Guidelines on Chinese Data Export Security Assessment

The first edition of the Application Guidelines on Data Export Security Assessment has been released.

08 September 2022

Publication

The first edition of the Application Guidelines on Data Export Security Assessment (Application Guidelines) was released by the Cyberspace Administration of China (CAC) near midnight of 31 August 2022 before the Data Export Security Assessment Measures (Export Measures) took effect on 1 September 2022. The Application Guidelines intend to provide actionable guidance to data processors that meet the mandatory data export security assessment thresholds under the Export Measures.

We set out below the key takeaways from our reading of the Application Guidelines together with the Export Measures and the Personal Information Protection Law (PIPL). Please also refer to our previous analysis of the Export Measures for more background information.

1. What activities constitute data export?

According to the Application Guidelines, there are essentially two scenarios that constitute data export, ie (i) cross-border transmission and storage of data collected or generated within mainland China; or (ii) search, access, download or export of data stored in mainland China by entities or individuals based outside of mainland China.

2. What if the data has been transferred out of mainland China before 1 Sep 2022?

The Export Measures provide that any cross-border transfers that are subject to the security assessment and occurred before 1 September 2022 must be rectified within six months of the Export Measures taking effect, ie by the end of February 2023.

3. Is local storage a must?

The PIPL requires operators of critical information infrastructure and data processors reaching certain volume thresholds to store their data within mainland China and only transfer such data out of mainland China after completing the security assessment. Though the Export Measures provide clear thresholds for the security assessment, this regulation does not explicitly clarify whether the same thresholds also apply to the local storage requirement.

That said, a predominant market view is that local storage shall be a pre-condition before applying for the security assessment. The Application Guidelines also require data processors to report their local storage facilities (ie the relevant system platforms and/or data centres).

Local storage may be a key challenge for many multinational companies that operate globally deployed information systems in which mainland China-generated information is stored directly overseas. It is worth noting that the PIPL requires local storage rather than local processing, which means personal information generated in mainland China may still be processed on globally deployed systems, but a copy of such data must be retained within mainland China. Considering that the Export Measures only grant a grace period of six months, and that setting up information infrastructure usually takes time, it is advisable for multinational companies to take action to implement local storage as soon as practically possible.

4. Who will review the application?

Data processors need to make applications via the provincial level cyberspace administrations (CAs). The provincial CAs conduct a formality review; once that is passed, the application is submitted to the CAC for substantive review. The Application Guidelines require all applications to be submitted offline in paper form, though online filing may become available in the future.

Upon completion of security assessment by the CAC, data processors will receive a written assessment result notice, which may include specific requirements for rectification. In other words, in addition to clean approval, the CAC may issue conditional approvals where data processors must satisfy certain conditions before conducting any data export activities.

5. What does the application package include?

In addition to certain corporate identification documents, the substantive documents in the application package are (i) an application form, (ii) a self-assessment report on data export risks and (iii) photocopies of the legal documents to be entered into with overseas recipients.

Application Form

For the application form, the data processors need to (i) describe the business operations, purposes, manners and routes of the data exports; (ii) categorise the data types, sensitivity of personal information, data volume and industry/area; (iii) provide information on the overseas recipients, eg names, contacts and business scopes; and (iv) set out the specific clauses in the legal documents with the data recipients that address issues such as the purposes and manners of the recipients’ processing, overseas storage, onward transfers, security measures and data incident response plans. In particular, with respect to data export routes, information on the service vendor, route volume, bandwidth, overseas data centre, physical location of servers and IP addresses needs to be provided.

The information required above means that data processors must conduct thorough data mapping and negotiate with their overseas data recipients within the six-month grace period that ends on 28 Feb 2023. For companies with multiple data export scenarios and a large number of overseas recipients, time is of the essence to become compliant. It is also a test of internal management over data processing. For example, some companies currently have no effective measures to track data flows or volumes, which may require fundamental technical redesign. Further, overseas recipients may be reluctant to provide detailed information on overseas data centres, the physical location of servers and IP addresses to the data processor or to Chinese regulators.

Self-assessment Report

The self-assessment report on data export risks must be completed within the three months immediately before the application is submitted, to ensure that the report reflects the current compliance status of the data processor.

In the report, the data processors need to elaborate in much more detail on the information provided in the application form. The key areas include the following:

  • basic corporate information, including the data processors’ shareholding charts and ultimate controlling person information; corporate governance structures; data security organisation information; overall business operations and data compliance status; and investments within and outside of mainland China;

  • information on the business and information systems in relation to data exports, including a description of the relevant business, data asset information, information systems involved, data centres (including cloud service), data export routes;

  • information on the data to be exported, such as the purposes, scopes, types, sensitivity, domestic and overseas storage and onward transfers after the intended exports;

  • data processors’ data security protection capabilities, including the data processors’ organisational and management policies, technical capabilities, professional certifications (if any) about data security protection; and

  • information on the overseas recipients, including basic information on the recipients, the purposes and manners of their processing, data security protection capabilities, and legal and regulatory environment of the countries or regions where the recipients reside.

Legal Documents

The legal document may be a contract or other legally binding document that obliges the relevant overseas recipient to apply adequate protection to the exported data. The CAC recently released a draft Standard Contract for Cross-border Transfer of Personal Information (China SCC); the legal document may refer to the China SCC to meet the CAC’s expectations. Regardless of the language of the legal document, a Chinese version or translation must be submitted. As existing contracts between data processors and their overseas recipients may cover sensitive commercial terms and may not meet all requirements under the Export Measures, it is advisable, where possible, to use a standalone data protection addendum as the legal document.

6. What is the outlook over the implementation of the Export Measures and the Application Guidelines?

As the data export rules were only recently adopted and are still developing, the regulator, data processors and external counsel are all in a trial-and-error stage. The CAC has published an inquiry hotline and email address to receive questions and comments. With all participants contributing to the process, data processors can expect subsequent editions of the Application Guidelines to further address, adjust or clarify outstanding issues.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.