Update China Desk 07/2022 | Update Data Protection
China’s New Regulation on Outbound Data Transfer
China is accelerating its ambition to build data sovereignty and a digital moat, in particular by following in the EU’s footsteps with the GDPR and in awareness of the power of US digital tech giants. One essential cornerstone of this process is the regulation of data flows between China and other countries. On July 7, 2022, the “Outbound Data Transfer Security Assessment Measures” (“Security Measures”) were adopted by the Cyberspace Administration of China (“CAC”) and entered into effect on September 1, 2022. These latest regulatory efforts will further impact companies’ data-driven businesses.
Background
For companies doing business in or with China, the first significant legislative milestone was China’s Cyber Security Law (“CSL”) of 2016, which at that time caused much concern about increasing compliance costs for companies and ambiguous implementation in regulatory practice. Since then, the legislative process has gathered momentum, resulting in two further legal acts adopted in 2021: the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”). Together, these three legal acts form the essential basis of China’s legal framework for cyber security and data protection.
As mentioned above, one essential aspect of China’s cyber security and data protection framework is ensuring China’s “data sovereignty”. For this purpose, the CSL already introduced provisions which required “Critical Information Infrastructure Operators” (“CIIO”) to keep personal information and other (non-personal) key data within the territory of China. At the same time, however, the CSL also provided ways, subject to strict requirements, to transfer certain data outside of China, in particular by passing a security assessment by the CAC. Similar provisions are now also reflected in the DSL and the PIPL. The Security Measures, adopted by the CAC as part of its mandate to release implementing regulations, aim to clarify the requirements for such a security assessment of outbound data transfers under the CSL, the DSL and the PIPL.
Scope and Application of the Security Measures
The Security Measures are subject to a specific scope of application which depends on multiple requirements and thresholds, namely:
- Outbound transfer of “Important Data” (irrespective of whether the data processor qualifies as CIIO or regular data processor);
- Outbound transfer of “Personal Information” by a CIIO or by a data processor, which processes personal information of more than one million natural persons;
- Outbound transfer of “Personal Information” by data processors, which have aggregately since the beginning of the last fiscal year transferred “Personal Information” of more than 100 thousand natural persons or transferred “Sensitive Personal Information” of more than 10 thousand natural persons;
- Other circumstances under which security assessment of outbound data is required as prescribed by the CAC.
It is worth mentioning that the term “outbound transfer” is not defined in the Security Measures. However, based on feedback from the CAC, outbound transfers typically involve the transfer of data collected and stored in China to a recipient outside of China. A typical scenario is the processing of employees’ personal information by the Chinese subsidiary of a German multinational corporation and the transfer of such data to the headquarters in Germany. In addition, an outbound transfer under the Security Measures also covers remote access from outside Chinese territory to data collected and stored in China. Outbound transfers can therefore take place in a wide range of business scenarios.
The term “Important Data” is defined rather broadly in the Security Measures as “data which may endanger national security, economic operation, social stability, public health and safety in case of data distortion, destruction, leak or illegal gain and abuse”. It is not limited to Personal Information but also covers non-personal information. Due to this broad formulation, however, companies are likely to struggle to identify which data ultimately qualifies as “important” and therefore falls under the applicable laws and regulations, including the Security Measures.
“Critical Information Infrastructure Operators” is another term with specific Chinese characteristics. In the CSL, this term is defined by reference to “industries and fields, such as public communication and information service, energy, communications, water conservation, finance, public services and e-government affairs, which endanger national security, national economy and public interest in case of damage, function loss or data leakage”. Such a broad definition may cover, for example, not only the well-known social media platform WeChat but also the widely used taxi platform operator DiDi.
In addition to the quantity thresholds (i.e. one million or 100 thousand persons), a data processor needs to pay special attention to the so-called “Sensitive Personal Information” which, according to the PIPL, refers to personal data that, once leaked or used illegally, may easily infringe on the personal dignity of natural persons or endanger personal or property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts tracking and other data, as well as the personal data of minors under the age of 14.
Risk Assessment and Security Review Process
If an outbound transfer falls under the scope of the Security Measures, the respective data processor is only permitted to carry out such outbound transfer after passing the data security assessment by the CAC.
As part of the data security assessment, the data processor must provide the CAC with multiple documents, including a completed application form, a risk assessment report and any other documents required by the CAC. The risk assessment, as the essential piece of the review process, must be carried out by the data processor before filing the application and must cover a variety of aspects, such as the purpose, scope and method of the outbound data transfer; the quantity, scope, categories and degree of sensitivity of the data to be transferred; and any related risks that may arise for national security, the public interest and other individuals and organizations. The data processor also has to evaluate the protective commitments of the receiving party abroad and its management and technical capability to fulfill those commitments. For damage scenarios such as data leaks, distortion or abuse during and after the outbound data transfer, the data exporter has to check the availability and feasibility of remedies for the affected personal information. Taking this into consideration, the risk assessment should be carried out with due diligence.
After receiving the application with the required documentation, the CAC conducts the actual data security assessment, focusing on risk factors for national security, the public interest, and related individuals and organizations. In this context, besides the risk factors which the data processor has evaluated and documented as part of the risk assessment described above, the CAC will in particular scrutinize whether the country or region of the receiving party can provide a level of data protection essentially equivalent to the level granted under Chinese law.
As a result of the data security assessment process, the CAC may approve or reject the application, or require further documents and evidence. In case of approval, the governmental risk assessment is valid for a period of two years and must be renewed after this period expires.
Conclusion and Recommendation
With the adoption of the Security Measures, the Chinese authorities are building up a tight regulatory framework in order to enhance control over outbound data transfers. As a consequence, China may face the challenges of over-regulation, de facto inefficiency of implementation and excessive burdens on companies. Nevertheless, multinational corporations operating in China and abroad in particular will have to prepare to meet this round of regulatory challenges with suitable arrangements for cross-border data transfers.