For almost a decade, China has been developing its cybersecurity and data governance infrastructure by establishing a cohesive framework for managing cybersecurity, data security, and data protection. The Cybersecurity Law (CSL) went into effect in 2017, followed by the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) in 2021. Together, these three pillars complete China’s new data security architecture.
Three days before the PIPL took effect, the Cyberspace Administration of China (CAC) published the “Draft Measures on Security Assessment of Cross-Border Data Transfer” (Draft Measures) for public comment. These Draft Measures designate the scope, procedure and required documents, and the focus and validity period of the security assessment required for transferring personal information and “important data” out of China. This is the CAC’s third legislative attempt to build a cross-border data transfer mechanism in China, as the Draft Measures expand upon the cross-border data transfer requirements found in the CSL, DSL, and PIPL.
In this blog, we’ll take a closer look at the Draft Measures proposed by the CAC and how these requirements relate to those in the CSL, DSL, and PIPL.
Background of the Draft Measures
It is common practice in China for certain laws to be published with broad points, and then practical details are released in separate measures by the government to supplement the current legislation. Although China attempted to do this with the CSL in 2017 and 2019, both efforts failed to be approved or finalized.
The First Draft Measures (on Security Assessments for Outbound Data Transfer of Personal Information and Important Data)
When the CSL was approved in November 2016, there was confusion around Article 37, which requires a security assessment for any outbound data transfers by critical information infrastructure (CII) operators that collect or share personal information or important data. Information regarding these assessments and the definitions for CII, personal information, and important data were not included in the CSL. In April 2017, two months before the CSL took effect, the CAC released its first draft measures on security assessments for the outbound data transfers of personal information and important data. While the measures clarified the missing information, it also expanded the scope of CII operators to include “all network operators,” which is a separate concept under the CSL. This version was never finalized or put into effect.
The Second Draft Measures (on Security Assessments of Cross-Border Transfer of Personal Information)
In June 2019, the CAC released its second draft measures. This version only addressed personal information, failing to acknowledge important data. This omission established that the CAC would treat important data and personal information as separate categories and subject to different requirements. Therefore, the second draft measures only focused on the cross-border transfer of personal information collected within China. Again, these draft measures failed to be passed.
The Third Draft Measures (on Outbound Data Transfer and Security Assessment)
The most recent Draft Measures were released at the end of October 2021, which coincided with the effective date of the PIPL. This version of the Draft Measures provides insights into how the CAC will conduct security assessments, how they will review cross-border data transfers, and the types of contractual provisions that are necessary in contracts that contain cross-border data transfers. If approved, these Draft Measures will set the foundation for the future of national standards regarding cross-border data transfers.
Highlights of the Third Draft Measures
The CSL, DSL, and PIPL all require that a security assessment be performed by the CAC and relevant departments before data can be transferred overseas. However, no further details on the assessment are provided in these laws. The Draft Measures were released to provide additional guidance on the security assessment requirements under all three laws.
Under the Draft Measures, there are two types of data handlers that must always apply for a security assessment when transferring important data or personal information overseas:
- Critical information infrastructure operators (CIIOs)
- Personal information handlers that have processed personal information of more than 1 million individuals
Security assessments will be required for all data handlers when transferring the following types of data overseas:
- Important data
- Personal information of more than 100,000 individuals
- Sensitive personal information of more than 10,000 individuals
Both the PIPL and DSL regulate data handlers, and the reference to CII operators and important data incorporates the requirements from the CSL. However, important data is still undefined within the Draft Measures, which could leave it open to interpretation for the CAC to determine case-by-case whether the data in a cross-border transfer is important or not.
