China Releases First Guidelines for Cross-Border Data Transfer Application

On July 7, 2022, the Cyberspace Administration of China (CAC), China's cyberspace regulator, released the Measures on Security Assessment for Cross-border Data Transfer. The day before the measures' effective date of September 1, the CAC issued the Guidelines on Application for Security Assessment of Cross-Border Data Transfers (1st edition) to provide guidance and reference on how to perform the security assessment.

This article outlines key provisions in the guidelines.

Scope

Cross-border data transfers cover the following scenarios: 

  • An entity collects or generates data during its operation in China and stores or transfers such data outside China.
  • An entity or individual outside China has remote access to data collected, generated and stored in China by searching, downloading, retrieving or exporting the data.

Applying for a Security Assessment

A Data Processor intending to provide data out of China must apply for a Security Assessment before providing the data under the following circumstances:

  • Outbound transfer of important data by a data processor;
  • Outbound transfer of personal information by a critical information infrastructure operator or a personal information processor that has processed personal information of 1 million or more individuals;
  • Outbound transfer of personal information where the transfers out of China since January 1 of the prior year consist of the personal information of more than 100,000 individuals, or the sensitive personal information of more than 10,000 individuals;
  • Other situations where relevant Chinese laws and regulations require security assessments.

Self-assessment

According to the measures and guidelines, self-assessment is a crucial step for completing the legal procedures for cross-border data transfers.

Throughout the self-assessment, the data exporter is required to consider and address a number of crucial issues.

The guidelines contain a template self-assessment report, which requires the data exporter to provide a wide range of information, including, among others:

  • The legality, legitimacy, and necessity of the outbound data transfer and the data processing by the overseas recipient in terms of purpose, scope, and method
  • The corporate, investment and business model as well as the data center and IP address of the data exporter
  • The purpose, category, volume, sensitivity and related industry sector of the data to be transferred outside China and whether there will be onward data transfers
  • Description of data protection capabilities of both the data exporter and foreign data recipient
  • Outline of the data protection regime of the foreign country where the overseas data recipient is based
  • Key terms of the cross-border data transfer agreement

The data exporter is also required to analyze the risks associated with the contemplated cross-border data transfer and to reach a conclusion based on that analysis.

Key documents

The guidelines require other vital documents and information to be submitted to the CAC, including the cross-border transfer agreement, the application form, and other miscellaneous information.

The security assessment process

Once the required information mentioned above has been submitted, the provincial CAC will have 5 working days to check whether all required information has been submitted and completed. If so, the information will be passed on to the central CAC, which, within seven working days, will decide whether to accept the application for security assessment. If accepted, the CAC will complete the security assessment of those materials within 45 working days from the date of the data processor's written notification of acceptance and shall notify the data processor of the assessment results in writing.

If the data processor has any objections, it can file a request for reassessment with the national-level CAC within 15 working days.

The security assessment is valid for two years.

A reassessment is required if:

  • The security assessment has expired
  • There are changes to the overseas data recipient controller
  • There are changes to the data storage location or period outside of China
  • There are changes to the destination country's data laws and practices