All Things Newz
Law \ Legal

China Requests Data Exporters To Undergo Security Assessment, Effective On 1 September 2022 – Data Protection


The Cyberspace Administration of China (the
CAC“) released the Measures for
Security Assessment of Data Export on 7 July 2022 (the
Measures 2022“), which will come into
effect on 1 September 2022.

EVOLUTION

The regime, with regards to data exports, is ever-evolving in
China. Since 2017, the CAC has consecutively released ‘The
Measures for Security Assessment of Transferring Personal
Information and Critical Data Overseas (Draft)’ (the
Measures 2017“), ‘the Measures for
Security Assessment of Transferring Personal Information Overseas
(Draft)’ (the “Measures 2019“) and
‘the Measures for Security Assessment of Data Export
(Draft)’ (the “Measures 2021“). Now
the Measures 2022 is to be enacted. In this latest article, we
introduce the highlights of the Measures 2022, with some
comparisons to the Measures 2017, the Measures 2019, and the
Measures 2021.

HIGHLIGHTS OF THE MEASURES 2022

Clarifying the definition of data export

The Measures 2022 is the first instance in which the CAC has
clarified the scope of data export, including:

  1. whether a data handler exports or stores the data it collected
    and created from its operation within China; and

  2. whether a data handler stores the data it collected and created
    within China but foreign institutions, organisations or individuals
    have access to or are able to use such data.

Unifying the regulations on personal information and critical
data

As we mentioned above, the CAC was vacillating on the issue of
whether to regulate the export of personal information and critical
data separately or collectively.

In the Measures 2022, the CAC finally confirms that the export
of critical data and personal information should be regulated
together since they share similar procedural rules. As a result, it
is enacted according to both the Data Security Law (the
DSL“) and the Personal Information
Protection Law (the “PIPL“), and
supplements them with substantive and procedural rules in terms of
the security assessment.

Despite the conceptual overlap between personal information and
critical data, the CAC still discriminates the legal interests
between them. That is, Article 1 of the Measures 2022 stipulates
that this regulation is to protect personal information rights and
interests, which echoes the PIPL; and to protect national security,
and social and public interests, which responds to the critical
data protection under the DSL. (Read our insight on China’s new DSL).

Specifying the thresholds of conducting the security
assessment

In the Measures 2017, the triggers for conducting the security
assessment included “exporting personal information of 500,000
data subjects” and “data volume exceeding 1,000 GB”;
whilst the Measures 2019 solely stipulate that, any network
operator exporting personal information shall undergo the security
assessment. However, the Measures 2021 and 2022 revised the
triggers and gave up the threshold of data volume, focusing on the
amount of subjects’ personal information and the data’s
criticality, which echoes the subject matter of the PIPL and the
DSL.

Therefore, in the final version, the Measures 2022 stipulate
four circumstances that a data handler shall apply to the national
CAC for the security assessment via the provincial CAC in Article
4, if it:

  1. exports critical data;

  2. is a Critical Information Infrastructure Operator (CIIO);

  3. handles personal information of more than 1,000,000 data
    subjects;

  4. since 1 January of the previous year:

    1. has provided personal information of 100,000 data subjects in
      aggregate; or

    2. has provided sensitive personal information of 10,000 data
      subjects in aggregate; or


  5. falls into other circumstances as stipulated by the national
    CAC.

Providing substantive and procedures of applying for
assessments in detail

The Measures 2022 requests the data handler, who reaches the
above thresholds, to carry out a self-assessment at first of the
data it intends to export. The issues to be dealt with in the
self-assessment include, to name but a few, (a) the legality and
necessity of purpose, scope, and approach of data export, (b) the
risks to national security and individuals’ interests, (c)
whether the overseas recipient is capable of performing its legal
obligations such as protecting the data being exported, (d) whether
the data exporter and the recipient have entered into any legally
binding documents (the “Legal Document“)
to stipulate the obligations of data protection.

The Measures 2022 clarify that the Legal Document includes a
contract or other documents executed with the overseas recipient.
We have discussed in another article about the standard contractual
clauses (the “SCC“) that the CAC has
released on 30 June 2022 for seeking comments. (See our ‘Briefing on the new draft legislation on
exporting data out of China’
).

Although the Measures 2022 do not expressly state that the
parties shall use the SCC as a template for the contract of
exporting data, we believe the SCC could be regarded as a reliable
reference to consider as the SCC reflects, at least, the rationale
of the CAC in terms of regulating data exports.

After the self-assessment is completed, the report of
self-assessment and the Legal Documents will be integrated into the
set of submission documentation for security assessment, with the
rest being an application form and other materials as required by
the CAC.

The submission of the security assessment will be firstly
checked by the provincial CAC to make sure no document is missed
and then submitted to the national CAC. The national CAC will
decide whether to accept the application and notify the applicant
within five working days. If accepted, the national CAC shall
complete the security assessment within 45 working days upon
notice. The security assessment is valid for two years from the
date of issuing the assessment result to the applicant.

It is worthwhile to note that should there be any change in the
purpose, approach, scope, etc., or any change in the legal
environment of the recipient’s jurisdiction, the data handler
shall re-apply for the security assessment.

Granting a grace period of six months

The Measures 2022 provide a six-month grace period from the
effective date, which will end on 28 February 2023.

PRACTICAL TIPS

Despite the grace period as abovementioned, we notice that the
administrative procedure is quite time-consuming, failure of which
will result in a potential interruption to business. On the one
hand, it will take 57 working days from submission to completion,
which is equivalent to approximately three months and data handlers
may miss the deadline of the grace period, not to mention the time
spent on the preparation of submission documentation; on the other
hand, the CAC can further extend the period of completing the
review of submission where applicable at its own discretion. It is
advisable to prepare as soon as possible and consider the following
items:

  • reviewing the data to be exported, especially the scope, types,
    sensitivity and purpose of export;

  • evaluating the legal pathway to export data, for example,
    whether to proceed with security assessment or to sign the standard
    contractual clauses with the recipient;

  • conducting the self-assessment as it is the pre-condition of
    each pathway to export personal information; and

  • negotiating with the overseas recipient of the Legal Documents
    and engaging qualified legal counsel to prepare the documents.

Read the original article on GowlingWLG.com

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.



Source link

Related posts

The Canadian Government Undertakes A Second Effort At Comprehensive Reform To Federal Privacy Law – Privacy Protection

Horace Hayward

Upcoming changes to the Fair Trading Act – Contracts and Commercial Law

Horace Hayward

Bringing psychologists & other allied health practitioners into your medical practice – Contracts and Commercial Law

Horace Hayward