Privacy & Data Protection

China: Security Assessment

Latest developments

On 1 September 2022, the Measures of Security Assessment for Data Export (Measures), which were released by the CAC on 7 July 2022, took effect, indicating that the security assessment regime set out by the Cybersecurity Law (CSL), the Data Security Law (DSL) and the PIPL has been established.

Summary

Under the Measures, the Security Assessment applies to “export by the data processors of important data and personal information that is collected and generated in the course of operations in the territory of China”. It appears that export of important data and personal information collected or generated outside of China falls outside the scope. However, remote access from a foreign jurisdiction is considered an export of personal information (PI) to that jurisdiction.

The Measures also lay down detailed scenarios where the Security Assessment applies to data export, which include:

  • Export of important data;
  • Export of personal information by critical information infrastructure (CII) operators;
  • Export of personal information by a data processor that processes personal information of 1,000,000 individuals or more;
  • Export of personal information by a data processor that has, since 1 January of the previous calendar year, exported in aggregate (i) personal information of over 100,000 individuals or (ii) sensitive personal information of over 10,000 individuals; and
  • Such other circumstances as designated by the CAC.

Before applying for the Security Assessment, data processors must first conduct a self-assessment. The Measures set out the key contents of the self-assessment, including:

  • The legality, legitimacy and necessity of the data export and the purpose, scope and means of the data processing by overseas recipients;
  • The scale, scope, types, and sensitivity of the data to be exported and any risks of the export to national security, public interest, and legal interests of individuals or organisations;
  • Whether the undertakings and the corresponding management and technical measures and capability of the overseas recipient will ensure safety of the data export;
  • The risks of unauthorised alteration, destruction, leak, loss, transfer or illegal acquisition or use of the data during and after the export, and the effectiveness of the channels for individuals to exercise their individual rights to the personal information; and
  • Whether the contract or other documents of equivalent legal effect to be entered into between the overseas recipient and data processors have adequately provided for the data security protection obligations.

Where the Security Assessment is required, the data processor must submit materials including:

  • An application letter, the form of which is not specified and should be a standard one to be published by the CAC;
  • A report on the self-assessment of data export risks;
  • The legal document that the data processor and the overseas recipients propose to enter into; and
  • Other materials as required by the authorities.

The Security Assessment will focus on the following aspects of the data export to evaluate the risks to national security, public interest and legal interests of individuals and organisations:

  • The legality, legitimacy and necessity of the purpose, scope and means of the data export;
  • The impact of the data security protection laws and policies and cybersecurity environment of the nation or region of the overseas recipient’s domicile on data transfer security and whether the level of data protection of the overseas recipient meets the requirements of the laws, regulations and mandatory national standards of China;
  • The scale, scope, types and sensitivity of the exported data and the risks of unauthorised alteration, destruction, leak, loss, transfer or illegal acquisition or use of the data during and after the export;
  • Whether data security and personal information rights are adequately protected;
  • Whether the Legal Document to be entered into between the overseas recipients and data processor has adequately provided for data security protection responsibilities and obligations;
  • Compliance with Chinese laws, regulations and ministerial rules; and
  • Other items that the CAC considers necessary.

Data processors must submit the application to the provincial-level CAC, which will have 5 working days to review the completeness of the application materials before passing the application on to the central CAC.

The central CAC is required to complete the security assessment within 45 working days of accepting the application. It has the power to extend this period in complicated cases, or where supplemental or corrected materials need to be provided, after notifying the applicant of the extended period. The data processor will be notified in writing of the assessment result, which will be valid for two years from the date of issuance. The whole process could take 57 working days or more.

How could it be relevant for you?

Where export activities fall within the scenarios in which a security assessment is required, data exporters must apply for the security assessment and obtain approval; otherwise they may be fined by the regulators under the CSL, the DSL and the PIPL, with fines of up to the higher of 50 billion CNY or 5% of last year’s turnover. Considering the short grace period, data processors affected by the Measures should take immediate action to ensure compliance.

Next steps

The CAC has released the Guidelines on the Application for Security Assessment for Data Export, and several provincial CACs (incl. Beijing, Tianjin, Hebei, Shanghai, Jiangsu and Zhejiang) have provided contact details for consultation. It is expected that more law enforcement actions will emerge since the 6-month grace period has passed.

On 28 September 2023, the CAC released the draft Regulation for Administering and Promoting Cross-border Data Flow (“Draft Regulation”) for public consultation, which proposes to make substantial changes to the current data export regime.

The CAC released the Draft Regulation to implement the central government’s policy of boosting economic growth and foreign investment and to address concerns over the burdensome and complex compliance obligations under the current Data Export Regime.

The Draft Regulation exempts a wide range of data export activities from the entire Data Export Regime and, by amending the Thresholds, significantly reduces the number of data exporters that are required to apply for the Governmental Assessment.

If the Draft Regulation is implemented as it is, then many data exporters will be released from all or part of their obligations under the current Data Export Regime.

*Information is accurate up to 27 November 2023
