provincial level, which will have 5 working days to review completeness of application materials before passing the application on to the central CAC.
The central CAC is required to complete the security assessment within 45 working days of accepting the application and has the power to extend the time period in complicated cases or where supplemental or corrected materials need to be provided, after notifying the applicants of the extended period. The data processors will be notified in writing of the assessment result, which will be valid for two years from the date of the issuance of the result and the whole process could take 57 working days or more.
Where the export activities fall into the scenarios where a security assessment is required, data exporters have to apply for the security assessment and get the assessment approval, or they may be fined by the regulators according to the CSL, the DSL and the PIPL, which could be up to the higher of 50 billion CNY or 5% of last year’s turnover. Considering the short grace period, the data processors affected by the Measures should take immediate actions to ensure compliance.
The CAC has released the Guidelines on the Application for Security Assessment for Data Export and several provincial CAC (incl. Beijing, Tianjin, Hebei, Shanghai, Jiangsu and Zhejiang) have provided contact detail for consultation. It is expected that more law enforcement actions will emerge since the 6-month grace period has passed.
On 28 September 2023, the CAC released the draft Regulation for Administering and Promoting Cross-border Data Flow (“Draft Regulation”) for public consultation, which proposes to make substantial changes to the current data export regime.
The CAC released the Draft Regulation to implement the central government’s policy of boosting economic growth and foreign investment and to address concerns over the burdensome and complex compliance obligations under the current Data Export Regime.
The Draft Regulation exempts a wide range of data export activities from the entire Data Export Regime and, by amending the Thresholds, significantly reduces the number of data exporters that are required to apply for the Governmental Assessment.
If the Draft Regulation is implemented as it is, then many data exporters will be released from all or part of their obligations under the current Data Export Regime.
For our comments on the Draft Regulation, please see here.
*Information is accurate up to 27 November 2023