Outbound Data Transfer Security Assessment Measures

published on 10 August 2022

by Felix Engelhardt

This article is the fourth part of the article series Cross-border Data Transfer in China and is dedicated to security assessment measures for cross-border data transfers.

The fast, secure and smooth transfer of data of all kinds between companies in China and abroad is essential at almost all levels, whether in the context of transnational research and development projects, for operational business or in the course of corporate transactions, to name just a few important examples.

The regulatory superstructure in the People's Republic of China has so far raised more questions than answers. Recent developments regarding the possibility of certifying certain data transfers, as well as the safeguarding of such transfers through government-mandated standard contracts, have provided limited clarity for the transfer of personal data abroad.

To conclude our three-part series of articles on recent legal developments in cross-border data transfers from China, in this third part we would like to introduce the highly anticipated Outbound Data Transfer Security Assessment Measures ("Measures"), the final version of which was released by the Cyberspace Administration of China ("CAC") on July 7, 2022.

Work on regulations to implement the basic data export ban from China's Cybersecurity Law ("CSL") began as early as 2019, but at that time, a corresponding draft was still limited to the transfer of personal information. After the CSL was complemented in 2021 by the other two pillars of China's network and data regulation, namely the Data Security Law ("DSL") and the Personal Information Protection Law ("PIPL"), the CAC saw the need to revise the old draft implementing regulations from 2019 to reflect the changed legal situation. A draft of the Measures was published in October 2021 for public comment until November 28, 2021. The final version now published is essentially the same as the draft.

Outbound Data Transfer Security Assessment Measures

At their core, the Measures mandate mandatory government security review by CAC in advance of certain cross-border data transfer activities, namely when

the data transferred is so-called "important data";
personal information is transferred either by critical information infrastructure operators or by data processors that process information from more than 1 million individuals;
data processors have transferred personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals since January 1 of the previous year;
other CAC regulations require a prior security review before exporting data.

It should be noted that in the above cases, not only a transfer abroad of data collected or generated in China triggers an obligation to apply for the security clearance, but also access from abroad to data stored in China.

If the transfer falls under one of the listed categories, an application must be submitted to the locally responsible subdivision of the CAC, providing the following documents:

completed application form;
a risk assessment report;
legal document for transfer between transferor and transferee abroad;
other documents deemed necessary by CAC.

The risk assessment to be carried out by the transferor itself must take into account aspects such as the types and volume of data to be transferred, the risks of the transfer to national security, the public interest or rights and interests of individuals and organizations, and the technical and organizational capabilities of the data recipient.

According to the Measures, the "legal document" to be concluded with the recipient may be a contract or any other document with legal effect regulating the respective obligations and responsibilities for data security, but at least

the purpose, manner and scope of the data transfer abroad;
location and duration of data storage abroad, as well as measures for handling the data transferred abroad when the storage period is reached, the agreed purpose is fulfilled or the legal document is terminated;
restrictions for the recipient to disclose the exported data to third parties;
security measures to be taken if there is a significant change in the recipient's actual control authority or scope of operations, or if changes in data protection policies and regulations or the cybersecurity environment of the recipient's country or region, or other force majeure circumstances, result in difficulties in ensuring data security;
remedies, liability, dispute resolution;
measures and channels for individuals to assert their rights.

Once the documents have been submitted, the security review procedure is – in simplified terms – as follows:

review of documents by local CAC authority for completeness (5 days);
if complete, forward to national CAC; if not complete, notify applicant and request correction;
preliminary review by CAC whether to initiate security review and notify applicant accordingly (7 days);
conduct security review involving relevant national and local authorities, institutions, organizations, etc. (45 days, extension possible in complicated cases or if documents are subsequently submitted/corrected);
written notification to the applicant of the result of the security review;
if applicant disagrees with result, possibility of reconsideration by CAC (within 15 days from the date of receipt of the first reconsideration result).

Should the CAC approve the transfer, this positive decision is valid for two years to the extent of the review. Should the circumstances underlying the data transfer change during these two years, the transferors are obliged to submit a new request for data transfer. The same applies after the expiration of the two years, provided that the respective data export is to be continued. In addition, the CAC may prohibit the transfer on its own initiative even after it has been approved once, should relevant changes have occurred in the meantime. In this case, the transferor can only submit a new application after taking the necessary corrective measures.

Violations of the obligations under the Measures may be sanctioned in accordance with the CSL, the DSL, the PIPL, or under criminal law provisions.

Our Opinion and Recommendations

Since the measures in their final form are essentially the same as the 2021 draft, there are no major surprises. It can be assumed that a large number of comments were received within the deadline (an exact number was not published by the CAC). However, the only marginal deviations in the final version indicate how unwilling the Chinese government is to deviate from its clear line in this highly sensitive area of security and economic policy.

Key questions such as the scope of "important data" remain despite (or perhaps because of) only a very general definition in the Measures. With the exception of the automotive industry, companies remain in the dark about which of their diverse data will qualify as "important" and thus be subject to the more stringent requirements of relevant laws and regulations (including the Measures). Moreover, it is not entirely clear how the cut-off date of January 1 of the previous year will be applied to calculate the thresholds. Nor can it be said with certainty which "other documents with legal effect" may satisfy the requirements of the Measures. Finally, it is not clear whether and how detailed the applicant will be informed about the content of the security review or will only be informed about the result. The latter is more likely.

The Measures grant companies a transition period of 6 months for data transfers that began before the Measures come into force on September 1, 2022. This period is very short and puts pressure on companies to review all data exports and secure them in accordance with the requirements of the Measures. Due to the uncertainty regarding "important data", all companies operating in China can only be strongly recommended to proactively conduct a self-assessment at least in the first step, in order to make any necessary adjustments in a second step and to coordinate the new situation with relevant data recipients abroad.