CAC Issues New Measures to Clarify Security Assessment Requirements for Cross-border Data Transfer

2022.07.15 GUO, Chao

I. Introduction


On July 7, 2022, the Cyberspace Administration of China (CAC) issued the Measures for Security Assessment of Data Export Security (Measures). These Measures will go into effect on September 1, 2022.


On June 30, 2022, the CAC released the Provisions on Standard Contracts for the Export of Personal Information to seek comments from the public. On June 24, 2022, the National Information Security Standardization Technical Committee of China (TC260) issued the Specification for the Security Certification of Cross-Border Processing of Personal Information, which provides guidelines for implementing the certification mechanism under Article 38 of the Personal Information Protection Law (the PIPL).


The Measures specify the circumstances when the cross-border transfer of personal information is subject to a security assessment. Transfers that are out of the scope of the application can still be justified on a legal basis by way of obtaining a personal information protection certification or entering into a standard contract.


II. Interpretation of the Key Points


The CAC issued a draft of the Measures for public consultation in October last year (Draft). The final version remains mostly unchanged from the draft, but some adjustments have been made regarding the scope, conditions and procedures of the security assessments. They aim to provide clearer and more specific guidance for data processors to apply for security assessments, and for the competent authorities to accept and conduct assessments.


This article intends to summarize and comment on the key points of the Measures.


1. Application scope


According to the Measures, if a data processor triggers any of the following thresholds, it needs to apply for a security assessment of its cross-border data transfer: (a) it provides important data abroad; (b) it is a critical information infrastructure operator or it processes the personal information of more than one million individuals in total; (c) it has exported the personal information of more than 100,000 persons in aggregate or the sensitive personal information of more than 10,000 persons in aggregate since January 1 of the previous year; or (d) other circumstances subject to a security assessment as required by the CAC.


2. Specific procedures for a security assessment


If a data export activity triggers a security assessment, the following procedures should be followed:

(a) Pre-review: the data processor should carry out a self-assessment of the risks involved in the data export.

(b) Applying for a security assessment: the data processor should apply to the CAC for a security assessment via the provincial-level cyberspace authority, by submitting: (i) an application form; (ii) a report on the self-assessment; (iii) the legal document to be executed between the data processor and the overseas recipient; and (iv) other materials as required for the security assessment. The provincial-level cyberspace authority is responsible for the complete check of the application materials and for transferring such materials to the CAC.

(c) Carrying out a security assessment: Upon acceptance of the application, the CAC will, depending on the case, organize the relevant departments of the State Council, provincial-level cyberspace authority and specialized institutions to conduct the security assessment. The data processor will be notified in writing of the assessment result.

(d) Re-assessment and termination of a data export: If the validity period of the assessment result has expired or certain circumstances of the re-assessment have occurred during the validity term, the data processor should re-apply for a security assessment. If any data export activity which has already passed the security assessment no longer meets the security requirements for outbound data transfers, such activity should be terminated upon written notice from the CAC.


3. Focused areas for self-assessment and security assessment


The focused areas of self-assessment and security assessment are similar, mainly covering the following six aspects and other matters to be assessed as deemed necessary by the CAC:

(a) the legality, legitimacy, and necessity of the cross-border data transfer in terms of the purpose, scope, method, etc.;

(b) the impact of data security protection policies and legislation and the cybersecurity environment of the country or region where the overseas recipient is located on the security of the outbound data; whether the data protection level of the overseas recipient meets the requirements of the laws and administrative regulations and the mandatory national standards of the People's Republic of China;

(c) the quantity, scope, type, and sensitivity of the outbound data, and the risks of the data being tampered with, damaged, leaked, lost, relocated or illegally acquired or used during and after the cross-border data transfer;

(d) whether data security and personal information rights and interests can be sufficiently and effectively ensured;

(e) whether the data security protection responsibilities and obligations are sufficiently stipulated in the Legal Document executed between the data processor and the overseas recipient; and

(f) compliance with China's laws, administrative regulations and departmental rules.


4. Legal document to be signed by both parties


The legal document to be executed between the data processor and the overseas recipient should be submitted to the cyberspace authority for a security assessment application. The Measures further require that the data security protection responsibilities and obligations be clearly stipulated in the legal document, and set out specific items that should be contained. This includes the purpose and method of the outbound data transfer and the scope of the data, the purpose and method of the data processing by the overseas recipient, and the measures to handle the data transferred overseas upon the expiration of the retention period, the completion of the agreed purpose, or the termination of the legal document.


In terms of content, the legal document under the Measures is not completely consistent with the standard contract (draft). In terms of formality, the legal document may also include other legally binding documents in addition to contracts. The specific requirements for the contract content remain to be further explained and confirmed by the CAC.


5. Timelines for security assessments


The CAC should, within seven working days of the date of receipt of the application materials from the local cyberspace authority, determine whether to accept the application, and complete the security assessment within 45 working days of the date of the written notification of acceptance. If the case is complicated or there are materials that need to be supplemented or corrected, this period may be extended as appropriate and the data processor should be notified of the extension.


6. Circumstances for reapplying for a security assessment


Passing a security assessment for a data export is valid for two years. The circumstances for reapplying for a security assessment under the Measures include: (a) if the data processor needs to continue the data export activity after the expiration of the validity period, it should reapply for the assessment within 60 working days of the expiration date; (b) any circumstance that may affect the security of the outbound data occurs during the validity term, such as a change to the purpose, method, or scope of the data export; (c) where the CAC requires a data processor to terminate the data export and the data processor has a need to continue the data export, it should reapply for a security assessment after completing the rectification.


III. Impact and Observation


The Measures clarify the scope, conditions and procedures for a security assessment on data exports, and provide specific compliance guidance for enterprises to carry out data export activities. The Measures provide a six-month transition period from their effectiveness for the rectification of cross-border data transfers carried out before the Measures take effect (September 1, 2022). We suggest enterprises and institutions in various industries take the following measures in a timely manner to meet the corresponding compliance requirements:

  • Sort out the data export scenarios of the enterprise, and evaluate the scale and attributes of the data involved;

  • Specify priorities and create a timetable for compliance rectification according to importance and sensitivity, and adhere to the timetable;

  • Specify the path for the data export and select the appropriate data exporter and overseas recipient according to the data export activities in the different business scenarios, and take into consideration the risks and costs involved;

  • Establish an internal assessment system, integrate a personal information protection impact assessment and a data export risk self-assessment, and use assessment tools to produce assessment reports that meet the regulatory requirements;

  • Further consider security assessment requirements based on a self-assessment; for activities that are subject to an application for a security assessment, conduct effective communication with the regulator in a timely manner;

  • Revise and update the legal documents for data export in accordance with the relevant regulations and standard contracts;

  • Communicate with overseas recipients of data in a timely manner, adjust data processing and transmission plans if necessary, and jointly promote compliance with all data export requirements;

  • Understand and investigate the legislation and the cybersecurity environment of the country or region where the overseas recipient is located, and keep an eye on any macro risks and legal obstacles;

  • Make adjustments as soon as possible for any situation that may fail to pass an assessment based on the self-assessment result, to reduce the impact on the business as much as possible; and

  • Constantly follow up on changes relating to the regulatory requirements and practices.
