In the past several months, China has witnessed some key regulatory developments in its cross-border data regime. This is evidenced by the promulgation of the long-awaited Measures for Security Assessment of Outward Data Transfer with the effective date of Sept. 1, the release of a new set of TC260 specifications for certification of cross-border transfer of personal information, and the issuance of the consultation draft of the standard contract for cross-border data transfer.

On the eve of the measures coming into force, the Cyberspace Administration of China issued the Guidelines on Application for Security Assessment of Cross-Border Data Transfers (1st Edition) to provide detailed guidance and reference on how to perform the security assessment. Both the measures and the guidelines went into effect Sept. 1 and will have significant implications for international companies and their operations in China.

This article outlines key provisions in the guidelines and discusses what compliance actions companies should consider from a practical perspective.

Cross-border data transfers subject to CAC-led security assessment

Consistent with the measures, the guidelines reaffirm that the CAC-led security assessment applies to cross-border data transfers from China under the following circumstances:

  • Transfer of important data.
  • Transfer of personal information by a critical information infrastructure operator.
  • Transfer of personal information by a data exporter processing 1 million or more individuals.
  • Accumulative transfers of personal information exceeding 100,000 individuals since Jan. 1 of the preceding year.
  • Accumulative transfers of sensitive personal information exceeding 10,000 individuals since Jan. 1 of the preceding year.
  • Other situations where relevant Chinese laws and regulations require security assessments.

Since the effectiveness of the Cybersecurity Law in 2017, there have been debates on what would constitute cross-border data transfers. Several previous draft regulations issued by the CAC tried to provide some clarifications, but those draft regulations were never finalized. Following the release of the measures, CAC officials commented at a media conference that remote access to data stored in China is deemed as a cross-border data transfer. Now the guidelines provide the further clarification that cross-border data transfers cover the following scenarios:

  • An entity collects or generates data during its operation in China and stores or transfers such data outside China.
  • An entity or individual outside China has remote access to data collected, generated and stored in China by searching, downloading, retrieving or exporting the data.

From a practical perspective, it is not unusual for multinational corporations to run shared IT infrastructures and applications for their Chinese subsidiaries to share employee or customer data with the global headquarters or affiliates outside China. It is also not unusual for the head office to have remote access to the data stored in China. Now with the measures and guidelines in place, those usual business scenarios will fall within the application scope of the mandatory security assessment if the data transfer threshold is met. International companies are strongly advised to map out the data flow, assess whether the data activities fall under the guidelines and, if yes, consider what compliance action to take.

Self-assessment and the report

Under the measures and the guidelines, self-assessment is a must-have step for completing the legal procedures for cross-border data transfer.

When carrying out the self-assessment, the data exporter is required to consider and address a number of crucial issues. For example: whether it is legal, necessary and appropriate to transfer the data abroad; what is the scope, category, size and sensitivity of the data to be transferred; what impacts the data transfer may have for China’s national security and public interest; whether the data exporter and overseas data recipient are capable of adopting strong organizational and technical measures to protect the data from loss or damage; and whether the cross-border data transfer agreement can provide sufficient data protection.

The guidelines contain a template self-assessment report, which requires the data exporter to provide a wide range of information, including, among others: (i) a brief description of the self-assessment, (ii) the corporate, investment and business model as well as the data center and IP address of the data exporter, (iii) the purpose, category, volume, sensitivity and related industry sector of the data to be transferred outside China and whether there will be onward data transfers, (iv) description of data protection capabilities of both the data exporter and foreign data recipient, (v) outline of the data protection regime of the foreign country where the overseas data recipient is based, and (vi) key terms of the cross-border data transfer agreement.

The data exporter is also required to analyze the risks associated with the contemplated cross-border data transfer, based on which a conclusion should be made.

Please note the guidelines impose a strict timeline on the self-assessment. CAC authorities will only accept the self-assessment report if the assessment is completed within three months before the date of application and there are no significant changes in the related data handling activities up to the application date.

Other key documents required for the security assessment

The guidelines mandate other vital documents and information to be submitted to the CAC, including the cross-border data transfer agreement, the application form, and miscellaneous information such as the data exporter’s unified social credit code and copies of the personal ID of the legal representative and case handler of the data exporter.

Cross-border data transfer agreement

A copy of the cross-border data transfer agreement must be included in the deck submitted to the CAC to kick off the security assessment. In case of an inter-group data transfer where there is no specific agreement, the data exporter is required to provide other documents like the corporate policy governing cross-border data transfer to illustrate how cross-border data transfers are managed.

The guidelines do not expressly require the cross-border data transfer agreement to be drafted based on the Standard Data Export Contract (which was released by the CAC in June 2022 for public consultation and shares some similarities with the EU’s General Data Protection Regulation standard contractual clauses). However, the guidelines do require the cross-border data transfer agreement to include certain necessary clauses, and an agreement based on the CAC standard contract is likely to be processed quicker given the reviewing officials’ familiarity with the CAC standard version.

