In addition to the two developments we reported on in our last blog post, on July 7, 2022, the long-awaited final version of the Measures for Security Assessment of Cross-border Data Transfer (《数据出境安全评估办法》, “Measures”) was released by the Cyberspace Administration of China (“CAC”).  With a very tight implementation schedule, the Measures will take effect on September 1, 2022.  The full text of the Measures can be found here (currently available only in Mandarin Chinese).

In this blog, we highlight a few key takeaways from the final Measures.

(1) Who must carry out a security assessment?

According to Article 4, an entity that transfers data out of China must apply for a security assessment if any of the following criteria are met:

  • the entity transfers “important data” out of China – the Measures define “important data” as “any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, and public health and safety;”
  • the entity transfers personal information out of China as (1) a critical information infrastructure (CII) operator, or (2) a data processing entity that processes personal information of over one million individuals;
  • the entity has transferred, since January 1 of the previous year, personal information out of China that consists of (1) the personal information of more than 100,000 individuals, or (2) the sensitive personal information of more than 10,000 individuals; or
  • under other circumstances specified by the CAC.

These thresholds remain unchanged from those provided in the draft version of the Measures issued in October 2021.

(2) How should a security assessment be carried out and what is the timeline?

Under Article 5 of the Measures, data processing entities need to carry out a self-assessment before they can apply through provincial CACs for a security assessment to be carried out and approved by the CAC at the central level.

Upon receipt of the application, a provincial CAC must confirm whether the application materials are complete within 5 working days.  If the application package is complete, the provincial CAC will pass on the application to the central CAC. 

The CAC will inform the applicant in writing whether an application has been accepted within 7 working days of receipt.

After an application is officially accepted, the CAC is required to conclude the assessment and make a decision within 45 working days.  For complex cases or where additional application materials are required, this period can be extended, and the CAC needs to notify the applicant of the estimated time extension.  

If the applicant is not satisfied with the assessment result, it can apply to the central CAC for a re-evaluation within 15 working days from receipt of the result.  The re-evaluation result will be considered the final conclusion.

(3) What materials are required for a security assessment?

Article 6 of the Measures requires data processing entities to submit the following materials when applying for the security assessment:

  • application form;
  • self-assessment report for cross-border data transfers;
  • the agreement or other legally binding documents to be entered into between the data processing entity and the recipient outside of China; and
  • other materials required for the security assessment.

The Measures set forth detailed requirements with respect to the matters to be considered in both the self-assessment and the formal assessment.  The Measures also stipulate the contents that must be included in the agreement to be entered into between the parties.  Although the application form is yet to be released, an applicant would likely need to demonstrate in the application materials its compliance with the substantial criteria for the security assessment in the Measures, such as the lawfulness, legitimacy and necessity of the purpose, scope, method and other aspects required to justify the cross-border data transfer.

(4) How often do companies need to carry out a security assessment?

The assessment result is valid for 2 years.  A data processing entity may also need to re-submit an application in certain circumstances, such as where the cross-border data transfer purpose has changed.

(5) Is there a grace period?

The Measures will take effect on September 1, 2022.  For cross-border data transfers that are carried out before that date, the rectification must be completed within 6 months.  It is not quite clear whether the 6-month rectification period would also apply to cross-border data transfers that commence after September 1, 2022.  Regardless, the grace period is relatively short, especially for companies that may have complicated data flows out of China.  

Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.

Yan was named one of Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Yan is a Certified Information Privacy Professional (CIPP/Asia) by the International Association of Privacy Professionals and an active member of the American Bar Association’s Section of Antitrust Law.

Xuezi Dan

Xuezi Dan is an associate in the firm’s Beijing office. Her practice focuses on regulatory compliance, with a particular focus on data privacy and cybersecurity. Xuezi helps clients understand and navigate the increasingly complex privacy regulatory issues in China.

She also has experience advising clients on general corporate and antitrust matters.