China’s cyber regulator – the Cyberspace Administration of China (CAC) – yesterday released the final form of the Measures for the Security Assessment of Outbound Data Transfers (数据出境安全评估办法 in Chinese) (Measures).
Summer holidays may need to be delayed with these important Measures going live on 1 September (this year!).
To aid the understanding of tech and other businesses scrambling to implement these rules in less than 2 months, below are some initial thoughts from us on the Measures’ key changes from the autumn draft.
In-scope businesses
Data-rich tech players and large institutions in mainland China dealing with other markets will need to pay attention to the final criteria of the Measures. Security assessments are required to be undertaken as follows:
- Exports of “important data”: We finally have a statutory definition of “important data” after 5 years. Worth the wait? Not really. We still have the vague pronouncement that is open to interpretation in an area where law and geopolitics co-mingle: “any data that, once tampered with, damaged, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, and public health and safety.”
To understand what “may endanger” China in this way, businesses and the frontline officials tasked with making the assessments will be clamouring for release of the Rules for Identification of Key Data. Sticking a neck out though, looking across the definition and the factors for consideration in the identification rules, the scope of important data should be narrow in the context of everyday business.
- Transfers by CII operators and “million+1” processors: Two limbs in the draft measures have been merged, which indicates the authorities’ intention to restrict “big boys (and girls)” rather than most businesses.
Our view is that few foreign-invested businesses will be designated by their supervising regulators as operators of “critical information infrastructure” under last September’s regulations. However, the scope of these operators may flex as regulators around the world are increasingly recognising the criticality of platforms and other private businesses to national economies and social wellbeing in the era of digitalisation.
Relatedly, the threshold of 1 million will inevitably mean assessments are required for large international players: consumer-facing luxury brands that have built CRMs of loyal consumers and financial institutions with funds platforms or other impressive data pools of retail customers, for example. Success in China brings responsibility under the Measures.
- Transfers of personal information above set cumulative thresholds: Last year’s draft rules proposed that exports must be assessed of personal information of more than 100,000 individuals, or sensitive personal information (such as IDs/passports, health or financial information) of more than 10,000 individuals, “cumulatively”.
The Measures “helpfully” clarify the accumulation method as a lookback to 1 January of the previous year. The fixed date of 1 January rather than a rolling 2-year period might seem arbitrary to seasonal operators. For example, a travel operator may have a spike in cross-border business for the festive period and this means that domestic sales teams hold back on sending overseas their December booking data until accumulated data levels are “cleansed” on the turn of 1 January – travel chaos may ensue.
In any case, banks, overseas university admissions offices, international tele-medicine providers and others will need to consider implementing alert systems because these thresholds will bite some serving the vast Chinese population. Not only that, but do businesses have to retain records of transfers for 2 years in case they reach a threshold before 1 January? Or does the rule mean that the assessment applies to all contemplated data exports from point of reaching the threshold to the next 31 December when the activities of the organisation may mean its data export levels drop under the thresholds again? The need to anticipate the trigger and ensure retrospective or prospective compliance with the rules will be an unwelcome burden unless there is further regulatory guidance.
That said, the bottom line should be that not all international businesses will be caught – domestic SMEs and most other foreign-invested businesses should not be impacted.
This is different to the apparent need for all domestic operators doing cross-border business to start thinking about papering data exports once China’s standard contractual clauses (SCCs) are finally released – which should be soon to facilitate compliance with the Measures (see below).
Note: Hong Kong SAR (as well as each of Macau SAR and Taiwan) is a separate territory for the purpose of the Measures. Businesses with Asia HQs coordinating mainland business from Hong Kong are definitely in-scope in terms of exporting data to Hong Kong but operations in Hong Kong itself are not directly subject to these rules as senders of data.
