On July 7, 2022, the Cybersecurity Administration of China ("CAC") issued the Measures for Security Assessment for Cross-Border Data Transfers (" Security Assessment Measures"), which took effect on September 1, 2022. The Security Assessment Measures provide that before engaging in any further cross-border data transfer activities, certain categories of data processors will need to pass a security assessment conducted by the Cybersecurity Administration of China . Many data processors are trying to get ahead of the requirements set forth by the Measures for Security Assessment for Cross-Border Data Transfers in order to ensure that their ordinary cross-border data transfers can continue without interruption. Having the first two examples of CAC security assessment approval serves as a positive sign that the process is being implemented and that companies are able to successfully pass the security assessments.

First Approved Cases

The first cross-border data transfer approved under these new rules has been issued by the Beijing office of the Cyberspace Administration of China (Beijing CAC), approving a data export by the Beijing Friendship Hospital of the Capital Medical University. According to the report, the data will be received by Amsterdam University Medical Center for purposes of a joint multi-center clinical research project in colorectal medicine.

The Beijing CAC also recent approved a data export security assessment from Air China, though no more details on that transfer are so far available.

The public information on these security assessments does not give much insight into the CAC's criteria for approval, but the existence of these cases is a strong indication that this system of security assessments for outbound data transfers will be rigorously enforced, and that all data processors will need to review their compliance position.

Note also that both of these cases relate to state-affiliated entities, which will be under enhanced compliance pressure, especially with regards to data exports. However, the law applies equally to private companies, and we expect to see more reports of private company security assessments in the near future. This is despite the ongoing ambiguity about what may constitute "important data" and "critical information infrastructure operators", both of which are key triggers for the security assessment requirement.

Recap – When is security assessment required

For a full review, please refer to our previous article on this (see: http://blog.galalaw.com/post/102i31p/involved-in-outbound-data-transfers-from-chinathe-time-to-determine-your-securit).

In short, all data transfers out of China must now follow one of three procedures in order to be legal, under Article 38 of the Personal Information Protection Law. Security assessment is the most onerous, reserved for the most sensitive data or situations. It applies to the following:

  • All cross-border transfers of "important data"
  • The cross-border transfer of personal information ("PI") by a "critical information infrastructure operator" ("CIIO")
  • The cross-border transfer of PI by a processor that has processed the PI of more than 1,000,000 people ever; and
  • The cross-border transfer of PI by a processor that has (a) transferred the PI of more than 100,000 people cross-border since Jan 1 of the previous year; OR (b) transferred the "sensitive PI" of more than 10,000 people cross-border since Jan 1 of the previous year.

Where these triggers are not present, companies may choose to conclude the China standard contractual clauses for cross-border data transfer (SCCs) or seek Personal Information Protection Certification.

The SCCs, which are still in the draft stage, serve as a legally binding agreement between the parties involved in the transfer of PI and outline the measures and obligations required to protect the transferred data. They will function similar to SCCs from other jurisdictions (i.e. under GDPR). PI Protection Certification means that the processor and its proposed transfer will be assessed and approved by a designated assessment institution (see the Practical Guide to Cybersecurity Standards – Specifications on Security Certification for Cross-Border Personal Information Processing Activities (V2.0-202212), issued by the National Information Security Standardization Technical Committee ).

However, it is important to note that both the SCCs and certification processes have yet to be finalized, and the implementation details for both procedures remain somewhat unclear at this time.

How long does the security review take?

The security review process for outbound data transfer from China is a multi-step process that can take several months to complete. It typically involves conducting a self-assessment and preparing a report thereof within 3 months, followed by submitting the application to the Cybersecurity Administration of China (CAC). The CAC review process can take at least 45 working days, although this timeline may be extended if the application is incomplete or if the self-assessment report is deemed unsatisfactory.

It is important to note that the exact timeline for the security review process can be impacted by a variety of factors, including the type and amount of data being transferred, the specific requirements of the regulators, and the company's compliance with the legal requirements under the Security Assessment Measures and relevant data and security laws. Companies should work closely with legal and compliance experts to understand the requirements and timeline for the security review process in order to ensure that their cross-border data transfer activities are conducted in compliance with the law.

Additional Guidance

To make the process easier for applicants, local CACs have provided their own guidance and support. For instance, the Shanghai CAC has issued explanations on form and content inspections and other application-related matters in two sets of guidelines. The Zhejiang CAC, on the other hand, has published guidelines outlining the necessary requirements for an outbound data transfer security assessment application.

Applicants can seek additional clarification and understanding by contacting the local CACs through their hotlines for inquiries. From our experience, seeking guidance from the local CAC, either through inquiries or on-site guidance, can be beneficial for the approval process.

Conclusion:

The recent approval of these first two security assessments for outbound data transfers is a clear indication that the long-contemplated system for controlling cross-border data transfers is maturing. Companies can expect more enforcement going forward. In instances where mandatory review by the CAC is not required, companies can avail themselves of alternative options, such as utilizing security certification or the SCCs.

However, as the procedures for these alternate options are still being finalized, it is currently uncertain which approach will be the most efficient and effective method for multinationals to handle PI transfers. Many companies are beginning to build the China SCCs (even in draft form) into their privacy policies and data transfer agreements, or adding provisos to accommodate the SCCs once they are finalized. In addition, companies are encouraged to keep abreast of the latest developments on cross-border data transfer practices, as this is a rapidly evolving area of Chinese law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.