Application form

The guidelines provide a template application form, consisting of a standard letter of undertaking and a prescribed table.

The standard letter of undertaking sets out the data exporter’s commitment to warrant the correctness and accuracy of information delivered and comply with Chinese law for data collection and processing.

Business organizations should note the specific format requirements when preparing the deck for the security assessment. It is required in the guidelines that reference to key terms of the cross-border data transfer agreement in relation to the necessity and purpose of the transfer, overseas storage, onward transfer and remedy mechanism, and liability and dispute resolution should be highlighted or framed in the Application Form with explicit reference to the corresponding page numbers in the agreement. All documents submitted to the CAC must have a Chinese version if the original documents are prepared in foreign languages. Failure to comply with these requirements will risk the application being rejected or delayed.

Security assessment process

The data exporter shall apply to the provincial-level CAC by submitting the self-assessment report, application form, copy of the cross-border data transfer agreement and other required information as discussed above. The provincial CAC will have five working days to check if the materials are in order and complete. If yes, they will pass the deck to the central CAC. Within seven working days of receipt, the central CAC will review and decide whether to accept the application for security assessment. If accepted, the central CAC will conduct the review and if specific industry expertise is needed, the central CAC will liaise with relevant industry regulators to conduct the security assessment together.

Generally speaking, the central CAC review will take 45 working days, which can be extended for complicated cases. At the end of the assessment, the central CAC will issue a written notification with the assessment outcome. Outcome options are “assessment not applicable,” “passing the assessment” or “not passing the assessment and no transfer allowed.” Within 15 working days of the outcome notification, the data exporter has the right to apply to the central CAC for reassessment, the result of which is final.

The security assessment is valid for two years and a reassessment is required upon expiry A reassessment is also required should there be changes to the overseas data recipient controller, the data storage location or period outside China, or the destination country’s data laws and practices. It is therefore important for business organizations to set up a monitoring system to ensure that proper actions will be taken timely and adequately.

Legal liability and enforcement

As an essential set of implementing rules under China’s Cybersecurity Law, Data Security Law and Personal Information Protection Law, noncompliance with the measures and guidelines may expose companies and the executive to significant administrative, civil and criminal liabilities.

China’s central and local regulators have been active in taking enforcement actions, including conducting dawn raids and investigations, removing noncompliant applications, ordering business suspension for rectification, and imposing hefty fines on violating companies and executives. The augmented enforcement trend is anticipated to continue in months and years to come.

Practical considerations

Since China’s Cybersecurity Law became effective in 2017, international companies have faced significant challenges on how to address the China-related cross-border data transfer complications and how to perform the security assessment as a practical matter, partly due to a highly dynamic and complex legal regime and the lack of detailed implementing rules. Now with the formal adoption of the measures and the guidelines as of Sept. 1, this significant development is an applaudable step that can provide much-needed guidance and clarifications on what and how business organizations can do to manage the cross-border data transfer risk. The regulators also have a better and stronger toolbox for enforcing the security assessment requirements and cracking down on noncompliance.

From a practical perspective, business organizations are advised to consider the following steps for better compliance:

  1. Understand the new requirements under the measures and guidelines, analyze what major impacts the new requirements would have for their business operations in China, and establish and update the compliance strategy that is aligned with the company’s business objectives and compliance priorities.
  2. Map out the China-related data inventory and data flows to understand what kind and how much of the data is transferred from the Chinese subsidiaries to the headquarters or affiliates outside China, and whether there is any remote access to the data stored in China.
  3. Conduct a self-assessment to evaluate whether existing or future cross-border data transfers fall within the application scope of the mandatory CAC-led security assessment under the measures and the guidelines. If the answer is yes, prepare the self-assessment report and other necessary application materials by following the content, format and timeline mandated under the guidelines.
  4. Even if the answer to the above self-assessment is no, still perform the self-assessment and have the self-assessment report in place, which can act as effective self-defense and provide good evidence to show that the company has completed a proper risk evaluation.
  5. Prepare and review the cross-border data transfer agreement and maintain a holistic and coordinated approach to balance the group company’s global mechanism and the local Chinese law nuisances.
  6. In case the cross-border data transfer triggers the CAC-led security assessment, plan ahead and leave a reasonable time to prepare the submission materials. Leverage the experience of professional advisors, given the broad scope and large volume of required information from both the data exporter in China and the data recipient outside China.
  7. Seek necessary support and guidance from provincial CAC authorities, as some provincial CAC departments have set up a hotline to receive queries from business organizations and provide support on security assessment.
  8. Put a proper monitoring and updating mechanism in place, as the company will need to do a new assessment every two years or in case of a change of data storage location or the change of foreign destination country’s data laws.
  9. Last but not least, keep a close watch on China’s legislative and enforcement developments, as important rules on the identification of important data and critical information infrastructures are expected to be finalized and issued in 2022 will have significant impacts on the cross-border data transfer mechanism.