Draft data export security assessment procedures released

Almost on the eve of China’s new Personal Information Protection Law coming into force today (!!!), the country’s cybersecurity regulator – the Cyberspace Administration of China (CAC) – released a revised iteration of its draft Measures for the Security Assessment of Outbound Data Transfers.

Finally, over 4 years after the seminal Cybersecurity Law was launched, it seems the market is now getting closer to understanding the key rules that will govern the regulatory security assessment process through which businesses in mainland China can apply to transfer certain data on a cross-border basis – including to affiliates and regional HQs in Hong Kong SAR.

For some enterprises, the new draft will represent a welcome change from previous iterations that concerned international stakeholders all the way to the WTO. That said, while 2019’s blanket application of a security assessment to all data exports has been limited under these new measures to 5 different scenarios (as described below), the content of the new draft measures will largely not surprise market watchers who are familiar with previous consolidation drafts proposed in 2017 and 2019.

Some points jump out and are worth discussing.

Key triggers

The Data Security Law (DSL) and Personal Information Protection Law (PIPL) left power to China’s regulators to formulate rules which dictate to which organisations security assessments would be applied. The uncertainty has unsettled those that recognise that China – as for other markets, including arguably the EU – has been moving towards data localisation as a default principle. However, with the categories of transfer that are proposed to be subject to the Chinese regulators’ review, can international business breathe a sigh of relief following the release of these new measures? These categories are:

  • Transfers by CII operators: See our previous note suggesting most international businesses might escape this categorisation under other recent regulations, but must await guidance from their industry regulators to know more definitively.
  • Transfers containing “important data”: See our previous assessment of the draft guidelines leaked in September on the meaning of important data. Although yet to be catalogued by industry regulators, this concept should generally not constitute most MNCs’ everyday data, but it is unclear if, for example, organisations can be “tainted” by partnering with or providing services to large state-owned businesses that share their sensitive data.
  • Processors of more than 1 million individuals’ personal information: To be read as applying these transfer restrictions to most platforms in China’s vast digital economy, as well as large consumer-facing brands boasting CRMs and other data pools that all CEOs crave.
  • Transfers of personal information of more than 100,000 individuals cumulatively: This is a large number that in itself would only catch a handful of mega overseas headquartered employers like Foxconn in a granular survey report on employees, for example. However, the vagueness of “cumulatively” needs to be clarified by regulators – a 12-month cumulative period, as seen in earlier rules, could catch large manufacturers, banks and others over the course of a year.
  • Transfers of sensitive personal information of more than 10,000 individuals cumulatively: A lower figure corresponding to the sensitivity of the data at stake (such as ID scans where used for secure app registrations, or financial information). The uncertainty attached to “cumulatively” may put some international healthcare providers and medical device manufacturers on notice, as well as some foreign-invested schools with minors’ personal information on their servers.
  • Other transfers as specified to be required by the CAC: Although a common catch-all, some businesses may worry that this could be used in one-off instances with little predictability.

Checks that are balanced?

If the transfer falls within any of the categories above, the CAC will require a regulatory security assessment to be performed. First, businesses must conduct a self-assessment (and, indeed, this is required before any data export regardless of categorisation). This self-assessment seems to be an enhanced form of the personal information impact assessments that are already mandated for cross-border transfers under the PIPL (and, in practice, the impact assessments will likely be subsumed into this self-assessment when it comes to data exports). The self-assessment report will then be submitted together with an application form and a copy of the contract or other legally binding documents between the sender and the overseas recipient.

Two immediate questions arise:

Transfer impact assessment with Chinese characteristics?

One of the factors to be considered in the self-assessment is the “risk of leakage, damage, tampering and abuse of data after the data is transmitted abroad and further transferred, and whether there are clear channels for individuals to maintain their rights and interests attached to their personal information”. Although the security circumstances relating to the method of transfer and the recipient of the data could be part of this assessment, it seems that part of it could also be analogous to the transfer impact assessments that international organisations run against the European Essential Guarantees for surveillance measures (albeit that the test under China’s new rules would not be limited to personal information).

Further rationale for including that sort of TIA analysis in the self-assessment report stems from the fact that the regulators’ own assessment (based on the report and other application materials) will focus on assessing the risks that the data export activities may bring to national security, public interest, and the legal interests of individuals or organisations. In particular, this analysis should pay attention to the “impact of the policies and regulations on data security protection and the network security environment of the country or region where the overseas recipient is located on the security of the outbound data”. While the weighting of different factors is not clear under the new rules, what is even less clear is how the CAC could make assessments of various overseas data security and privacy regimes without help. Therefore, might including such analysis in the applicant’s self-assessment report be a wise move to facilitate the PRC authority’s positive assessment (particularly for recipients in the US, which is as of today the last of the 3 big trade blocs without a federal privacy law regime)?

Contractual outline serves as a hint to China’s SCCs?

As in the draft 2019 measures, the CAC lays out a framework for the contractual terms to be entered into by the sender with the offshore recipient. Provisions must cover the scope of data shared; the purpose and method of transfer and processing overseas by the receiver; the location and duration of data storage; the way data will be handled after arrangements end or are terminated; restrictions on onward transfers of data; imposition on the recipient of protections to maintain the security guarantee mandated under the PIPL; allocation of liabilities; breach reporting obligations; and enquiry handling channels for data subjects.

While prescriptive, international organisations would probably prefer to work with this list of requirements for cross-border data transfer agreements, rather than wait for the unknown of the CAC’s template contract that is due to be introduced as the most practical (in theory) transfer mechanism under the PIPL. Adapting existing internal agreement templates (if and where needed) to a list of high-level requirements would seem a less intrusive exercise than comparing internal templates to a rigid pro-forma from the authority. As such, is a CAC template actually still needed? And, if so, when can it be expected, given that it remains the option of choice for most enterprises – all of which are compelled to continue to operate in a “grey area” while the template is unavailable?

Time is of the essence

Following submission of an application for approval, the CAC will issue a notice of acceptance (at least on paper) within 7 business days. Provided all submission materials are adequate for a full review, the CAC promises to give the assessment result within 45 business days for simple cases and up to 60 working days for complex cases. This is much longer than the 15 days that the authorities afforded themselves under the 2019 measures and perhaps reflects a growing appreciation of the workload that the regulators might take on with these new rules (and other developments such as the Cybersecurity Review Measures).

Successful approvals will remain valid for 2 years for as long as there are no changes to internal or external factors material to the assessment just conducted. The new draft rules do not require annual reviews as seen in a previous draft, but businesses are generally required under the DSL and PIPL to undertake regular risk assessments of their compliance position. Legal and compliance teams will therefore need to monitor business processes and ensure communication and escalation protocols are adhered to in order to stay on top of the forthcoming obligations.

Next steps

These new assessment rules are under consultation but, as the third iteration of these draft rules, it is fair to expect them not to change greatly. Indeed, the article below expects the measures to come into force relatively rapidly after the consultation period ends at the end of November.

Some more granular guidance would be expected eventually to replace a draft guideline published in 2017, but the timing for this is unknown. Looking at the 2017 guidance again, though, it does set out further details on how to consider the impact of numerous factors that remain valid under the framework of the new rules. As such, international businesses should be gearing up for implementation of the new rules sooner rather than later, and in a tweaked rather than rewritten form.

Watch this space!