On 31 August 2022, the Cyberspace Administration of China (“CAC”) published the Guidelines on the Application of Security Assessment of Cross-border Transfer of Data (“Guidelines”) to clarify how organisations in China can apply to CAC for a security assessment for cross-order data transfer, a requirement stipulated under the Measures for Security Assessment of Cross-border Transfer of Data (“Measures”) which became effective on 1 September 2022.
The Guidelines provide clarity on when such security assessment is applicable, and how data processors in China can apply to CAC for a security assessment for cross-border data transfer.
The CAC security assessment is a requirement under the Personal Information Protection Law, the Data Security Law and the Cybersecurity Law in China. Please see our previous articles Important Updates On Cross-border Data Transfer In China and Proposed security assessment mechanism for transferring data outside of China for details. A data processor is required to apply to CAC for a security assessment for cross-border data transfer if the proposed data transfer meets any of the thresholds specified under the Measures1.
The Guidelines clarify that the following circumstances constitute cross-border data transfer:
- A data processor transfers data collected and generated in China to an overseas jurisdiction;
- remote access to, retrieval, downloading or export of data stored in China by an overseas institution, organisation or individual; and
- other cross-border data transfers as may be specified by CAC from time to time
The Guidelines also set out five key steps in the security assessment application process.
- Step1: Submission of application documents to the provincial-level cyberspace administration at the place where the data processor is located.
- Step 2: The provincial-level cyberspace administration shall check the completeness of the application materials within 5 working days upon receipt of application. Incomplete applications would be rejected.
- Step 3: CAC shall decide whether to process the application and notify the data processor in writing of its decision within 7 working days after receiving the application materials forwarded by the provincial-level cyberspace administration.
- Step 4: The data processor may be notified to supplement or correct its application materials within a prescribed time limit, failing which the application will be terminated. Time extension may be allowed in complicated cases.
- Step 5: After the security assessment is completed, the data processor will receive a notification of the assessment results. The data processor may submit is appeal to the CAC within 15 working days after receiving the assessment results for a re-assessment, and the re-assessment result is final.
Finally, the Guidelines also set out a list of application documents, including templates for (1) an authorisation letter; (2) an application form for cross-border data transfer security assessment; and (3) a self-assessment report for cross-border data transfer.
In particular, the self-assessment report shall contain the following details:
- a brief description of the self-assessment, including the start date and end date, descriptions on the assessment design and its implementation processes and methods;
- an overview of the cross-border transfer activities, including detailed descriptions of the agreed legal documents and information on the data processor, the business and information systems involved in the cross-border data transfer, the data to be exported, the capability of the data transferor and the data recipient to ensure security of the data transferred;
- a risk assessment on any contemplated cross-border transfer activities, which shall be conducted in accordance with Article 5 of the Measures and focus on the issues and potential risks discovered during the assessment, the corresponding rectification measures and results; and
- a conclusion for the self-assessment based on the risk assessment conducted and the corresponding rectification actions.
Depending on the complexity of the proposed cross-border data transfer, preparing the self-assessment report requires data privacy expertise and could be a time-consuming process. Data processors in China which are subject to the CAC security assessment may require professional assistance in this process.
For further information, please contact:
Nanda Lau, Herbert Smith Freehills
1 Data processors must file a security assessment for cross-border data transfer with CAC through the provincial cyberspace administration where the data processer is located if:
i. important data will be transferred;
ii. personal information will be transferred by critical information infrastructure operators or data processors processing personal information of over 1,000,000 individuals in China;
iii. personal information will be transferred by data processors who have either accumulatively transferred (i) personal information of more than 100,000 individuals; or (ii) sensitive personal information of more than 10,000 individuals outside of China since 1 January of the previous year; or
iv. other situations set out by CAC that require a filing under the security assessment regime.