China Adopts Measures on Security Assessment for Data Export | Pillsbury Winthrop Shaw Pittman LLP

Security assessment for data export, which was discussed in detail in the Cyber Security Law (as of June 1, 2017, see our previous alert), the Data Security Law (from September 1, 2021, see our previous alert) and the Privacy Act (from November 1, 2021, see our previous alert), requires Critical Information Infrastructure (CII) operators and contractors that process personal information above a certain threshold to pass a security assessment by the CAC before exporting certain personal data and information. The measures establish the legal regime of security assessment for data export and will have a significant impact on business operators in China who process and export important data or certain amounts of personal information overseas.

I. Scope of the measures

A security assessment is required before a data processor exports data overseas if it is in one of the following circumstances:

See chart.

Please note that data export includes not only the scenario where data collected and generated within the PRC is transferred and stored outside the PRC, but also the scenario where a foreign entity or individual is granted permission to access or use the data stored in the PRC.

II. Security assessment procedures

1. Self-assessment

Before a subcontractor requests a data export security assessment from the CAC, it is required to carry out a self-assessment with a focus on the following aspects:

  1. the legality, legitimacy and necessity of the purpose, scope and methods of exporting the data, and the processing of the data by the foreign recipient;
  2. the scale, scope, type and sensitivity of the data export, and the risks to national security, the public interest, or the legitimate rights and interests of individuals or organizations, caused by such data export;
  3. the duties and obligations that the foreign recipient undertakes to fulfill, and whether the organizational and technical measures and capacities of the foreign recipient can guarantee the security of the data export;
  4. the risks that the data will be tampered with, destroyed, disclosed, lost, transferred, unlawfully obtained, or unlawfully used during and after the data export, and whether there is an effective channel to protect personal information rights and interests;
  5. whether the responsibilities and obligations for data security protection are fully agreed in the relevant contracts or other legally binding documents to be concluded with the foreign recipient (legal instrument); and
  6. other issues that may affect the security of data export.

2. Government assessment requirements and timeline

a. Submission of materials
After a data controller completes the self-assessment and before entering into a formal legal instrument with the foreign recipient, if it determines that the proposed data export meets any of the thresholds summarized in Section I above, it must submit (i) a request letter, (ii) the self-assessment report, (iii) the proposed legal instrument, and (iv) any other material necessary for the security assessment to the relevant provincial-level CAC (provincial CAC).

b. Timeline
The provincial CAC has up to five business days to review the application materials and determine if the application materials are complete. Once approved, the provincial CAC will forward the application materials to the national CAC. The CAC has up to seven business days to review the application materials to determine whether it accepts the application and will send a written notice to the data controller. The CAC, within 45 working days from the date of sending the written notice of acceptance to the data controller, will carry out the security assessment.

Thus, the total government security assessment review period is 57 business days if the application materials are complete and acceptable to the CAC. However, the government assessment period may be extended for a reasonable amount of time if there are complications or if additional or corrected documents are required. Due to the lack of an explicit limit on the extended period, the CAC has the discretion to extend its review and assessment for as long as it deems necessary.

If a data processor disagrees with the results of the assessment, it may, within 15 business days of receiving the results of the assessment, apply to the CAC for a reassessment, and the results of the reassessment will be final.

c. Subject of the examination
The key factors that the CAC will consider when conducting the security assessment are similar to, but broader than, those in the self-assessment described above. They include the impact of the data security protection policies and regulations, as well as the network security environment, of the country or region where the foreign recipient is located on the security of the data to be exported.

3. Other notable requirements

The result of the security assessment is valid for two years. A data controller is also required to resubmit a government security assessment request in certain circumstances, such as when the purpose of the cross-border data transfer has changed.

III. Our findings and recommendations

The Measures apply not only to domestic Chinese enterprises that export data out of China in cross-border transactions, but also to the transfer/sharing of data by Chinese subsidiaries of multinational corporations (MNCs) to their overseas headquarters and their subsidiaries within the same MNC group. This happens on a daily basis, as the sensitive personal information of employees of the China operations of foreign companies or organizations is transferred to the overseas head office for human resource management purposes, or when the information of customers/suppliers/distributors based in China is exported for commercial purposes. Multinationals operating in China should take the Measures seriously and start reviewing their cross-border data transfer practices as soon as possible with the advice of a lawyer.

The Measures provide a grace period of six months from the effective date of the Measures (September 1, 2022) for a data processor to rectify data exports that occurred before September 1, 2022, but do not comply with the requirements of the Measures. We suggest that multinational companies that have operations and subsidiaries in China, and that have obtained or have access to important data and/or personal information from China, cause each of their subsidiaries in China to evaluate, with the advice of a lawyer, whether its cross-border data transfer is subject to the Measures and the CAC government security assessment by examining the following key elements:

  • if it is a Critical Information Infrastructure (CII) operator;
  • if it processes and exports important data;
  • if it processes the personal information of one million or more people;
  • whether it has transferred the personal information of 100,000 or more individuals on a cumulative basis since January 1 of the previous year; and
  • whether it has transferred sensitive personal information of 10,000 or more people on a cumulative basis since January 1 of the previous year.

If the data controller in China meets any of the above thresholds, the cross-border data transfer will be subject to self-assessment and the CAC government security assessment before the data is transferred out of China as part of a cross-border transfer.

On the other hand, if and only if none of the thresholds listed above are met, the data controller in China can rely on a data sharing/transfer agreement with the foreign recipient without the CAC government security assessment. In particular, on June 30, 2022, the CAC published the draft Standard Contract Provisions for Cross-Border Transfers of Personal Information (Draft Provisions, “《个人信息出境标准合同规定(征求意见稿)》” in Chinese). According to the draft provisions, a standard data sharing/transfer contract can only be invoked for cross-border data transfer if a data processor in China does not meet any of the thresholds listed above (as further detailed in Section I of this article). The draft provisions and an attached draft model contract set out the main provisions that should be included in the model contract for cross-border data sharing. In addition, the draft provisions require a data controller to conduct a privacy impact assessment (which is a self-assessment) before transferring personal information overseas. The transitional provisions also require the data controller to file both the standard form contract and the report of its privacy impact assessment with the relevant provincial CAC within 10 business days of the entry into force of the standard contract. Unlike the government security assessment described in Section II of this alert, this is a filing process rather than an approval process with the government authority.

In addition, on June 24, 2022, China’s National Information Security Standardization Technical Committee released the Practical Guidelines for Cybersecurity Standards – Specification for Security Certification of Cross-Border Processing of Personal Information (Certification Specification, “《网络安全标准实践指南-个人信息跨境处理活动安全认证规范》” in Chinese), which takes effect on the same date. According to the Certification Specification, which is a national standard rather than a law or mandatory regulation, certification may be obtained for (i) the cross-border processing of personal information between subsidiaries or affiliates of a multinational or the same economic entity; or (ii) the analysis and evaluation of the behavior of Chinese natural persons outside the PRC. Thus, if the PRC subsidiary of a multinational in China does not reach any of the thresholds listed above (Section I of this article), the Chinese subsidiary of the multinational may also apply to obtain a security certification from a certification unit in China for the cross-border transfer of data with its subsidiaries abroad in accordance with the requirements of the Certification Specification. However, neither the Certification Specification nor any other published regulations have identified any specific institution qualified to perform such certification.
