China: the data authority issued its draft rules governing cross-border data transfers, seeking public comments
November 2, 2021
By Donnie Dong
The Cyberspace Administration of China (CAC) published its draft Measures on Security Assessment of the Cross-border Transfer of Data (2021 Draft), seeking public comments. The deadline for submitting the comments falls on November 28, 2021.
Previously, CAC has published two pieces of similar draft regulations in 2017 and 2019. The 2017 Draft (a.k.a. the Draft Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data) addressed the official security assessment of both the cross-border transfer of personal information and that of the “important data”. The 2019 Draft (a.k.a. the Draft Measures on Security Assessment of the Cross-border Transfer of Personal Information) limited itself to be a regulation over the cross-border transfer of personal information only. Neither of these drafts were finalized and formally effected, mainly because the overall framework of the Chinese data security and data protection laws had yet to be formulated at the time.
This year, China promulgated its Data Security Law (DSL, effective September 1, 2021) and Personal Information Protection Law (PIPL, to be effective on November 1, 2021). The general framework of data laws has been established. In this context, the CAC issued the 2021 Draft immediately before the effective day of the PIPL. Obviously, the provisions clarifying the “important data” under the DSL and the provisions addressing the cross-border transfer of personal data under the PIPL enabled CAC to re-visit these issues on a better basis.
Nevertheless, the 2021 Draft obviously needs to be improved, as it has yet to reflect the commercial reality and may not be applicable to certain industries. According to the PIPL, cross-border data transfer includes transfer of data from a Chinese JV or WFOE to its affiliate or parent company outside China. Therefore, the 2021 Draft could widely affect both foreign companies who have operations in China and those China-headquartered multinational corporations. We strongly recommend Chinese and overseas clients to look into it and consider submitting comments before the deadline November 28, 2021.
We set out the key points of the 2021 Draft below.
(In this newsletter, we refrained from offering our own comments to each provision. However, readers are welcome to contact us on preparation of comments tailored for a particular industry.)
- (Article 4 & 10) The official security assessment will be conducted by the CAC, instead of the provincial-level Cyberspace Administrations (in contrast with the 2019 Draft), which means that the CAC wishes to retain its power of approving the cross-border data transfer.
- (Article 4) In the following circumstances, an entity must apply for CAC’s official security assessment before transferring data stored in Mainland China to another country/jurisdiction:
- If the entity is identified by the CAC (under the NSL) to be an operator of critical information infrastructure (CII).
- If the data to be transferred contains “important data” (as defined under the DSL)
- If the company processes personal information of over 1 million individuals, then any transfer of data from the company out of China shall go through the CAC security assessment (even in the situation where the amount of data to be transferred is actually very small)
- If the accumulated number of affected people (whose personal information will be transferred outside China) exceeds 100 thousand
- If the accumulated number of affected people (whose sensitive personal information will be transferred outside China) exceeds 10 thousand.
- (Article 5) Even if an entity does not fall into the above circumstances of official assessment, it shall conduct “self-risk assessment” before it actually transfers data to any recipient outside of the Mainland China – Article 5 of the 2021 Draft listed a broad scope of issues required to be addressed in such a self-risk assessment report.
- (Article 6) For entities who are required to apply for the CAC’s official assessment, they shall submit the self-risk assessment report along with the agreement between the sender and overseas recipient(s) of the data.
- (Articles 7 & 11) The CAC will have up to 67 work days (which would roughly be 3-4 months) to complete the official security assessment from the date of application.
- (Article 8) CAC has a wide discretion on factors to be considered during its official security assessment, including whether the laws in the recipient’s jurisdiction provides a level of protection equal to the PRC laws, regulations and compulsory standards. The CAC may also consider the applicant’s previous compliant records with the PRC laws.
- (Article 9) the agreement of data transfer must contain the following contents:
- purpose, means, scope of the data transfer;
- location and term of storage in other jurisdictions, as well as how the data will be dealt after the purpose is satisfied or the agreement is terminated;
- restrictive clauses preventing the data from being further transferred to third party entities;
- security measures to be conducted when recipient cannot insure the data security due to change of company ownership or changes of legal environment
- terms on liability of breach of contract, and “enforceable” dispute settlement clauses
- a detailed data breach response plan
- Each official security assessment report will be valid for two years; if the data transfer continues, a new application must be filed within 60 days after expiration of the existing report. That said, before the expiration, if (i) there is any change to the purpose, means, scope, category of data to be transferred, (ii) the ownership of the data recipient is changed, or (iii) there is a major change of legal environment in the recipient country, the data sender shall apply for the official assessment again.
- After the official assessment, the CAC is empowered to revoke the approval if it finds that the cross-border transfer is no longer in compliance with the relevant laws and regulations.
In addition to the regulations over the security assessment of cross-border data transfer, the PIPL also designated the CAC to produce the following regulations/guidances, which we believe will be published soon after the effectiveness of the PIPL.
- Procedures and standards for certification of (good) personal information protection
- Standard data transfer agreement to be used for cross-border data transfer
- Specific rules and standards regulating the processing of sensitive data, facial recognition, artificial intelligence
* * * *
Author: Donnie Dong. Admitted to practice law in both the State of New York and China, the author is a Certified Information Privacy Manager by the International Association of Privacy Professionals (CIPM).
This communication is provided as a service to FuJae Partners’ clients and contacts. It is intended for informational purposes only. It is not intended to create an attorney-client relationship or to constitute any form of advertisement.
FuJae Partners – an alliance firm of McGuireWoods LLP