The Cyberspace Administration of China (“CAC“) released on 7 July 2022 the Measures of Security Assessment for Data Export (“Measures“). The new Measures provide much needed clarity with respect to the general requirement to perform a security assessment prior to cross-border transfers of personal data set forth in Article 38 of the Personal Information Protection Law of the People’s Republic of China (“PIPL“).

The Measures apply to exports of personal data outside of China, only in following circumstances:

• The export of any important data, which is broadly defined as data that may endanger national security, economic operation, social stability, public health, and safety once it is tampered with, destroyed, leaked, or illegally obtained or used.
• The export of personal information by a Critical Information Infrastructure (“CII“), such as public communication and information service, energy, transportation, water resources, finance, public services, e-government affairs, science, technology, and industry for national defense.
• Any export of personal information conducted by a data processor that processed personal information of one million individuals or more during its operations.
• Any export of personal information conducted by a data processor that since January 1 of the previous year cumulatively exported personal information of more than 100,000 individuals or the sensitive personal information of more than 10,000 individuals.
• Other circumstances that may be later designated by the CAC.

For exports that fall within the Measures’ scope, data processors are required to conduct the following procedure before the exportation of personal data:

1. Self-assessment. The self-assessment shall focus on (i) the purpose, scope, and methods of the data export; (ii) the sensitivity of the exported data and the risks it imposes on national interest and individuals’ rights; (iii) the duties and obligations committed to by the foreign recipient; (iv) the risks of a data breach during and after the export; (v) the legally agreed responsibilities and obligations for the data security protection concluded by the parties (“Legal Instruments“), and; (vi) other matters that may affect the security of the data export.
2. Applying for government security assessment. The data processor shall submit to the provincial CAC (i) an application letter; (ii) the self-assessment report; (iii) Legal Instruments, and (iv) any other materials required by the CAC. The CAC shall have a total period of 57 working days to review the application, with a possible extended reasonable period. The CAC review shall focus on similar factors to the self-assessment. Once a determination is achieved and sent, the data processor shall have 15 working days to apply for re-assessment.
3. Security assessment renewal. The data processor shall re-submit the government security assessment every two years, and in any circumstances change.

The Measures will come into effect on 1 September 2022, with an additional grace period of six months to rectify data exports that occurred prior to the effective date.

As time is short, we recommend our clients to promptly review the Measures’ applicability to their activities and implement all applicable requirements, as needed.

Please feel free to contact us if you have any questions regarding the new Measures and their potential effects on your company’s data protection compliance efforts.

Kind regards,

Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation