
Measures for Security Assessment of Outbound Data Exposure Draft

Author: WU Weiming, YAO Xinyu 2022-04-22

The cross-border transfer of important data and personal information is a common scenario for cross-border operations of enterprises. The Cybersecurity Law, Data Security Law and the Personal Information Protection Law have established a security assessment system for the outbound transfer of important data and personal information.


On October 29, 2021, the Cyberspace Administration of China (CAC) issued the Measures for Security Assessment of Outbound Data (Exposure Draft) (the “Exposure Draft”) and sought public comments.


After the Cybersecurity Law (effective on June 1, 2017) first stipulated the requirements for cross-border security assessment of data, the CAC issued the Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Exposure Draft) on April 11, 2017 and the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comments) on June 13, 2019. However, because the Data Security Law and the Personal Information Protection Law had not yet been promulgated at that time, the conditions for officially launching the data export security assessment system were not yet ripe.


With the promulgation of the Data Security Law and the Personal Information Protection Law, the legal basis has gradually been clarified, and society has paid unprecedented attention to the issue of cross-border transfer of data held by enterprises. In this context, the timely release of the Exposure Draft is conducive to regulating cross-border data activities. Its content deserves the attention of enterprises engaged in cross-border data activities so that they can make preparations in advance.


I. Applicable Conditions

The Exposure Draft adopts a combined legislative approach covering both "the outbound transfer of personal information and the outbound transfer of important data" (Article 2 of the Exposure Draft). It integrates the outbound security assessment requirements of the Cybersecurity Law, Data Security Law and Personal Information Protection Law, laying a foundation for the unified application of the data outbound transfer system.


1. Situations Requiring Security Assessment

According to the Exposure Draft, there are five situations in which a data cross-border security assessment must be declared to the national cyberspace administration through the local provincial cyberspace administration (Article 4 of the Exposure Draft). The details are as follows:

(1) where the outbound data comprises personal information and important data collected and generated by operators of critical information infrastructure;

(2) where the outbound data contains important data;

(3) where a personal information processor that processes the personal information of more than one million people provides personal information to entities overseas;

(4) where the personal information of more than 100,000 people or the sensitive personal information of more than 10,000 people is cumulatively transferred overseas; or

(5) other circumstances under which a security assessment of outbound data is required as prescribed by the CAC.


2. Legal Significance of “Million” Level Personal Information

The third situation above corresponds to the personal information processor "whose processing of personal information reaches the amount specified by the CAC" referred to in the Personal Information Protection Law. In addition, the Cybersecurity Review Measures stipulate that personal information processors holding the personal information of one million people or more must pass a cybersecurity review before listing abroad. It can be seen from these provisions that the personal information of one million people may become an important threshold for judging the impact of personal information processing activities on national security.


II. Requirement of Assessment

In the Exposure Draft, self-assessment is an obligation that every data processor providing data abroad must fulfill (Article 5 of the Exposure Draft), and the materials to be submitted for the data outbound security assessment include the outbound data risk self-assessment report. In addition to the self-assessment report, the materials specified in the Exposure Draft include the declaration form, the contract or other legally binding documents to be concluded between the data processor and the overseas recipient, and any other materials required for the security assessment (Article 6 of the Exposure Draft). The correspondence between the requirements of the self-assessment and those of the security assessment is summarized in the following table:


[Table: Comparison of requirements of self-assessment and security assessment (image not reproduced)]


III. Contract Requirements

For the proposed contract between the data processor and the overseas recipient mentioned in the assessment materials, the Exposure Draft also sets requirements on the contents it should include (Article 9 of the Exposure Draft). These requirements should be regarded as the essential terms of the contract; they are also related to the requirements of the self-assessment and the security assessment, and can serve as the basis for the key matters of assessment. They are as follows:

1. The purpose and method of transmitting the data abroad and the scope of the outbound data, as well as the purpose and method of data processing by the overseas recipient;

2. The place and duration of overseas storage of the data, as well as the measures to be taken with the data after the storage period expires, the agreed purpose is fulfilled or the contract is terminated;

3. Restrictive clauses prohibiting the overseas recipient from re-transferring the outbound data to other organizations or individuals;

4. Security measures to be taken in case of any substantial change in the actual control or business scope of the overseas recipient, or any change in the legal environment of the country or region where the overseas recipient is located, which makes it difficult to guarantee data security;

5. Liability for breach of data security protection obligations, and binding and enforceable dispute resolution clauses;

6. Proper emergency response in case of data leakage and other risks, and assurance of smooth channels for individuals to safeguard their personal information rights and interests.


For the contract signed for the outbound transfer of data, it should be noted that it is different from the contract under Article 38 of the Personal Information Protection Law. Article 38 stipulates that a personal information processor may sign a standard contract formulated by the CAC with an overseas recipient in order to transfer personal information outside the country. The circumstances for signing a standard contract under Article 38 apply to personal information processors that are not required to undergo the data outbound security assessment. The standard contract there is therefore a different concept from the guidance on the contents of the contract in Article 9 of the Exposure Draft.


IV. Legal Liability

Those who fail to fulfill the obligation of data outbound security assessment are subject to the liability provisions of the Cybersecurity Law, Data Security Law and Personal Information Protection Law (Article 17 of the Exposure Draft). The relevant legal liabilities are summarized in the following table:


[Table: Comparison of Relevant Legal Liability Provisions (image not reproduced)]

V. Summary

The Exposure Draft is a refinement of the data outbound transfer system established in the Cybersecurity Law, Data Security Law and Personal Information Protection Law. It integrates the cross-border security assessment requirements for different types of data and sets the direction for the development of self-assessment and security assessment. Enterprises and other entities should pay close attention to the subsequent revision or promulgation of this Exposure Draft in order to reasonably plan their own data outbound activities.


China is not alone in having concerns regarding data protection. The EU, for example, has its GDPR regime for the protection of data transmitted outside the EU, including the use of Standard Contractual Clauses (SCCs) pre-approved by the EU. A similar approach can be found in the UK, where the UK International Data Transfer Agreement and Addendum also provide standard contractual clauses for use with cross-border data transfers.