Practicalities of preparing for the assessment
Helpfully, the final rules clarify that the self-assessment under the Measures is only mandatory before applying for a regulator assessment. Businesses that do not meet the triggers above will still need to conduct personal information protection impact assessments under the Personal Information Protection Law (but most international players can comply through a similar approach to that followed for their GDPR data protection impact assessments).
While the documents to be filed for the regulator-led assessment remain unchanged from the draft rules (i.e. an application form, self-assessment report, and a copy of the contract or other terms to be entered into between the domestic sender and the recipient outside of China), the application form is not annexed to the Measures. Businesses will need sight of this form soon to commerce gathering of the information required to complete it, organising translations where needed, etc.
In a change to the draft rules, filings are to be made to provincial-level CACs, which will confirm the completeness of the pack before escalating it to the central CAC. But, will each provincial CAC have its own form and other filing requirements, which adds complexity for businesses operating in multiple locations?
Nature of the assessment
The substance of the self-assessment and the CAC’s assessment are not greatly changed under the Measures, but some points jump out:
- In-transit protection: The final form of the Measures emphasises assessment of the risks to the data during transfer. Reinforcing China’s recently launched data security management certification scheme, the regulator’s expectation is clearly hardening that domestic businesses must have robust encryption and other security protocols in place and have more oversight of service providers involved in data flows. Some businesses may need to accelerate infrastructure upgrades and ensure audit rights are available to them under service contracts.
- Binding obligations: Doubling-down on the release last week of the draft of the SCCs, the Measures seem clear that legally binding documentation should be concluded between the data exporter and overseas recipients. Therefore, agreeing terms that follow the principles of the certification specification (which some see as akin to Europe’s Binding Corporate Rules) or the SCCs is likely a must.
Discussions with counterparties on this papering exercise will need to start soon for any transfers to be initiated after the Measures launch. Even harder, retrospective papering seems necessary for transfers likely requiring rectification under the 6-month retroactive application of the Measures.
- Transfer impact assessments: The Measures mandate that the CAC will be charged with assessing the impact of the data security laws and network security environment of the data’s destination territory. However, for a data exporter to understand the data protection capabilities of an offshore counterparty would seem to require it to conduct an assessment – at least in part – analogous to the transfer impact assessments that multinational organisations are now familiar with under the European Essential Guarantees for surveillance measures. Or could the Chinese authorities help facilitate cross-border business with a similar innovation to that seen from the Japanese data watchdog with helpful pro forma assessments for certain key markets?
For now, the cost and time burden for cross-border business will increase and the characterisation of the US’s data security ecosystem under these assessments remains to be seen with it unlikely to have a comprehensive federal data privacy law until at least 2023.
Regulatory process
A welcome change to the Measures is that provincial-level CACs will first review applications. They can hopefully filter incomplete filings to allow central CAC officials to focus on the substantive assessment processes, for which they will still ordinarily have 45 days to issue an acceptance notice.
However, as an additional hurdle to clearance, the state CAC has a second right of refusal of the application materials after the preliminary review of its provincial colleagues. Central CAC can also take beyond the originally proposed 60 days to review complicated cases. In sum, the period before which a business receives notice that an application has ultimately been rejected may be prolonged.
While this uncertainty is tempered by a new right for organisations to appeal decisions within 15 days, as the reassessment conducted by the same CAC is then final, a different result in sensitive circumstances of national security seems unlikely.
Next steps
(GO, GO, GO! Why are you still reading this?)
More rulemaking is needed to fill the gaps highlighted above, as well as others. Industry-level rules are expressed to prevail over the Measures so those should be expected in short-order, unless departments choose to first see how the Measures bed down. It is known that the likes of the China Securities Regulatory Commission are formulating further rules for exports of financial data. Businesses are advised to rally behind larger chambers of commerce and prolific industry associations like ASIFMA to get views across.
Crucially though, businesses harnessing the ever-digitalising economy to do cross-border business with China will need to assess whether they are caught by the Measures. If so, compliance programmes need rapid upgrading. We are here to help!