Completing Your China Data Export Security Assessment: CAC guidance released!
China’s cyber regulator – the Cyberspace Administration of China (CAC) – released the Application Guidelines on the Data Export Security Assessment (Guidelines) on 31 August 2022, a matter of hours before the Data Export Security Assessment Measures (Measures) took effect today.
Under the Measures, before certain types or volumes of data can be exported from mainland China, or where exports are conducted by certain significant organisations, a CAC-led security assessment must be completed. The Guidelines set out the required application materials, template forms to be filled out, and various explanatory notes for conducting a self-assessment and completing the submission to the CAC for its assessment.
To aid the understanding of domestic and international businesses scrambling to prepare for the mandatory security assessment, we set out below our initial observations on the Guidelines, together with answers to ten frequently asked questions.
You can also click here to view a diagrammatic flow chart of the application process that we have previously prepared.
Q1. What constitutes a cross-border data transfer?
In line with the CAC earlier press statements on the Measures, the Guidelines clarify that a cross-border data transfer includes situations where:
- Data processors transfer or store outside of mainland China data collected and generated in during mainland China operations – however, it remains to be clarified whether an offshore data processor that is subject to the extraterritorial application of the PRC Personal Information Protection Law will be caught if it stores data in the jurisdiction where it is ordinarily registered/operates.
- Data collected and generated by data processors is stored in the mainland China but can be consulted, accessed, downloaded, exported by an institution, organisation or individual overseas – in short, remote access via shared drives or other tools also constitutes a cross-border data transfer.
- CAC subsequently prescribes additional scenarios are in-scope.
Q2. How can a data processor submit a security assessment application? Must it be submitted online or offline?
Applicants must submit to the relevant provincial branch of the CAC both hard copies of the application materials and electronic versions recorded on a disk.
We also learnt from market sources that an online submission system (https://sjcj.cac.gov.cn) is currently under construction and is expected to be launched soon. However, it is yet to be clarified whether materials to be submitted via the online system will suffice, or this will be in addition to the electronic versions recorded on a disk.
Q3. Can an applicant appoint an external firm to help with the submission and assessment?
No, in terms of the application submission. The application can either be submitted by the legal representative of the applicant, or an authorised person within the organisation supported with a power of attorney.
Yes, in respect of the self-assessment process. Applicants can appoint external firms to assist in undertaking the self-assessment, and specify in their self-assessment reports how the advisors/consultancies have contributed to the self-assessment.
Q4. What are the required application materials? Would one application suffice, or are multiple applications necessary for a data processor that conducts multiple export activities?
Application materials include:
- A data export security assessment application form.
- The data export-related agreement to be entered into with the offshore recipient(s) or other legally binding documents.
- A data export risk self-assessment report.
- The official registration certificate of the data processor.
- A power of attorney and ID document of the authorised employee, if the applicant appoints one of its employees to submit the application.
- ID documents of the legal representative of the applicant.
- A letter of commitment from the applicant.
- Any supporting documents of the applicant.
The practical issue of how multifaceted businesses complete their submissions is still unclear in respect of whether one submission can cover transfers by one China-based entity to several, distinct offshore recipients of the same data; or whether one submission for each sender-recipient pairing is possible across multiple transfer purposes / products. The basic set-up of the submission materials leans towards the latter approach, but it is not explained explicitly in the explanatory notes.
Q5. Are there any language requirements for application materials?
The Guidelines specify that data transfer agreements or other legally binding documents and other supporting documents must be submitted in, or translated into Chinese. Since the CAC has released the Chinese templates for other types of application materials, it is also reasonable to assume that all these application materials must be submitted in Chinese or translated into Chinese for CAC’s review purposes.
One open question arises where parties agree in their data transfer agreement that the English or other foreign language version of the agreement will prevail, and there is a discrepancy relevant to the outcome of the security assessment. While we would assume that the principle of party autonomy would continue as a matter of contract, the CAC officials will in practice prefer to refer to the Chinese version and so well-vetted translations will be important for applicants which tend otherwise to contract in a foreign language.
