China Releases First Guidelines for Cross-Border Data Transfer Application
September 28, 2022
On July 7, 2022 the Cyberspace Administration of China (CAC), China's cyberspace regulator, released Measures on Security Assessment for Cross-border Data Transfer. The day before the measure's effective date of September 1, the CAC issued the Guidelines on Application for Security Assessment of Cross-Border Data Transfers (1st edition) to provide guidance and reference on how to perform the security assessment.The article outlines key provisions in the guidelinesScope:Cross-border data transfers cover the following scenarios: An entity collects or generates data during its operation in China and stores or transfers such data outside China.An entity or individual outside China has remote access to data collected, generated and stored in China by searching, downloading, retrieving or exporting the data.Applying for a Security AssessmentA Data Processor intending to provide data out of China must apply for a Security Assessment before providing the data under the following circumstances:Outbound transfer of important data by a data processor;Outbound transfer of personal information by a critical information infrastructure operator or a personal information processor that has processed personal information of 1 million or more individualsOutbound transfer of personal information out of China since January 1 of the prior year that consists of the personal information of more than 100,000 individuals, or sensitive personal information of more than 10,000 individuals. Other situations where relevant Chinese laws and regulations require security assessmentsSelf-assessmentAccording to the measures and guidelines, self-assessment is a crucial step for completing the legal procedures for cross-border data transfers.Throughout the self-assessment, the data exporter is required to consider and address a number of crucial issues.The guidelines contain a template self-assessment report, which requires the data exporter to provide a wide range of information, including, among others:the legality, legitimacy, and necessity of the outbound data transfer and the data processing by the overseas recipient in terms of purpose, scope, and method; The corporate, investment and business model as well as the data center and IP address of the data exporterThe purpose, category, volume, sensitivity and related industry sector of the data to be transferred outside China and whether there will be onward data transfersDescription of data protection capabilities of both the data exporter and foreign data recipientOutline of the data protection regime of the foreign country where the overseas data recipient is basedKey terms of the cross-border data transfer agreement.The data exporter is also required to analyze the risks associated with the contemplated cross-border data transfer, based on which a conclusion should be made.Key documentsThe guidelines mandate other vital documents and information to be submitted to the CAC, including the cross-border transfer agreement, the application form, and other miscellaneous informationThe security assessment processUpon submitting the required information mentioned above, the provincial CAC will have 5 working days to check if all required information has been submitted & completed. If so, the information will be passed on to the central CAC, who, within seven working days, will decide whether to accept the application for security assessment. If accepted, the CAC will complete the security assessment of those materials within 45 working days from the date of the data processor's written notification of acceptance and shall notify the data processor of the assessment results in writingIf the data processor has any objections, it can file a request for reassessment to the national level CAC within 15 working days.The security assessment is valid for two years.A reassessment is required if:The security assessment has expiredChanges to the overseas data recipient controllerChanges to the data storage location or period outside of ChinaChanges to the destination country's data laws and practices.
