With the enactment of China’s Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL), security management and assessment of cross-border data transfer became a key issue. Following these three laws, China’s Cyberspace Administration (CAC) published the Measures on Data Export Security Assessment (Draft for Comments) on October 29, 2021, which provides supplementary rules for data export compliance.
Under the CSL, the data export security assessment requirement is limited only to Critical Information Infrastructure Operators (CIIOs). The Draft Measures following the DSL Regulation extends the data export security assessment obligation from CIIOs to all data processors and specifies that data processors must conduct security assessments when transferring important data and personal information generated and collected in China to foreign countries.
The structure of the security assessment is a combination of self-assessment and government security assessment. In other words, all data processors should conduct a self-assessment of data export risk before transferring data abroad. If certain conditions are met, data processors should also report the data export security assessment to the CAC through the provincial cyberspace department at their location.
The conditions that trigger a government security assessment for data export include that (a) the data processor belongs to the group of specific identities, i.e. processors that process personal data of more than one million individuals, or CIIOs, (b) the data to be exported contains important data, (c) the data to be exported cumulatively exceeds the personal data of 100,000 individuals or the sensitive personal data of 10,000 individuals, and (d) other circumstances specified by China’s cyberspace administration exist.
For a foreign company, it is less likely that it will be identified as a specific identity. But if the data to be exported constitutes important data, which is specified by the industry standards and in the event of damage may affect the national security, or reaches a certain amount of personal data or sensitive personal data, the foreign enterprise is also required to declare a security assessment to the CAC. Even if a security assessment is not required to be declared, foreign companies are required to conduct a self-assessment prior to exporting data.
Although the Measures Draft has not yet entered into force, we expect the regulations and measures related to cross-border data transfer to be implemented quickly in the coming months. Foreign companies established in China should as early as possible conduct data mapping to identify important data and personal information that fall within the scope of data export controls, and set up a cross-border data transfer compliance system and prepare the legal documents required, such as templates for self-assessment reports and documents needed for declaring government security assessment.