China’s New Outbound Data Transfer Security Assessment Measures and Standard Contract Provisions

Client Alert

Outbound Data Transfer Security Review Measures

On July 7, 2022, the Cybersecurity Administration of China (“CAC”) issued the Outbound Data Transfer Security Assessment Measures (“Security Assessment Measures”), effective September 1, 2022. [1]

Under the Security Assessment Measures, a government-led security assessment will be required in cases of:

  • Outbound transfer of Important Data by data processors;
  • Outbound transfer of data by Critical Information Infrastructure Operators (“CIIOs”);
  • Outbound transfer of data by Personal Information (“PI”) processors who process PI of 1 million or more persons; and
  • Outbound transfer of data by PI processors who have in aggregate transferred overseas PI of 100,000 or more persons, or Sensitive PI of 10,000 or more persons, since January 1 of the previous year.

Under the Data Security Law (“DSL”) and its implementing regulations, “Important Data” is defined as “data which, if disclosed, may affect national security, economic security, social stability or public health and safety, such as undisclosed government information, large-scale information relating to population, population genetics and health, geography and mineral resources, etc.”

Under the Cybersecurity Law (“CSL”) and its implementing regulations, critical information infrastructure (“CII”) is defined to include such industries and sectors as public communications and information services; energy; transportation; water conservancy; finance; public services; E-government; defense technology industry; and other important network facilities and information systems that, if damaged or disabled, or if they suffered a data disclosure, may severely threaten the national security, national economy, people’s livelihood or public interest.

Under the Personal Information Protection Law (“PIPL”), “PI” or “Personal Information” is defined as “all kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding information processed on an anonymous basis.” “Sensitive PI” is defined as “PI which, if divulged or illegally used, is likely to result in damage to personal dignity or the safety of persons or property of natural persons, including such information as biometric identification, religious belief, specific identity, medical and health conditions, financial accounts, location and tracking information, as well as PI of minors under 14.” Sensitive PI is a sub-category of PI subject to enhanced protection under the PIPL.

The Security Assessment Measures define “Outbound Activities” to include: (1) the transfer (or storage) outside of China of relevant data collected or generated by data processors within the territory of China; and (2) data that, while collected or generated within the territory of China and stored in China, can be visited or accessed by overseas entities or persons. The Security Assessment Measures for the first time treat access to data stored in China by foreign entities or persons as outbound data activity. In other words, for multinational companies (“MNCs”) doing business in China, if an overseas parent or affiliate accesses or visits data that an MNC collected or generated in China, it will constitute “data outbound” activity, even if the MNC stores the data in China.

It is important to note that not all data outbound activity will be subject to a government-led security assessment. A government-led security assessment will apply only if the data outbound activity meets one of the conditions as listed above.

Where a government-led assessment applies, companies are also required to conduct a self-assessment before applying for the government-led security assessment. The self-assessment focuses on the following areas:

  • The legality and necessity of the purpose, scope, and processing method.
  • The volume, scope, type, and level of sensitivity of the data and the potential risks to national security, the public interest and rights of private persons.
  • The responsibilities of overseas recipients (whether relevant security measures are adequate).
  • The risk of leakage, damage, tampering, abuse, and other risks to outbound data.
  • Whether the parties have entered into a security contract for outbound data which provides for comprehensive data protection responsibilities.

Procedures for a government-led security assessment include:

  • Application to provincial-level CAC (application documents including application form, self-assessment report and data security contract, etc.)
  • Provincial-level CAC to conduct initial review within 5 working days – if formal requirements are met, submit the application to CAC at the central government level for review.
  • CAC at the central government level to determine whether to process an application within 7 working days and issue written notice to the applicant.
  • If accepted for review, 45 working days review period subject to extension for complicated matters.
  • Send written assessment result to the applicant.

According to a press conference hosted by CAC, [2] if CAC concludes that relevant data outbound activities are not subject to a government-led security assessment, it has the authority to determine not to process an application. In such cases, data processors may engage in data outbound activity through other means prescribed under law. If CAC determines to process an application and the application passes the data security assessment, data processors are permitted to engage in outbound data activity pursuant to the application. If an application fails to pass the data security assessment, data processors may not engage in data outbound activity with respect to the underlying data.

The government-led security assessment will focus on areas similar to those of the self-assessment, as well as areas such as the impact of data protection regulations and the network security environment in the home country of the data recipient and whether data protection regulations in the home jurisdiction of the overseas data recipient have requirements comparable to those in China. This may indicate more tolerance for transfer of data to member states of the European Union than to the United States.

