On October 29, 2021, the Cyberspace Administration of China (“CAC”) published the Security Assessment Measures of Data Cross-border Transfer (Draft for Comments) (the “New Draft Measures”) for public comments.
The New Draft Measures is intended to set out clear implementation rules for the general principles on data cross-border transfer laid down in the Cyber Security Law, the Data Security Law and the Personal Information Protection Law. Although the current draft may be revised further before finalization, the following potential impacts of the New Draft Measures deserve attention:
- The possibility of triggering a government security assessment may affect the daily operations of many multinational companies.
Article 4 of the New Draft Measures specifies five scenarios in which a data cross-border transfer will trigger a security assessment by the central CAC or the relevant provincial branch of the CAC (as applicable):
(1) Cross-border transfer of personal information (“PI”) or important data collected or generated by the operators of critical information infrastructures;
(2) Cross-border transfer of data containing important data;
(3) Cross-border transfer of PI by a data processor that has processed PI of one million or more;
(4) Cumulative cross-border transfer of PI of 100,000 or more, or of sensitive PI of 10,000 or more;
(5) Other scenarios as specified by CAC.
Of the five triggers above, the third and the fourth are the most relevant to the daily operations of many multinational companies in the PRC, which may need to transfer the PI of their users, customers, suppliers and employees to their overseas headquarters or global data processing centers. For compliance purposes, these multinationals may need to begin closely auditing and monitoring existing, ongoing and future transfers and storage of PI originating from the PRC, and to assess whether, and prepare to apply for, a security assessment by the PRC authorities.
Note that the current formulation of the triggers under Article 4 still needs further clarification. For example: (i) the definition of "important data" needs to be specified further; (ii) it is unclear whether the one-million threshold mentioned above is calculated on a per-person or a per-entity basis; and (iii) it is unclear how updated PI of a person is counted toward the 100,000 and 10,000 thresholds mentioned above.
We recommend that companies (not only multinational companies, but certain domestic companies as well) in the internet, e-commerce, retail, logistics, life science and healthcare industries carefully assess the impact of the New Draft Measures on their daily operations with respect to the PI they collect and process in the PRC.
- Preparing the application for a security assessment requires coordinated effort across a multinational company.
Article 6 of the New Draft Measures requires the following documents to be submitted to the governmental authorities for the security assessment:
(1) Application form;
(2) Risk self-assessment report of data cross-border transfer;
(3) Contracts or other legally binding documents between data processors and foreign recipients (collectively, the “Contracts”);
(4) Other documents for the safety assessment as requested.
Among the application documents, the risk self-assessment report is clearly of critical importance to the application. The New Draft Measures lists several key matters that the risk self-assessment report must cover, including:
(a) The legality, reasonableness and necessity of the data cross-border transfer;
(b) Details of the target data to be transferred and an assessment of the risks such transfer poses to national security, public interests and individual rights;
(c) Technical measures taken to protect the security of the target data;
(d) Post-transfer data protection and maintenance; and
(e) The contractual obligations of the foreign recipients.
The comprehensive scope and contents of such a risk self-assessment report clearly require in-depth collaboration between different departments and teams within a multinational company, as well as with the outside vendors involved in processing the PI. Completing the self-assessment report itself also requires the applicant to be fully committed to protecting PI in accordance with PRC law. This may be a challenging but necessary task for the compliance and legal teams of many multinational companies in the PRC.
- The security assessment may become an ongoing compliance obligation for multinational companies
The New Draft Measures provides that the review period for an application is 45 to 60 working days following acceptance of a complete application. According to Article 12 of the New Draft Measures, once a security assessment is completed and approval is granted, the approval is valid for two years. If cross-border transfer of the same data is to continue after the two-year validity period expires, a new security assessment must be applied for 60 working days before the expiry.
During the two-year period, if there is any substantial change to the data being transferred cross-border, including a change in the nature or scope of the data, a change in its use by the overseas recipient, an extension of the storage period, or a change in the legal environment, control or contractual arrangements of the overseas recipient, a new security assessment must be applied for.
Although the New Draft Measures is not entirely clear on whether every substantive change to the data within the two-year period (e.g., growth in the volume of PI as the user base grows) would trigger another assessment, it is clear that the security assessment will become an ongoing compliance obligation, rather than a one-time exercise, for any multinational company whose operations involve data cross-border transfer from the PRC.