China's Measures for Security Assessment for Outbound Data Transfer
As supplementary measures for China's Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, China's Cybersecurity Administration conducted a consultation last year on the Measures for Security Assessment for Outbound Data Transfer (called the "Measures" in this article). The consultation ended in Nov 2021. The Measures were passed on 19 May 2022 and came into effect on 1 Sep 2022. The Measures are the first step in formalizing the process for pre-export risk assessment and continuous monitoring during the export.
It should be noted that the "data" referred to in the Measures, as well as the data referred to in the Cybersecurity Law and the Data Security Law, are not limited to the personally identifiable information we typically discuss in this group. The data could include financial data, operational data (e.g. energy consumption, cargo fleet volume, etc.) or other data related to business activities (e.g. materials inventory) that may be relevant to national security.
According to the Measures, all data processors (not to be confused with the processor as defined in GDPR, but all organizations that process data) that need to transfer data collected or produced during business operations outside of China shall:
(1) conduct a risk assessment;
The risk assessment shall include the following:
- purpose, method and scope of the transfer;
- the level of protection by the data protection laws at the destination country / region;
- the quantity, scope, categories of the data to be transferred, and the risks that these data could be breached, altered, lost, damaged, or subsequently transferred;
- the level of protection of the agreement between the data processors and the receiving party (see (3) below);
- how the relevant Chinese laws are complied with;
- other items to be assessed as required by the Cybersecurity Administration.
(2) submit an application, together with the risk assessment results, to the corresponding Cybersecurity Administration office if one or more of the following applies:
- the processing of personal data and important data belongs to an operator of key information infrastructure (e.g. telcos);
- the data contain important data (although what is "important" is not defined in the Measures);
- transfer of any volume of personal data by data processors that process over 1 million personal data;
- transfer of a cumulative total of over 100,000 personal data or 10,000 sensitive personal data since 1 Sep 2021;
- other conditions as deemed appropriate by the Cybersecurity Administration. The Administration will inform the data processor whether the application is approved.
(3) establish an agreement between the data processor and the party receiving the data stipulating the responsibilities of both parties. The agreement shall include the following:
- purpose, scope and method of the transfer, as well as the purpose of the receiving party;
- where the data are to be stored, its retention period, and handling of these data upon completion of the processing or termination of the agreement;
- binding clauses regarding sub-processing of the data by the receiving party;
- the security measures to be taken if the receiving party undergoes a significant material change (e.g. management reorganization), or if the data protection law of the country / region where the receiving party resides changes;
- binding clauses regarding breaching of the agreement;
- emergency responses if data breach occurs;
(4) review the risk assessment and renew the application every two years.
Along with the Measures, a risk assessment report template, guidelines for the application, and an application form were also released.
Article provided by INPLP member: Chris Yau (SGS Hong Kong Limited, Hong Kong)
Dr. Tobias Höllwarth (Managing Director INPLP)