Interpretation of Measures for Security Assessment of Outbound Data (Exposure Draft)
Author: Dr. Wu Weiming & Yao, Xinyu (Laura), 2022-03-23

The cross-border transfer of important data and personal information is a common scenario in the cross-border operations of enterprises. The Cybersecurity Law, the Data Security Law and the Personal Information Protection Law of the People's Republic of China have established a security assessment system for the outbound transfer of important data and personal information.
On October 29, 2021, the Cyberspace Administration of China (hereinafter referred to as the "CAC") issued the Measures for Security Assessment of Outbound Data (Exposure Draft) (hereinafter referred to as the "Exposure Draft") and sought public comments.
After the Cybersecurity Law (effective on June 1, 2017) first stipulated the requirement for a cross-border data security assessment, the CAC issued the Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Exposure Draft) on April 11, 2017 and the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for comments) on June 13, 2019. However, because the Data Security Law and the Personal Information Protection Law had not yet been promulgated at that time, the conditions for officially launching the data export security assessment system were not yet ripe.
With the promulgation of the Data Security Law and the Personal Information Protection Law, the legal basis has gradually been clarified, and society has paid unprecedented attention to the cross-border transfer of enterprise data. In this context, the timely release of the Exposure Draft is conducive to regulating cross-border data activities. Its content deserves the attention of enterprises with cross-border data scenarios so that they can make preparations in advance.
1. Applicable conditions

The Exposure Draft combines the rules on "exit of personal information and exit of important data" in a single instrument (Article 2 of the Exposure Draft). It integrates the exit security assessment requirements of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, laying a foundation for the unified application of the data exit system.
I. Situations requiring security assessment

According to the Exposure Draft, there are five situations in which a security assessment of outbound data must be applied for with the national cyberspace administration through the provincial-level cyberspace administration of the place where the data processor is located (Article 4 of the Exposure Draft). They are as follows:

(I) where the outbound data are personal information and important data collected and generated by operators of critical information infrastructure;
(II) where the outbound data contain important data;
(III) where a personal information processor that has processed the personal information of more than one million people provides personal information overseas;
(IV) where the personal information of more than 100,000 people or the sensitive personal information of more than 10,000 people is transferred overseas cumulatively; or
(V) other circumstances in which a security assessment of outbound data is required as prescribed by the CAC.
II. Legal significance of "million"-level personal information

The third situation above can be read as referring to the personal information processor described in the Personal Information Protection Law that processes personal information reaching the amount specified by the CAC. In addition, the Cybersecurity Review Measures stipulate that personal information processors handling the personal information of one million people must pass a cybersecurity review before listing abroad. It can be seen from these provisions that the personal information of one million people may become an important threshold for judging the impact of personal information processing activities on national security.
2. Assessment requirements

In the Exposure Draft, self-assessment is an obligation that every data processor providing data abroad must fulfil (Article 5 of the Exposure Draft), and the materials to be submitted for the data outbound security assessment also include the data outbound risk self-assessment report. In addition to the self-assessment report, the materials specified in the Exposure Draft include the declaration, the contract or other legally effective document to be concluded between the data processor and the overseas recipient, and other materials required for the security assessment (Article 6 of the Exposure Draft). The correspondence between the self-assessment requirements and the security assessment requirements is summarized in the following table:
Comparison of requirements of self-assessment and security assessment

