On August 20, 2021, China’s first comprehensive Personal Information Protection Law (“PIPL”) was passed into law. The Cybersecurity Law, the Data Security Law, and the PIPL of China are the three pillars of China’s data protection framework, which govern cybersecurity, data security, and personal information protection respectively. The Cybersecurity Law largely governs cybersecurity requirements for…
On July 7, 2022, China’s cybersecurity regulator, the Cyberspace Administration of China (“CAC”), issued the Cross-Border Data Transfer Security Assessment Measures (“CBDT Security Assessment Measures”). These measures, along with the Guidance on Cybersecurity Standards – Security Certification Specification for Personal Information Cross-Border Processing Activities, which JD Supra refers to as “the Chinese equivalent of GDPR’s Binding Corporate Rules,” and the Draft Standard Contract Clauses, referred to as “the Chinese equivalent of GDPR’s Standard Contract Clauses,” will be used to provide detailed guidance on the Chinese Cross-Border Data Transfer Rules (“CBDT Rules”).
The CBDT Security Assessment Measures take effect on September 1, 2022, and provide companies that deal with “very sensitive data or voluminous personal information originating from China” with a six-month grace period if they initiate remedial actions after notice of their violation. Organizations should nonetheless act now to ensure compliance with the regulatory framework.
Under the framework of the CBDT rules, there are three avenues for transferring important data and personal information originating in China.
First, organizations can have a CAC official conduct a State Security Assessment. Although described as not mandatory, such an assessment should be performed where the state cybersecurity authorities have specified circumstances in which a State Security Assessment would be required, or where the data processor:
- Provides important data outside of China;
- Is a “Critical Information Infrastructure Operator” (CIIO), as defined by the Measures, or manages or maintains the personal information of one million or more individuals, and intends to transfer any of that data overseas; or
- Has exported the personal information of 100,000 individuals or the sensitive personal information of 10,000 individuals since January 1 of the preceding year (known as the “Materiality Test”).
The assessment would focus on the basis for transferring this data, the advantages and disadvantages of permitting the transfer, and the risks and legal implications of granting that permission. The assessment would be valid for a period of two years after the results are issued, and the data processor must apply for another assessment at least 60 days before the expiration of that period.
Although there are no penalties specified for a failure to obtain a State Security Assessment—because these assessments are reportedly not mandatory—the Measures do refer to the penalties under DSL, PIPL, Cybersecurity Law, and Criminal Law, which can include civil, administrative, or criminal liabilities.
If your organization does not meet the Materiality Test, it can seek a third-party certification by a professional institution as to the security and necessity of the transfer. However, this route is only available where the cross-border data transfer would be received by the same company (known as an “intragroup transfer”), or where the personal information processing activity conducted outside of China is for the purpose of:
- Providing products or services to people who live in China;
- Analyzing or evaluating the behaviors of persons living in China; or
- Any other data processing permitted by other laws and regulations.
Finally, data importers and exporters can enter into a Chinese standard contract (“China SCCs”), which, according to JD Supra, is the “least time-consuming route, mainly applicable to smaller-scale data processors.” These contracts are reportedly similar to the Standard Contract Clauses allowed under the GDPR, but they would apply to all cross-border data transfers of the personal information of Chinese natural persons “without distinguishing the roles of data exporters and data importers as ‘controllers’ or ‘processors.’”
According to JD Supra, there are two “diverged roads” that organizations can pursue in light of these Chinese regulations. First, organizations could localize the data that is involved in the operations, products, and services in China. This would require the organization to “re-organize their global information technology management structure and prepare a separate system specifically for China operations.”
Alternatively, organizations can act to gain compliance with the CBDT Rules. Organizations that pursue this route, however, should consider “whether a state security assessment for a cross-border transfer is required, and if so, does the company want to go through such an assessment as it may increase exposure to potential unwanted access.”