The three laws also define CII as “important industries and fields” and consider loss of function or data leakage within these entities to be a risk to national security and public interest. Although not specifically detailed, the industries and fields that China may consider CII include:
- Public Services
- National Defense
- Water Conservancy
- Science and Technology
- Public Communication and Information Services
The main cross-border data transfer requirement imposed by the Draft Measures is the security assessment (the Draft Measures do not prescribe a set of standard contractual clauses the must be entered into by the security review applicant). However, before an entity can apply to the CAC for a security assessment, a self-assessment analyzing the risks of any potential cross-border data transfers must first be conducted.
The risk self-assessment must focus on the following key points:
- The lawfulness, legitimacy, necessity, purpose, scope, and method of the cross-border data transfer.
- The quantity, scope, type, and sensitivity of the data transferred abroad; and the risks the cross-border transfer poses to national security, public interests, and the legitimate rights and interests of individuals or organizations.
- Whether there are proper safeguards in place (technology, capabilities, management processes) to mitigate data leakage, damage, and risks during the cross-border data transfer.
- The responsibilities and obligations that the receiving overseas party must undertake to receive such data, and whether there are processes in place to enforce such obligations.
- The data leakage, damage, tampering, abuse, and other risks after cross-border transfer and re-transfer, and whether individuals will be able to exercise their rights and interests.
- Whether the relevant contracts on cross-border data transfers fully specify the responsibilities and obligations for data security protection.
In order to have a security assessment completed, entities must submit their self-assessment, a written application, a copy of the contract between the data handler and the overseas recipient, and any other materials required for a full review as determined by the CAC. The data transfer agreement between the data handler and data recipient would need to include:
- The purpose, method, scope, retention period, or types of data being transferred.
- The location where data will be stored outside of China and the data retention period (and the measures to be adopted after the storage period has ended or the contract term expires).
- Restrictions on the transfer of data to other entities or individuals.
- Security measures to be adopted when control over the data being transferred changes or relevant foreign laws or regulations change.
- Liability for breach and security violations, and binding and enforceable dispute resolution clauses.
- Emergency response plans to protect individual rights and interests in the event of a data leak or other breach.
Within seven days of submitting these documents, the CAC will either deny the assessment request or issue a written notice that a security assessment will be conducted.
After accepting the application, the CAC will organize the relevant departments of the State Council, provincial cyberspace administrations, and specialized agencies to conduct the security assessment. The security assessment will then be completed by the CAC within 45 to 60 business days of receiving the written notice.
Once the security assessment is completed, the results will be valid for two years, absent of any changes to the purpose, method, scope, recipient, or other changes to the recipient countries laws affecting the security of the data. After two years, the data handler will need to resubmit the security assessment 60 days prior to its expiration, otherwise all data export activities will be out of compliance.
Comparison of Penalties
Non-compliance with the CSL, DSL, and PIPL all subject companies to significant fines, which depend on the violation and its severity. Since the Draft Measures are designed to supplement the current legislations, they do not contain their own penalties for violations and do not currently impose any additional penalties for the three existing laws. Below, we take a closer look at the various penalties imposed by the CSL, DSL, and PIPL and how they compare.
Cybersecurity Law (CSL)
Violations by CIIOs for storing or providing network data outside of China:
Data Security Law (DSL)
Violations where important data is transferred across borders:
If violations are grave:
|Personal Information Protection Law (PIPL)||
Violations in the processing of personal information, or where personal information is processed without fulling the proper obligations:
If corrections are refused:
If violations are grave:
|The Draft Measures||
Perhaps the third time’s the charm for the CAC’s cross-border data transfer mechanism. Although there are likely to be revisions to these draft measures, the initial comment period ended at the end of November 2021, and there is currently no published timeline on when the measures will be finalized or if they will be approved. Given that both the DSL and PIPL went into effect only a few months after their passing, it’s important for organizations to be prepared for the time and resources needed to implement the requirements of the Draft Measures if approved. While understanding and complying with the various requirements of the CSL, DSL, and PIPL can be challenging, the Draft Measures should provide a clear, streamlined way to securely manage cross-border data transfers in the future.
Want more insights into the latest privacy news?
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.