On 7 July 2022, the Cyberspace Administration of China released the Measures for the Security Assessment of Cross-border Data Transfer (hereinafter referred to as the Measures). The Measures, which represent another approach to the management of cross-border transfer of data, will come into force from 1 September 2022; a six-month transition period will be given to data processors and operators for adjustment.

Building on the overarching legal framework of the Cybersecurity Law (2016), the Data Security Law (2021) and the Personal Information Protection Law (2021), the Measures play a supporting role in managing cross-border data transfer. Apart from the Measures, governmental authorities also released the Certification Requirements for Cross-border Transmission of Personal Information and the Provisions on Standard Contracts for Cross-border Transfers of Personal Information (draft for comments) to improve the efficiency and ensure the protection of cross-border data transfers. The main difference among the three documents lies in their objectives and applicability. Specifically, the objectives of the Measures mainly relate to national security and public interest. In terms of applicability, all data processors and operators that fall under the scope of the Measures must apply for a security assessment before transferring data overseas, whereas for transfer activities outside the scope of the Measures the security assessment is not mandatory: data processors or operators can choose either the certification process or the adoption of standard contract clauses, based on their needs and requirements.

The following is a summary of key points that foreign enterprises should pay attention to:

  • Definition of cross-border data transfer activities. Cross-border data transfer activities stipulated in the Measures refer to (i) cross-border transfer or storage of data generated or collected by data processors within the territory of China; and (ii) access to that data by overseas institutions, organizations or individuals. Hence, the physical storage of data on overseas servers is not an exclusive prerequisite for the applicability of the Measures: as long as foreign institutions, organizations or individuals have access to data generated and collected within the territory of China, the activities involved will fall under the scope of the Measures. However, it is not clarified whether the Measures also apply to the activities of foreign actors that are subject to Article 3 of the Personal Information Protection Law.
  • Application scenarios. The Measures apply to four types of cross-border data transfer activities: (i) cross-border transfer of key data; (ii) cross-border transfer of personal information by CIIOs or personal information processors which deal with the personal information of more than one million individuals; (iii) cross-border transfer of personal information cumulatively exceeding the threshold of 100,000 individuals, or sensitive personal information of more than 10,000 individuals, since January 1 of the previous year; (iv) other types of cross-border data transfer activities deemed necessary by the national cybersecurity authorities. In short, the Measures only apply to cross-border transfer activities when the data itself is key, or when the personal information processor is sizable enough that it may pose a threat to the national or public interest. To date, the detailed lists for identifying key data in different sectors have not yet been finalized and disclosed.
  • Security assessment. The security assessment is mainly aimed at assessing: (i) the legality, legitimacy and necessity of the purpose, scope and method of cross-border data transfer; (ii) the impact that the data security protection policies, regulations and network security of the country or region where the overseas recipient is located have on the security of the data transferred, and whether the data protection level of the overseas recipient meets the requirements of China’s laws and administrative regulations and mandatory national standards; (iii) the scale, scope, type and sensitivity of the data transferred, as well as the risks of data tampering, destruction, leakage, loss, transfer or illegal acquisition and use during and after the transfer process; (iv) whether data security and personal information rights and interests can be fully and effectively protected; (v) whether the legal documents drawn up by the data processor and the overseas recipient fully stipulate the responsibilities and obligations of data security protection; (vi) compliance with Chinese laws, administrative regulations and departmental rules; (vii) other items deemed necessary by national cybersecurity authorities. All in all, the Measures require that data transferred abroad be protected to the same level as within China, in a bid to guarantee national security and public interest through extraterritorial reach.
  • Application process. Before applying for a security assessment, data processors are required to carry out a self-assessment of the risks of the transfer activities. After receiving the application from data processors, provincial-level cybersecurity authorities will forward the application to national-level cybersecurity authorities, which will decide whether to accept the application within seven days. Once accepted, the assessment will take 45 workdays, or longer in light of specific circumstances. Only data processors which pass the security assessment will be allowed to transfer data overseas. Under normal circumstances, the assessment shall be renewed every two years; nevertheless, if any of the circumstances specifically stipulated in the Measures that may pose a threat to the data transferred arise within the validity period, the data processor shall re-apply for the assessment.

In a nutshell, the Measures target specific types of activities with the aim of safeguarding national security and public interests. Any activities or data processors/operators falling under the scope of the Measures will have to pass the security assessment by national authorities before initiating cross-border data transfer activities. The application process and assessment details are set out in the Measures. Considering that the transition period granted by the Measures is only six months from September 2022, all relevant actors are advised to make the corresponding adjustments in accordance with the requirements and apply for the assessment as soon as possible.