Q6. What information is required when completing the security assessment application form?
Data processors will need to enter the following information in the application form:
- Basic information of the applicant, the legal representative, and the authorised person who help submit this form.
- Descriptions of the envisaged data export, e.g., related business, purposes, means, chains. “Data export chains” appears to be a new element introduced into the submission form. An applicant will need to describe its “chains providers, numbers and bandwidth, the name of its data centre, the physical location of its computer room, and the IP address.” Data processors might have concerns about the requested granularity of these types of information, in particular, whether disclosing the IP address and other technical details of the data centre and network infrastructure would potentially increase security risks at a time when cybercrime is already increasing.
- Details of data and data subjects involved.
- Details of offshore data recipient(s), and the relevant data security-related person-in-charge and department. The current form only allows the information of one data recipient to be entered. As it is common to see the same data transferred to multiple offshore data recipients (for example on an intra-group basis or to regular consortium partners), query, in practice, whether data processors will be able to rely on one form for multi recipients.
- Legally binding documents, highlighting the terms that are required under the Measures.
- Compliance of the data processor.
Legal, business, operations, IT and other departments within an organisation will need to coordinate efforts to facilitate a smooth submission.
Q7. Are there any specifical requirements for the legally binding documents?
A data transfer agreement or other legally binding documents will need to include certain mandatory terms as required under the Measures. In preparing such terms, following the principles of the certification specification or the Chinese standard contract is likely a must.
The Guidelines do not mention that redaction of some agreement terms is possible. Businesses may like to formulate standalone bilingual agreements for PRC-to-non-PRC transfers rather than submit the entirety of their intra-group agreements or broader agreements entered into with external counterparties, which may also include sensitive commercial terms that are not related to the transfer of data.
Q8. Is there an official template form for the self-assessment report?
Although the application form is similar to that we saw from a previous pilot scheme, the Guidelines do not provide a template form for the self-assessment report for applicants to fill in. The template report in attachment 4 of the Guidelines is more akin to an outline, so applicants must consider the level of detail that they are comfortable to include. The content of the self-assessment report will no doubt need discussion and buy-in from internal stakeholders before submission.
Q9. What must be included in the self-assessment report?
The abovementioned template details aspects to be assessed when conducting a self-assessment, among which, data security appears to be one of the key focuses. The report should address the capabilities of both the data processor and the recipient to ensure data security. Data security certifications, compliance audits, multi-level protection scheme reports can also be used to support the self-assessment.
As mentioned in the response to Question 6, data recipients will also need to understand their data security reporting lines and specify the relevant data security person in-charge and management body when assisting the data processor to submit the application form. However, in practice, individuals overseas may not be comfortable being named and their contact details provided to a national security-focused database. Similarly, private equity, funds and other financial sponsors may be reluctant to disclosure details on shareholder structures and actual controllers.
In addition, a self-assessment report will need to outline the data security and protection-related laws and practices of the jurisdictions where a data recipient is located. To formulate a long-term compliance system, one practical tip for multinational organisations may be to prepare and maintain overviews of the data protection and cyber regimes in jurisdictions to which data is commonly transferred.
Q10. How can a data processor calculate risk levels to draw a conclusion for its self-assessment?
The Guidelines does not mention or set out an alternative to the method of calculating risk levels, which was principally set out in appendix B (with a decision reference table) of the 2017 draft guidelines on this topic. It is a bit surprising to some observers that this key element of the self-assessment is omitted. When compiling their self-assessment reports, some businesses may query the value of continuing to refer to 2017 guidelines after 5 years of legislative development.
While the Guidelines offer multinational businesses that have been tracking the evolution of PRC security assessments a certain level of consistency with previously released regulations and pilot documentation, there are still apparent gaps in the guidance. On receipt of initial market feedback, it would be helpful if the CAC could issue a supplement to the Guidelines, as it already seems to anticipate by explicitly naming today’s version only the “first edition”.