International companies operating in China should pay close attention to the new edition of the guidelines issued by the Cyberspace Administration of China (CAC) on applying for a security assessment before transferring personal information (PI) and important data out of China. The guidelines accompany the Measures for Security Assessment of Cross-border Data Transfer (Measures), which came into effect on September 1.
Consistent with the measures, the guidelines confirm that the CAC-led security assessment applies to cross-border data transfers from China under the following circumstances:
Transfer of important data (data that, once tampered with, sabotaged, leaked, or illegally obtained or used, may endanger national security, economic operation, social stability, or public health and safety).
Transfer of personal information by a critical information infrastructure (CII) operator.
Transfer of personal information by a data exporter that processes the personal information of 1 million or more individuals.
Accumulative transfers of personal information exceeding 100,000 individuals since Jan. 1 of the preceding year.
Accumulative transfers of sensitive personal information exceeding 10,000 individuals since Jan. 1 of the preceding year.
Other situations where relevant Chinese laws and regulations require security assessments.
The guidelines explain the procedures and processes for companies to apply for permission to export data out of China and include complete lists of required documents, templates for documents such as security assessment declarations, and application forms.
Companies must provide a copy of cross-border data transfer agreements to be signed with the data recipient(s) outside of China, a self-assessment report on cross-border data transfer risks, as well as some basic documentation on the China-based data exporter (e.g., its business license).
In addition to a general description of data transfer flows (such as an overview of transfer scenarios, transfer purposes, data to be transferred and information on data importers outside of China), certain technical details about cross-border data transmission must be included in the application form.
Specifically, the data exporter needs to specify the data transmission service provider, the number of data transmission lines and bandwidth, and the location of data centers inside and outside of China, as well as IP addresses of such infrastructure.
Since the Cybersecurity Law took effect in 2017, there has been debate over what constitutes a cross-border data transfer. Several earlier draft regulations issued by the CAC attempted to clarify the question, but none of them was finalized. The guidelines now clarify how to declare a security assessment before transferring a qualifying volume of PI, or any important data, overseas.
Companies must apply for the security assessment to the central CAC through the provincial CAC branch in the jurisdiction where they are located. The application is submitted as a hard copy of the application materials, with the electronic version attached on a CD-ROM.
Within five working days, the provincial CAC branch checks the materials for completeness and forwards them to the national-level CAC; if the materials are incomplete, the applicant receives a notice. The central CAC then decides whether to accept the application.
If the CAC requests supplementary or corrected materials or information, the applicant must provide them; otherwise the security assessment is terminated.
The applicant receives a written notice of the assessment result. If the transfer is approved, the company may proceed with the cross-border data transfer in compliance with the relevant laws and regulations. If the applicant disagrees with the result, it can apply for re-assessment within 15 working days.
The application package must include, among other documents, a copy of the Unified Social Credit Code certificate, a copy of the legal representative's ID card, a copy of the ID card of the person in charge of the application, the data export security assessment declaration form, copies of the data export-related contracts with the overseas recipients, and the data export risk self-assessment report.
The company is responsible for the self-assessment report, and the self-assessment must have been completed within the three months before the application is submitted. If a third party assisted with the self-assessment, the applicant must explain why and have the third-party organization affix its official seal on the relevant pages.
When carrying out the self-assessment, the data exporter must consider several key issues: whether the transfer is legal, necessary, and appropriate; the scope, category, volume, and sensitivity of the data to be transferred; and what impact the transfer may have on China's national security and public interest.
It should also evaluate whether the data exporter and the overseas recipient can adopt organizational and technical measures strong enough to protect the data from loss, damage, or leakage, and whether the cross-border data transfer agreement provides sufficient data protection.
The guidelines include a template self-assessment report that asks the data exporter for a wide range of information: a brief description of the self-assessment; the exporter's corporate structure, investment and business model, data center locations, and IP addresses; the purpose, category, volume, sensitivity, and industry sector of the data to be transferred out of China; and whether there will be any onward transfers.
The report should also describe the data protection capabilities of both the data exporter and the foreign recipient, outline the data protection regime of the country where the overseas recipient is based, and summarize the key terms of the cross-border data transfer agreement.
The data exporter is also required to analyze the risks associated with the contemplated cross-border data transfer.
The company should include a copy of the cross-border data transfer agreement in the documents submitted to the CAC. In case of an inter-group data transfer where there is no specific agreement, the data exporter is required to provide other documents such as the corporate policy governing cross-border data transfer to illustrate how cross-border data transfers are managed.
The guidelines do not expressly require the cross-border data transfer agreement to be based on the CAC's Standard Contract for data export, but they do require it to contain certain necessary clauses. In practice, an agreement based on the CAC standard contract is likely to be processed more quickly, since the reviewing officials are familiar with that version.
The guidelines also provide a template application form, consisting of a standard letter of undertaking in which the data exporter commits to the truthfulness and accuracy of the information submitted, and a prescribed table.
The guidelines require that the key terms of the cross-border data transfer agreement dealing with the necessity and purpose of the transfer, overseas storage, onward transfer and remedy mechanisms, and liability and dispute resolution be highlighted or boxed in the application form, with explicit references to the corresponding page numbers in the agreement.
All documents submitted must be accompanied by a Chinese version if the original is prepared in a foreign language. Failure to meet these requirements risks the application being rejected or delayed.
Noncompliance with the Measures and the guidelines may expose companies and their executives to significant administrative, civil, and criminal liability.
Chinese authorities have recently enforced data regulations through dawn raids and investigations, removal of noncompliant apps from app stores, orders to suspend business for rectification, and hefty fines on violating companies and executives.
Multinational corporations commonly run shared IT infrastructure and applications through which their Chinese subsidiaries exchange employee or customer data with global headquarters or affiliates outside China.
With the Measures and the guidelines in force, these scenarios fall within the scope of the mandatory security assessment whenever a data transfer threshold is met. Foreign companies should map their data flows, assess whether their data activities fall under the guidelines and, if so, take the necessary compliance actions.
DISCLAIMER: All information in this article is verified to the best of our ability and is assumed to be correct at time of release; however, Woodburn Accountants & Advisors does not accept responsibility for any losses arising from reliance on the information provided within. The information provided is for general guidance and does not replace specialized advice.