Outbound Data Transfer Security Assessment Measures effective 1st September 2022
- Cinalex
- Sep 29, 2022
- 3 min read
China’s “Outbound Data Transfer Security Assessment Measures, 数据出境安全评估办法, below “the Measures”), made up of twenty articles, came into effect on 1st September 2022.
For any activities that are carried out prior to 1st September and are non-compliant with the Measures, a grace period of six months from said date is granted for any necessary rectification to the activities already carried out (Article 18 of the Measures).
The purpose of the Measures is to regulate outbound data transfer activities, protect personal information rights and interests, safeguard national security and the social public interest, and to promote the secure and free cross-border data flow. The Measures were formulated on the basis of the “Cybersecurity Law of the People’s Republic of China”, the “Data Security Law of the People’s Republic of China,” the “Personal Information Protection Law of the People’s Republic of China” and other relevant laws and regulations (Article 1 of the Measures).
The scope of application of the Measures is clarified by Article 4, which states that that data processors providing data abroad shall apply for a outbound data transfer security assessment with the national cybersecurity and informatisation departments of the Cyberspace Administration of China (CAC, 国家网信部门) i) whenever data processors provide important data abroad; ii) whenever Critical Information Infrastructure Operators and data processors handle the personal information of over 1 million people and provide this personal data abroad; iii) whenever data processors provide the personal data of more than 100,000 people or the sensitive personal information of more than 10,000 people abroad since 1 January of the previous year; iv) any other circumstances where the State cybersecurity department of the Cyberspace Administration of China provides a data export security assessment.
The analysis conducted by the Cyberspace Administration of China focuses on the risks that data transfer may affect national security, public interests, legitimate rights and interests of individuals or institutions and this analysis primarily covers the following aspects: first, the legality, legitimacy and necessity of the transfer, and the purpose and method of the outbound data transfer; second, the impact of data protection policies and regulations and the network security conditions of the foreign receiving party, the guarantee or otherwise that the level of data protection of the foreign receiving party satisfies the requirements imposed by the laws and administrative regulations and mandatory national standards of the People’s Republic of China; third, the scale, scope, type and degree of sensitivity of the data transferred abroad and the risk of manipulation, destruction, loss, unlawful transfer or access or unlawful use of the data during and after the transfer; fourth, that the security of the data and the personal information rights and interests can be fully and effectively protected; fifth, whether the legal documents (法律文件) concluded between the data processor and the foreign receiving party duly stipulate data security protection responsibilities and duties.
If the outcome of the application is negative, data processors may object to the assessment outcome and apply for reconsideration of the decision from the Cyberspace Administration of China within 15 working days after being notified of the assessment outcome. The reconsideration outcome will be final.
The Measures, therefore, set out a uniform set of rules that allow the handling of outbound data transfers on a unified basis with the intent to reorganise the whole system and regulations.
For the sake of completeness, it should be noted that the “Standard Contract Provisions on the Export of Personal Information”( 个人信息出境标准合同规定 - 征求意见稿) were recently published, which apply in cases in which the transfer of personal information does not reach the required thresholds of the Measures.
Such additional document will provide a comprehensive, albeit provisional, overview of the methods and requirements for transferring personal information abroad.
Sources available at:
Comments