Hello privacy pros! Greetings from Beijing!
First of all, Happy Spring Festival to those who celebrate the Chinese Lunar New Year! May the Year of the Rabbit bring health, happiness, success and prosperity to you and your loved ones!
In my last Asia-Pacific Digest I discussed an important policy (briefly referred to as the 20 Data Measures) issued by the State Council, China’s central government, promoting the investment and development of the digital economy. The momentum remains, evidenced by a circular promulgated by the State Council 18 Jan. requesting multiple key governmental departments and regional authorities further support foreign investors in setting up research and development centers in China. The R&D Circular supports scientific and technological innovations, encourages the introduction of talents from the world, enhances the protection of intellectual property rights and adopts various measures ranging from financial funding, tax incentives and relaxation of customs procedures to facilitate R&D activities.
In terms of data flow, the R&D Circular explicitly supports the cross-border transfer of R&D data following the applicable laws and regulations. The R&D Circular calls for high efficiency in performing security assessments for cross-border transfer of important data and personal information to promote the safe, orderly and free flow of R&D data, while emphasizing compliance with legal requirements under China’s Cybersecurity Law, Data Security Law, Personal Information Protection Law and other related regulations. The Cyberspace Administration of China is assigned to lead the implementation of this policy, with support from the Ministry of Industry and Information Technology, the Ministry of Public Security and local governments. From the R&D Circular, it seems R&D data may enjoy a shorter timeline or some flexibilities when going through the security assessment for cross-border data transfer, but it remains to be seen whether any fast-track scheme will be applicable.
It is worth noting, on 18 Jan. the Beijing branch of the Cyberspace Administration of China released a notice that it granted the first two approvals to the security assessment of cross-border data transfer projects. The first two approved projects are a collaboration research project between the Beijing Friendship Hospital and the Medical Centre of Amsterdam University and Air China’s cross-border data arrangements for its business operations. It is interesting to note the research project between the Beijing Friendship Hospital and the Medical Centre of Amsterdam University is one of the first two approved projects, which seems to resonate with the R&D Circular.
The Beijing CAC notice also states the administration has responded to over 700 consultation calls and provided assistance to more than 270 entities since 1 Sept., 2022. With the guidance and support from the Beijing CAC, 16 Beijing-based business organizations in key industries of social media, medical care, financial, automobile and aviation have submitted to the Beijing CAC for security assessment. Of those entities, 10 have passed the completeness inspection of their submission materials. The Beijing CAC urges those entities to take remediation actions immediately if they have conducted the regulated data activities but have not started the mandatory security assessment.
The Beijing CAC notice seems to suggest a few takeaways:
- The industries of social media, medical care, financial, automobile and aviation appear to be the focus of regulators.
- Though only a small number of companies have passed the approval or initial assessment by the Beijing CAC, moving forward the Beijing CAC will speed up the review and approval process and more projects will pass the security assessment.
- If they have not yet started, companies should take compliance actions as soon as possible before the 28 Feb. deadline, in accordance with the security assessment rules.
- The Beijing CAC took the lead in implementing the new security assessment rules. The CAC authorities in other provinces and municipalities will follow suit and are likely to tighten up the regulation and enforcement against noncompliance after the grace period expires 28 Feb.
Hope you have enjoyed this note. Until next time!