China’s new framework for regulating data transfers is beginning to take shape. On October 29, 2021, China’s cybersecurity regulator, the Cyberspace Administration of China (CAC), published draft guidelines outlining when and how data controllers must undergo a security assessment before transferring data out of China pursuant to the country’s recently-issued data privacy and security laws. The published guidelines come just days before China’s new omnibus privacy law, the Personal Information Protection Law (PIPL), takes effect, and at a time when the Chinese government is taking increasingly aggressive steps to regulate tech companies processing consumer data. The deadline for public comments on the new draft guidelines is November 28, 2021.
Which Companies Would the Guidance Apply To?
The guidelines would require data controllers to submit a security assessment to the CAC of their local province when seeking to export data and any of the following applies: (1) critical information infrastructure operators collect personal information and “important data” (defined as data that poses a threat to China’s national and economic interests or impacts the rights of individuals and organizations, and has an “obvious cascading effect” across a range of industries or enterprises); (2) the transfer data contains important information; (3) data controllers who process personal information of one million people transfer personal data abroad; (4) data controllers cumulatively transfer personal information of more than 100,000 people or sensitive personal information of more than 10,000 people abroad; (5) other situations the CAC determines require a security assessment.
While the CAC is still expected to release standard contractual clauses (SCCs) as another method of complying with the data transfer obligations under the PIPL, these draft guidelines make clear that certain data controllers who meet these criteria must undergo a security assessment regardless of whether they rely on SCCs for data transfers.
What Would the Guidelines Require?
Before data controllers who meet these criteria submit their application to the relevant authorities, they must conduct a risk assessment that, similar to Data Protection Impact Assessments under the European General Data Protection Regulation (GDPR), considers the necessity, purpose, and method of the data transfer; the quantity, scope, and sensitivity of the data; the sufficiency of the technical and organizational measures of the overseas data importer to prevent loss or damage to the data; the responsibilities and obligations of the overseas data importer; the risks to the data from onward transfers and ability of data subjects to continue to exercise their data subject rights; and the sufficiency of the data processing contract that the data exporter has signed with the data importer.
The guidance also describes what information should be included in the data processing contracts between the parties, including (1) the purpose, method, and scope of the transfer; (2) the location and duration of data storage overseas; (3) clauses restricting onward transfers; (4) the security measures the data importer will put in place to protect the data; (5) liability for breaches of these data security protection obligations; and (6) mechanisms for data subjects to exercise their rights.
Data controllers submitting a data export security assessment to the authorities for review must submit a declaration form, self-assessment report, and the contract signed between the data exporter and importer. The authorities will review the application materials within seven business days to determine their sufficiency, taking into account whether the data protection laws of the country of the data importer meet the standards required under Chinese law. For the export of important data, the CAC will also solicit the opinions of relevant industry authorities.
The draft guidelines anticipate that the authorities’ security review should be completed, in most cases, within 45 days of submission of the materials, and the results of the assessment would be valid for two years. This period could be shortened however, if, for example, there are changes in the legal environment in the country of the data importer that may affect the security of the data.
The draft guidelines conclude by noting that violations of these provisions constitutes a crime, and those violating the law will be held criminally responsible. The guidance does not yet detail what the criminal penalties will be for violations.
Companies potentially subject to these guidelines should take note of the robustness of some of these requirements, and should be on the lookout for the final guidelines that will be issued after the comment period has closed.