The Cyberspace Administration of China (CAC) released the draft Security Review Measures for Cross-Border Data Transfer (the Draft Security Review Measures) for public comments on 29 October 2021 – shortly before the effective date of the Personal Information Protection Law (PIPL), 1 November 2021.
The three pillars of China’s cyber security and data legislation – the Cyber Security Law (CSL, effective on 1 June 2017), the Data Security Law (DSL, effective on 1 September 2021), and the PIPL – all impose some restrictions on cross-border transfers of data and require governmental security reviews as a condition for transferring data overseas in certain situations.
The Draft Security Review Measures provide some clarity on the questions we discuss in this article.
Who needs to do a security review?
- Operators of critical information infrastructures (CIIs);
- Any entity transferring “important data” outside China;
- Any personal information handler who processes personal information of 1 million individuals or more;
- Any entity that has, in aggregate, provided personal information of more than 100,000 individuals, or sensitive personal information of 10,000 individuals outside of China; and
- Other circumstances prescribed by the CAC.
As mentioned in our previous article “Am I a CII operator?” – New regulation in China provides more clarity, companies will receive a notice if they are identified as operators of CIIs. However, the exact scope of “important data” remains unclear.
What will the review process look like?
Before transferring data outside China, a company must conduct a self-assessment of the risks. Following the self-assessment, it needs to file a review application to the CAC together with, among other items, an application letter, the self-assessment report, and the contract to be entered into with the overseas recipient.
The CAC will decide whether to accept the application within 7 working days. If accepted, the application will be approved (or rejected) within 45 working days in ordinary cases, or within 60 days in complicated cases.
What are the review criteria?
The Draft Security Review Measures seek to protect individual rights and interests, safeguard national security and public interests, as well as promote the secure and free cross-border flow of data. When reviewing a data transfer application, the CAC will consider various factors, including,
- the legality, appropriateness and necessity of the purpose, scope, and method for such cross-border data transfer;
- the data security policies and legislations and the cyber security environment of the recipient’s country/region;
- whether the recipient meets the protection standards set by Chinese laws, regulations and mandatory national standards;
- the amount, scope, types, and sensitivity of the transferred data;
- the risks of leakage, tampering, loss, destruction, transfer, illegal access, or misuse during and after the transfer; and
- whether the data transfer agreement contains adequate provisions on obligations and responsibilities to protect data security.
What must a data transfer agreement include?
A data transfer agreement for security review must include:
- the purposes for and methods of the transfer, the scope of transferred data, the data processing purposes and methods of the overseas recipient;
- the location and period of data storage outside China, the measures to be adopted after the storage period or after the contract term expires or the processing purposes are fulfilled;
- restrictions on the overseas recipient’s transfer of such data to other parties;
- security measures to be adopted when the control or business scope of the recipient, or the legal environment in the recipient’s country/region, changes;
- liability for breach of security obligations, and binding and enforceable dispute resolution clauses; and
- emergency response plans and open channels to protect individual rights and interests.
The Draft Security Review Measures have not prescribed a set of standard contractual clauses that must be entered into by the security review applicant. It would appear that the applicant will be allowed to have some flexibility to decide the form and content of its own data transfer agreement with the recipient.
However, we still expect a standard form data transfer agreement to be published by the CAC for data handlers who are not subject to the governmental security reviews under the Draft Security Review Measures (i.e., companies who are not CII operators or do not process “important data” or large amounts of personal data). Those companies may rely on the standard form data transfer agreement to be published as its legal basis to transfer data overseas, without applying for and completing the governmental security review.
What happens after the CAC completes the review?
The CAC will approve or reject the data transfer application based on the results of the security review. Approval will be valid for 2 years. Companies would need to reapply for approval at the end of the term of validity or if there is a material change in the relevant circumstances (e.g., transfer purposes, scope of transferred data, legal environment in the recipient’s country, or the control of the applicant or the recipient).
When will the Draft Security Review Measures become effective?
The current draft is open for public comments until 28 November 2021. After that, the CAC will review comments received and may revise the Draft Security Review Measures. There is no published timeline on when the measures will be finalized or become effective.
Our take
There are still uncertainties arising from several aspects of the security review regime (e.g., what time period will be used for calculating the aggregate amount of personal information transferred by a company outside of China? However, whatever the finalized review threshold is, the Draft Security Review Measures seem to have conveyed a clear message that companies that reach the review threshold should expect regular, case-by-case governmental review exercises in China if they plan to transfer data outside China. As such, companies should start reviewing their data practices in China to assess their risk levels if they have not done so already.
We will keep monitoring future developments and provide further updates.
