China releases new measures for security assessments on cross-border data transfers

China

On 29 October 2021, the Cyberspace Administration of China (“CAC”) released for public comment the “Draft Measures on Security Assessment of Cross-border Data Transfer” (“Draft Measures”); the public comment period runs until 28 November 2021. The Draft Measures consolidate and elaborate on the cross-border data transfer requirements of the Data Security Law and the Personal Information Protection Law. The major points of the Draft Measures are set out below.

  1. Security Assessment requirement

A data processor must apply for and undergo a Security Assessment (“SA”) before a cross-border transfer in any of the following circumstances:

  • it transfers Important Data off-shore;
  • it processes Personal Information of more than one million data subjects and transfers any Personal Information off-shore;
  • it transfers abroad, on a cumulative basis, Personal Information of more than 100,000 data subjects or Sensitive Personal Information of more than 10,000 data subjects; or
  • the CAC otherwise deems a Security Assessment to be necessary.

Compared with the Cybersecurity Law, under which only Critical Information Infrastructure Operators are required to undergo the SA, the Draft Measures, if implemented, would significantly expand the range of data processors subject to the SA.

  2. Self-assessment requirement

Before undertaking any of the restricted cross-border data transfers listed above, the data processor must conduct a self-assessment covering the following:

  • the legality, justifiability and necessity of the purpose, scope and methods of the transfer;
  • the amount, scope, type and sensitivity of the data to be transferred;
  • the risks arising from the transfer and concerning national security, public interest and legal interests of individuals or entities;
  • whether the management and technical measures to be adopted during the transfer are able to prevent the data from leakage and damage;
  • whether the responsibilities undertaken by the offshore data recipients, and management and technical measures adopted for performing such responsibilities, are able to ensure the security of the data transferred;
  • the risks of leakage, damage, loss, falsification and abuse after the transfer;
  • whether there are convenient and workable channels for data subjects to exercise their Personal Information protection rights; and
  • whether the transferor’s and the recipient’s respective data protection responsibilities and obligations have been sufficiently provided for in an offshore data transfer agreement.

  3. Procedure

  • The self-assessment must be completed in advance whenever an enterprise suspects that its data processing activities would be subject to the SA. The self-assessment report is also required once the CAC determines that the enterprise must undergo the SA for a particular cross-border transfer. Enterprises should therefore perform the self-assessment first, so that they can respond to CAC supervision and inspection.
  • After receiving an application, the CAC will notify the enterprise within seven days whether the application has been accepted. For accepted applications, the CAC will complete the SA within 45 working days, extendable to 60 days where the case is complex or supplementary documents are required.
  • An approval is valid for two years. If specified aspects of the applicant’s data transfer activities change, a new SA must be applied for and completed.

For more details, contact your CMS client partner or local CMS experts: