Following Part I  of the Look Back at PRC Regulations on Outbound Data Transfer in 2022 regarding the release of Standard Contract Provisions for the Export of Personal Information (Draft for Comment), this Part II of the Look-Back mainly summarizes the 2022 regulation updates below regarding outbound data transfer security assessment in China.

 

On July 7, 2022, the Cyberspace Administration of China (“CAC”) issued the Measures for the Security Assessment of Outbound Data Transfer  (the “Assessment Measures”, 数据出境安全评估办法). The security assessment with the data processors providing important data and personal information collected and generated during operations within the People's Republic of China to the overseas applies to these Assessment Measures. The Assessment Measures comes into force on September 1, 2022.

According to the Assessment Measures, data processors who provide data to the overseas under any of the following circumstances shall apply for the outbound data transfer security assessment to the national cyberspace administration department through the local provincial-level cyberspace administration department:

(1) The data processor provides important data to the overseas;

(2) Key information infrastructure operators and data processors processing personal information of more than 1 million people provide personal information to the overseas;

(3) Data processors who have provided personal information of 100,000 people or sensitive personal information of 10,000 people to the overseas since January 1st of the previous year provide the overseas with personal information;

(4) Other circumstances stipulated by the national cyberspace administration department under which the outbound data transfer security assessment is required.

 

Data processors should conduct the self-assessment of outbound data transfer risks before applying for the outbound data transfer security assessment. At the same time, the Assessment Measures stipulate the key assessment items of the security assessment, the materials that need to be submitted to apply for the outbound data transfer security assessment, and data security protection responsibilities and obligations that should be clarified in the legal documents entered into by the data processors and the overseas recipients. The validity term of passing the outbound data transfer security assessment is 2 years.

 

Subsequently, on August 31, 2022, the CAC released the Guidelines for Application for Outbound Data Transfer Security Assessment (First Edition)  (the “Guidelines”, 数据出境安全评估申报指南（第一版）) . These Guidelines aim to guide and help data processors to orderly apply for outbound data transfer security assessment. These Guidelines explain the application method and application process of the outbound data transfer security assessment, list the requirements for application materials, and provide relevant templates including the template of outbound data transfer security assessment application letter and the outbound data transfer risk self-assessment report.

 

According to the Assessment Measures and the Guidelines, the provincial-level cyberspace administration department conducts the review on completeness of the application materials. After the completeness inspection is passed, the provincial-level cyberspace administration department will submit the application materials to the national cyberspace administration department. The security assessment will be carried out if the application materials are accepted by the national cyberspace administration department upon review.

 

What is worth noting to enterprises involved in self-assessment of outbound data transfer risks is that, according to the template of the undertaking letter in the outbound data transfer security assessment application letter and the template of the outbound data transfer risk self-assessment report, the self-assessment activity stated in the self-assessment report needs to be completed within 3 months before the date of the application for security assessment, and there should be no major changes prior to the date of the application. Therefore, it is recommended that the enterprises should consider on how to properly arrange the self-assessment work and the application time to ensure the validity of the self-assessment report at the time of application for outbound data transfer security assessment.

 

[1] http://www.foundin.cn/en/bbs/board.php?bo_table=ip_trends_en&wr_id=42

[2] Full text can be seen at http://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm (in Chinese only, source from: Cyberspace Administration of China. )

[3] Full text can be seen at http://www.cac.gov.cn/2022-08/31/c_1663568169996202.htm (in Chinese only, , source from: Cyberspace Administration of China. )