Companies operating in China should be attentive to the Measures on Security Assessment of Cross-Border Data Transfers (Measures), published on July 7, 2022, as they take effect as early as September 1, 2022.
Among other things, the Measures require data processors to conduct a security assessment when they:
1. Provide critical data outside of China.
2. Are operators of critical information infrastructure and processors of personal data of more than one million people.
3. Have transferred personal data of 100,000 people or sensitive personal data of 10,000 people abroad since January 1 of the previous year.
Even if the above circumstances do not apply, it is still advisable for companies to obtain security certification in accordance with the specifications for the transfer of smaller amounts of personal data. Alternatively, standard contractual clauses can be signed with the recipient abroad. In addition, a Personal Information Security Impact Assessment (PISIA) is required prior to exporting the personal data.
As the Measures set a rectification period until Feb. 28, 2023, we recommend that companies operating in China first conduct a data mapping during this period to highlight and review existing data transfer practices. This may involve categorizing the personal data and non-personal data to be processed, determining the amount, scope and sensitivity, as well as the purpose, method and period of storage. Establishing an internal evaluation system for the personal data and important data that is processed and transferred is also useful in this context. Companies should also begin revising and improving their existing internal legal documents with regard to security certification or standard contractual clauses.