China – Cyberspace Administration of China announces the Measures for Security Assessment of Data Exports
Who must carry out an assessment?
Businesses must carry out a data export security self-assessment where they:
- are transferring 'important data' overseas;
- are critical information infrastructure operators transferring personal information outside China;
- are handling personal information of more than 1 million people and transferring personal information outside China;
- since 1 January the previous year, have transferred outside China either: (1) personal information of more than 100,000 individuals, or (2) the sensitive personal information of more than 10,000 individuals; or
- fall within the circumstances where security assessment for overseas transfer of data is required by CAC.
The assessment must be accompanied by legal documents specifying:
- the purpose, method and data scope of the data being transferred, and the purpose and method of the data processing by the overseas recipient;
- the location and period of data storage overseas, and the measures for re-importing the data on completion of the processing purpose, expiry of the storage period, or termination of the agreement;
- binding requirements for recipients regarding onward transfers;
- security measures to be taken on the occurrence of certain significant events, including regarding the control of business of the recipient or the legal regime in the destination;
- remedial measures, liability for breach of contract and dispute resolution methods; and
- action to be taken in relation to actual or anticipated breaches.
The data exporter must carry out an initial self-assessment before applying to their provincial CAC for a CAC-led data export security assessment. The provincial CAC will then review the application before submitting it to the CAC, which will respond within 45 working days from the time it accepts the application for assessment. However, allowing for the pre-acceptance process with the provincial CAC, businesses will need to apply at least 60 working days before the intended transfer date.
The self-assessment must address all issues affecting the security of the data export including:
- the legality, legitimacy, and necessity of the purpose, scope, and method of data export and data processing by overseas recipients;
- the scale, scope, type, and sensitivity of the data, the potential risks of its export to national security, public interests and the interests and rights of individuals or organisations;
- the recipient's responsibilities and obligations and organisational and technical measures and its ability to protect the data;
- the risks to the security of the data and to the existence of a smooth channel for the protection of personal information rights and interests; and
- the comprehensiveness of the data export document in providing data security.
The CAC assessment will address the above matters and other matters deemed necessary by the national CAC.
Refreshing the Assessment
The assessment needs to be refreshed after 2 years, or earlier if there are any changes in circumstances that affect the security of outbound data, in particular any changes in:
- the purpose, method, scope, and type of data, or the purpose and method of data processing by the overseas recipients, or extension of the period for which the data is to be stored; or
- the data security protection policies, regulations and network security environment of the country or region where the overseas recipient is located, or other significant events impacting security, including a force majeure event, change of control of the data exporter or overseas recipients, or amendments to the legal documents entered into between the data exporter and overseas recipients.
The Measures are available here (in Mandarin only).
This publication is prepared by Anita Anand of aosphere and Susana Ng of Allen & Overy Hong Kong office. Services in relation to the laws of the People’s Republic of China are provided by Allen & Overy LLP’s joint operation firm, Shanghai Lang Yue Law Firm.
The publication is relevant for all businesses (i) having operations in China; (ii) which target Chinese nationals in the provision of goods or services; or (iii) which monitor and analyse the behaviours of PRC nationals.