[Co-Author: Lin Xia]
The much-anticipated Security Assessment Measures for Outbound Data Transfers (hereinafter referred to as “the Measures”) of China came into effect on September 1, 2022, and on the eve of the effective date, the Cyberspace Administration of China published the “Application Guidelines on Security Assessment of Outbound Data Transfers (Version 1)” (hereinafter referred to as “the Guidelines”) to be used in conjunction with the Measures. Thus, the “security assessment” mentioned in the Cyberspace Security Law, Data Security Law and Personal Information Protection Law has finally been put into practice. Whether and how to conduct the security assessment of outbound data transfers has become an important compliance issue for many enterprises involved in outbound data transfer scenarios, especially for multinational enterprises in China.
In this article, the author briefly explains the Measures and the Guidelines from four angles: the scope of application of the Measures, the security assessment process, the required materials, and suggestions on corporate compliance.
I. Application scope
What are the outbound data transfer scenarios specified in the Measures? According to Article 2 of the Measures and Article 1 of the Guidelines, outbound data transfers cover two types of scenario. The first is voluntary outbound transfer, i.e. data collected and generated by data processors in their daily operations are transmitted and stored abroad. A common case in practice is that domestic entities provide data to overseas entities through software channels such as e-mail, FTP, cross-border VPN and API, or through hardware such as USB flash drives, mobile hard drives and even portable laptops loaded with data; another is data uploaded or stored by domestic entities when using overseas servers. The second scenario is passive outbound transfer, in which the data collected and generated by data processors are stored within the territory, but institutions, organizations or individuals outside China can query, retrieve, download and export them. A common case in practice is that foreign entities obtain data by accessing public web pages, servers, databases or information systems deployed within the territory by domestic entities. Compared with voluntary outbound transfer, passive outbound transfer of data is more easily overlooked by enterprises.
What circumstances require an application for security assessment? According to Article 4 of the Measures, when any one of the following four conditions is met, it is necessary to apply for assessment in accordance with the provisions of the Measures.
(1) Outbound transfer of important data by a data processor;
(2) Outbound transfer of personal information by a critical information infrastructure operator or a personal information processor who has processed the personal information of more than 1,000,000 people;
(3) Outbound transfer of personal information by a personal information processor who has made outbound transfers of the personal information of 100,000 people cumulatively or the sensitive personal information of 10,000 people cumulatively since 1 January of the previous year; or
(4) Other circumstances where an application for the security assessment of an outbound data transfer is required as prescribed by the national cyberspace administration authority.
However, the currently effective laws and regulations, national standards and guidelines do not further clarify or explain the unspecified parts of the Measures (such as what constitutes important data, or the criteria for calculating the amount of personal information). At this stage, enterprises still need to refer to the published drafts of the relevant national standards for information security technology to make such judgments, which in turn makes it challenging for enterprises to complete internal data compliance checks in a short period of time.
II. Application for security assessment
If an enterprise, after reviewing its data flows, falls within the scope of application of the Measures, what process should it follow to carry out the data security assessment?
The Measures specify the security assessment process in detail. A self-assessment is conducted as the first step. The self-assessment report and other required materials are then submitted to the provincial-level cyberspace administration authority, which completes a completeness check of the materials and decides whether to forward them to the national cyberspace administration authority within five working days of receiving the application materials. The national cyberspace administration authority shall determine whether or not to accept the application within 7 working days after receipt, and shall complete the security assessment and inform the applicant of the results within 45 working days after issuing the notice of acceptance. The entire application process therefore takes a minimum of 57 working days. The pending period is extended further if the materials need to be supplemented or corrected.
Having walked through the application process, the next question is: what materials should an enterprise that needs to file an application prepare?
Article 6 of the Measures stipulates the materials to be submitted for security assessment, while the Guidelines further specify them and provide the corresponding templates. The application materials to be submitted mainly include the identity information of the applicant, the authorization letter for the person responsible for handling the application, the application form, the outbound data transfer contracts or other legally binding documents signed with the data recipient, the self-assessment report, and other supporting materials. It is worth noting that the application form requires the data processor to provide basic information about itself, its legal representative, its person in charge of data security and its data security management organization; information about the person responsible for handling the application; the business, purpose, method and links of the outbound data transfer; information about the outbound data; information about the overseas recipient, including its person in charge of data security and its management organization; and an explanation of the data processor's compliance with Chinese laws, administrative regulations and departmental rules.
The published Guidelines also come with a template for the self-assessment report, which requires data processors to describe and assess their basic situation, the outbound data, and their data security assurance capabilities, and likewise to assess the basic situation and data security assurance capabilities of the foreign recipient. The report should also explain what corrective measures have been taken for the problems and risks identified in the assessment and what effect those measures have had.
It should be noted in particular that the security assessment is not once-and-for-all. The assessment results are valid for two years from the date they are issued, and if an enterprise still carries out outbound data transfer activities after those two years, it should re-apply for the security assessment 60 working days before the expiration of the assessment results. Regular data security assessment will thus become one of the routine data compliance tasks for enterprises with cross-border transfer needs. At the same time, the Measures give enterprises that have not yet conducted a security assessment a six-month rectification period, requiring enterprises that fall within the scope of application to complete rectification within six months from the effective date of the Measures.
III. Suggestions on enterprise compliance
Outbound data transfer has become a key aspect of compliance that needs special attention in the course of enterprise operations. Outbound data transfer compliance requires comprehensive and effective identification of outbound data, continuous monitoring and supervision of outbound transfer paths and outbound interfaces, and the establishment of an outbound data transfer management system, so as to achieve comprehensive and routine compliance management of outbound data transfers. Based on the above, we suggest that enterprises begin their data compliance management work in the following areas as soon as possible.
1. The application form published in the Guidelines requires clear information about the person responsible for data security work and the management organization, for both the data processor and the foreign recipient. To carry out the security assessment of outbound data in a more orderly and efficient manner, enterprises that have not yet appointed a person responsible for data security work and a management organization should do so as soon as possible and clarify their responsibilities, working procedures and so on. For companies falling within the scope of application of the Measures, permanent positions are recommended, because security assessments need to be conducted on a regular basis.
2. As the rectification period granted by the Measures is only 6 months and the pending period is also long, enterprises with outbound data transfer needs should carry out an internal review, estimate the overall scale of their data transfers, and decide whether to apply for a security assessment as early as possible. Moreover, since the materials to be submitted involve a great deal of information about the overseas recipient, the enterprise should, in parallel with its internal review, communicate with the overseas recipient and prepare the basic paperwork, to avoid losing excessive time and effort to poor communication.
3. In the template provided by the Guidelines, data processors need to explain their “data security management capabilities, including management and organizational system and system building, the implementation of the system of the whole process management, classification and grading, emergency response, risk assessment, personal information protection, etc.” Enterprises that have not previously carried out data compliance work systematically should develop a data security management framework and data compliance rules and regulations that meet the aforementioned requirements as soon as possible, not only to satisfy the requirements of laws and regulations, but also to promote the effective and smooth implementation of their data compliance work. The Measures have merely 20 articles, and the Guidelines are only a few pages long, but they entail a great deal of data compliance work, which presents a considerable challenge for enterprises. In the digital era, we cannot and should not swim against the current; instead, we should comply with the requirements of the times, pay attention to data compliance work and implement it carefully.