The grace period for China’s outbound data security assessment has ended. What should multinational companies do next?
March 10, 2023
By Donnie Dong
We reported in September 2022 that the Cyberspace Administration of China (CAC), China’s data regulator, issued a regulation titled Measures for the Security Assessment of Outbound Data Transfers (Assessment Measures) and Guide to Applications for Security Assessment of Outbound Data Transfers (First Edition). The Assessment Measures allowed a six-month grace period for companies to review their practice of data transfer from China to overseas and to determine if they meet the thresholds of seeking CAC’s security assessment and approval before sending personal information outside of China.
Now the grace period has passed by the end of February 2023. So far, there is no clue that CAC would extend the grace period.
When should the CAC security assessment apply
According to the PRC Personal Information Protection Law (PIPL), the data senders need to satisfy one of the following regulatory requirements: (1) seeking CAC approval after its “cross-border data security review, (2) reaching a data transfer agreement with each data recipient by applying CAC’s Standard Contractual Clauses (SCCs, read our client alert on SCCs here), or (3) obtaining certification by a certifier appointed by CAC.
CAC has yet to formalize a scheme for the certifier approach, so currently, the available options are the above (1) and (2). CAC has confirmed that Option (1) and Option (2) are mutually exclusive. Namely, in the following situations, CAC’s security review is required.
– the data sender is an operator of critical information infrastructure or a controller of the “important data” as defined under the PRC Data Security Law;
– the data sender controls more than 1 million people’s data; or
– the data sender has transmitted over 100,000 people’s personal data or 10,000 people’s sensitive personal data during the last calendar year.
According to an announcement by Beijing Cyberspace Administration (Beijing CAC). There have been 48 Beijing companies filed applications for outbound data security assessment. Among them, two received formal approval from CAC; five have been accepted by CAC pending issuing formal approval, while the rest are pending conclusion.
Shanghai Cyberspace Administration (Shanghai CAC) disclosed that until January 2023, they received 67 applications for the outbound data security assessment. Among them, 35 applications have been forwarded to CAC – according to the Assessment Measures, all security assessments shall be performed by the headquarters of CAC. The provincial CAC agencies play the role of reviewing formalities. According to Shanghai CAC, the applicants are mostly in the retailing, automotive, finance, and pharmaceutical sectors. However, the Shanghai CAC did not disclose whether and how many companies’ applications have been approved by CAC.
Risks in failure to timely file for security assessment
CAC and its local subsidiaries are now urging enterprises in the security assessment category to submit applications. Violation of PIPL and CAC regulations could lead to a fine of up to CNY50 million (approximately USD 7.2 million) or 5% of the violator’s annual revenue, under the authority’s discretion.
Further, given CAC’s broad discretion in performing its investigation against a violator, the violator’s business could be heavily impacted even before the CAC issues a fine ticket. See our observation titled What Do We Learn from The DiDi Case?
What should the MNCs do next?
The PRC regime differs from Europe or America’s regarding the outbound data security review. Each multinational company with a significant presence in China should develop a wise and practical compliance strategy by working with experienced advisors.
This could include:
– As soon as practical, engage an experienced advisor to launch an internal review of existing cross-border data transmission practice
– Minimize the volume and frequency of cross-border data transfer to a level of need – at this stage, the CAC generally believed that cross-border data transfer should be limited to the level strictly necessary to a company’s business operation
– Where necessary and based on the advisor’s comments, form a workforce collaborating legal, compliance, human resource, business development, client service, procurement, and/or public relationship functions to identify and prioritize data sharing demands
– Based on the review of data transfer practice and the advisor’s comments, revise existing data compliance documents, both internal policies and external privacy notices
– After minimizing the volume and frequency of cross-border data transfer, if thresholds of the CAC data security assessment are still met, prepare an internal self-assessment report (CAC requires this for each assessment application). CAC and its provincial-level subsidiaries in major cities have issued guidelines or outlines on detailed requirements of self-assessment and application. Applicants shall work with local counsels to prepare the required documents and communicate with the local CAC before applying.
Please contact us to tailor an action plan for your business in China. Send us an email to firstname.lastname@example.org, stating your name, title, affiliation, your interested question, and your available time slots to book a time.
* * * * *
This communication is intended for informational purposes only and not to create an attorney-client relationship or constitute any form of advertisement.
* * * * *
Author: Donnie Dong is a partner of FuJae Partners and a Certified Information Privacy Manager (IAPP/CIPM). He regularly advises MNCs, unicorns, and start-ups on cross-border intellectual property, data privacy, and related investment and dispute resolution matters.