Security assessments once passed will be valid for 2 years. A re-application for a security assessment is required if there is a change in the purpose, scope and processing method or data retention period which affects the security conditions of the outbound data, a change of control of the data processor or the data recipient, a change in the regulations or network security conditions of the home country of the data recipient, or a change in the legal documentation between the data processor and the data recipient which affects the security conditions of the outbound data.

If a data processor intends to continue to export data, a renewal application must be submitted 60 days prior to the expiration of the 2-year term of validity.

The Security Assessment Measures now clearly set out relevant scenarios in which a government-led security assessment will be required. MNCs should be aware that only those data outbound activities that meet the conditions set out in the Security Assessment Measures will be subject to a government-led security assessment. Outbound transfers of ordinary commercial and business data relating to MNCs’ business operations in China are unlikely to trigger a government-led security assessment.

That said, while MNCs themselves are unlikely to be viewed as CIIOs, they should be mindful of the requirements when processing and engaging in outbound transfer of data received from Chinese business counterparts which are CIIOs. MNCs also need to pay attention to the type of data they receive from Chinese customers that operate in regulated industries or are likely to possess Important Data. MNCs which engage in B2C or online platform businesses should be mindful of the PI volume thresholds (i.e., the 1 million/100,000/10,000 rule). If a government-led security assessment cannot be avoided, companies may consider having the assessment cover a broad scope of business needs so as to avoid the need for re-application during the 2-year validity period.

Draft Standard Contract Provisions

On June 30, 2022, CAC issued the draft Standard Contract Provisions on the Outbound Transfer of Personal Information (the “Standard Contract Provisions”) and the Standard Contract Template for public comment through July 29, 2022. [3]

The draft Standard Contract Provisions address the requirements of a standard contract as one of the alternatives to conduct outbound PI transfers under Article 38 of the PIPL.

Under the draft Provisions, PI processors which meet all of the following criteria are eligible to use a standard contract to conduct outbound PI transfer:

  • not a CIIO;
  • processing PI of fewer than 1 million persons;
  • transferring overseas PI of fewer than 100,000 persons in aggregate since January 1 of the previous year; and
  • transferring overseas Sensitive PI of fewer than 10,000 persons in aggregate since January 1 of the previous year.

The contents of a Standard Contract need to include: basic information on the parties; the purpose, scope, and method of PI processing; the type, sensitivity, quantity, retention period, and storage location of the PI; the responsibilities of the PI processor and overseas recipients and technological and administrative measures to prevent security risks; the impact which PI protection regulations in the country of the overseas recipient may have on compliance with the terms of the contract; and the rights of PI subjects, including the channels and methods for protecting such rights; remedies, contract rescission, liability for breach, and dispute resolution.

The standard contract template attached to the draft Provisions further clarifies contract terms. The standard contract template would explicitly require foreign enterprises to accept the jurisdiction of Chinese law, directly addressing the issue of application of law between the two parties in the negotiation process. Such extraterritorial application of Chinese law may discourage outbound data transfers.

In addition to signing standard contracts, PI processors need to conduct a PI protection impact self-assessment in advance with emphasis on the following:

  • The legality and necessity of the purpose, scope, and processing method of the PI processor [in China] and the overseas recipient.
  • The amount, scope, type, and sensitivity level of the outbound PI and the potential risks to the rights of the PI subjects.
  • The responsibilities of the overseas recipient including whether adequate management and technical measures are in place.
  • The risk of leakage, damage, tampering, abuse, and other risks to the PI after export.
  • The impact which PI protection regulations in the country of the overseas recipient may have on the fulfilment of the standard contract.

PI processors are required, within 10 working days from the effective date of the standard contract, to file the contract with their provincial-level CAC. The standard contract and the PI protection impact assessment report need to be included in the filing.

Use of a standard contract to engage in outbound PI transfer will apply mainly to small and medium-sized enterprises which do not constitute a CIIO and which process PI below the statutory volume thresholds. The draft Provisions do not appear to include an exception for MNCs to transfer employee data for purposes of centralized business, human resources and compliance management. It also remains unclear whether a standard contract and government filing are needed each time an outbound transfer occurs, which would place onerous compliance burdens on companies. The governing-law requirement of the standard contract would also subject foreign enterprises to Chinese law.