| Key items of self-assessment (Article 5 of the Exposure Draft) | Key items of security assessment (Article 8 of the Exposure Draft) |
|---|---|
| The legality, appropriateness and necessity of the outbound transfer and of the purpose, scope and method of the overseas recipient's processing of the data | The legality, legitimacy and necessity of the purpose, scope and method of transmitting the data abroad |
| Whether the management and technical measures and capabilities of the data processor in the outbound transfer link can prevent data leakage, damage and other risks | —— |
| The responsibilities and obligations that the overseas recipient undertakes to assume, and whether its management and technical measures and its ability to perform those responsibilities and obligations can ensure the security of the outbound data | Whether the data protection level of the overseas recipient meets the requirements of the laws, administrative regulations and mandatory national standards of the People's Republic of China |
| The quantity, scope, type and sensitivity of the outbound data, and the risks to national security, public interests and the legitimate rights and interests of individuals or organizations that may arise from the transfer; the risks of leakage, damage, tampering and abuse of the data after it is transmitted abroad and further transferred, and whether the channels for individuals to safeguard their personal information rights and interests are unobstructed | The quantity, scope, type and sensitivity of the outbound data, and the risks of leakage, tampering, loss, damage, transfer, or illegal acquisition or illegal use of the data when leaving the country or thereafter; whether data security and personal information rights and interests can be adequately and effectively protected |
| Whether the contract for the outbound data concluded with the overseas recipient fully specifies the responsibilities and obligations for data security protection | Whether the contract between the data processor and the overseas recipient makes sufficient provision for the responsibilities and obligations for data security protection |
| —— | The impact of the data security protection policies and regulations and the network security environment of the country or region where the overseas recipient is located on the security of the outbound data |
| —— | Compliance with Chinese laws, administrative regulations and departmental rules |
| —— | Other matters that the CAC considers necessary to assess |
3. Contract requirements
For the contract to be concluded between the data processor and the overseas recipient that forms part of the assessment materials, the Exposure Draft also sets requirements on its contents (Article 9 of the Exposure Draft). These requirements should be regarded as the essential terms of the contract; they correspond to the self-assessment and security assessment requirements and can serve as the basis for the key matters under assessment. They are as follows:

I. The purpose and method of transmitting the data abroad and the scope of the outbound data, and the purpose and method of the overseas recipient's processing of the data;
II. The place and duration of overseas storage of the data, and the measures for handling the data after the storage period expires, the agreed purpose is fulfilled or the contract is terminated;
III. Restrictions on the overseas recipient re-transferring the outbound data to other organizations or individuals;
IV. The security measures to be taken in case of a substantial change in the actual control or business scope of the overseas recipient, or a change in the legal environment of the country or region where the overseas recipient is located, that makes it difficult to guarantee data security;
V. Liability for breach of the data security protection obligations, and binding and enforceable dispute resolution clauses;
VI. Properly carrying out emergency response in case of data leakage and other risks, and ensuring unobstructed channels for individuals to safeguard their personal information rights and interests.

It should be noted that the contract for outbound data differs from the standard contract under Article 38 of the Personal Information Protection Law. Article 38 provides that a personal information processor may conclude a standard contract formulated by the CAC with the overseas recipient in order to transfer personal information abroad. The standard contract under Article 38 applies to personal information processors that are not required to undergo a data outbound security assessment, and is therefore a different concept from the guidance on contract contents in Article 9 of the Exposure Draft.
4. Legal liability

Failure to fulfil the data outbound security assessment obligation is subject to the liability provisions of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law (Article 17 of the Exposure Draft). The relevant legal liabilities are summarized in the following table:
Comparison of relevant legal liability provisions

| Law | Applicable subject | Data type | Legal liability for failure to perform the security assessment obligation |
|---|---|---|---|
| Cybersecurity Law | Critical information infrastructure operators | Personal information and important data | The competent authority shall order the operator to rectify. In case of refusal to rectify or of serious circumstances, a fine of CNY 50,000 to CNY 500,000 shall be imposed, and the competent authority may further order suspension of the related business, winding up for rectification, shutdown of the website or revocation of the business license. The supervisor directly in charge and other directly liable persons shall be fined CNY 10,000 to CNY 100,000. |
| Data Security Law | Data processor | Important data | The competent authority shall order rectification and issue a warning, and may concurrently impose a fine of not less than CNY 100,000 but not more than CNY 1 million; the person directly in charge and other directly liable persons may be fined not less than CNY 10,000 but not more than CNY 100,000. If the circumstances are serious, a fine of not less than CNY 1 million but not more than CNY 10 million shall be imposed, suspension of the relevant business or winding up for rectification may be ordered, and the relevant business permit or business license shall be revoked; the person directly in charge and other directly liable persons shall be fined not less than CNY 100,000 but not more than CNY 1 million. |
| Personal Information Protection Law | Personal information processor | Personal information | A warning shall be given and the illegal gains confiscated; any application that illegally processes personal information shall be ordered to suspend or terminate the provision of services. If the processor refuses to rectify, a fine of not more than CNY 1 million shall be imposed concurrently, and the person directly in charge and other directly liable persons shall be fined not less than CNY 10,000 but not more than CNY 100,000. |
Summary
The Exposure Draft refines the data outbound system of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law of the People's Republic of China; it integrates the cross-border security assessment requirements for different types of data and sets the direction for the development of self-assessment and security assessment. Enterprises and other entities should pay close attention to the subsequent revision or promulgation of this draft so that they can plan their own data outbound activities reasonably.