On July 7, 2022, the Cyberspace Administration of China ("CAC") released the Measures for Security Assessment for Cross-Border Data Transfer (the "Measures"), marking the finalization of China's security assessment system for cross-border data transfer (CBDT). The analysis of the Measures can be found in our previous article titled Cross-border Data Transfer: The Security Assessment Path.

The Measures have been in effect since September 1, 2022. To guide and help data processors apply for security assessment for cross-border data transfer in a standardized and orderly manner, the CAC prepared and promulgated on August 31, 2022 the Guidelines for the Application for Security Assessment for Cross-Border Data Transfer (First Edition) (the "Guidelines"), which clarify the application method, application procedures, application documents, and other specific requirements for the security assessment of cross-border data transfer. We summarize the main content of the Guidelines below in the form of quick Q&As, for reference by enterprises that have cross-border data transfer needs.

Q1: What is the applicable scope of the security assessment for the cross-border data transfer?

The Guidelines provide that, where a data processor transfers data abroad, it shall, through the local provincial cyberspace administration, apply to the CAC for security assessment for cross-border data transfer in any of the following circumstances:

(Figure 1 Circumstances under which security assessment for cross-border data transfer shall be applied)

The applicable scope provided by the Guidelines remains the same as that under the Measures. However, as to what constitutes a cross-border data transfer, the Guidelines have made some minor wording changes, building on the reporter's Q&A on the Measures, as follows:

(Figure 2 Scope of cross-border data transfer)

Q2: What are the specific procedures for security assessment for the cross-border data transfer? 

According to the Measures and the Guidelines, the application procedures for security assessment can be summarized as follows:

(Figure 3 Application procedures for security assessment for cross-border data transfer)

Q3: What documents are required for the security assessment?

The Guidelines specify that an application for security assessment for the cross-border data transfer should be submitted as written materials together with electronic versions of those materials on CD-ROM. The application materials and relevant requirements are detailed as follows:

List 1 A list of application materials

| No. | Document | Requirement | Note |
|---|---|---|---|
| 1 | Unified Social Credit Code Certificate | Photocopy with company seal | |
| 2 | Identity document of legal representative | Photocopy with company seal | |
| 3 | Identity document of agent | Photocopy with company seal | |
| 4 | Power of attorney for agent | Original | |
| 5 | Application letter for the security assessment for the cross-border data transfer | | |
| 5.1 | Letter of commitment | Original | |
| 5.2 | Application form for the security assessment for the cross-border data transfer | Original | |
| 6 | Contract or other documents with legal force (collectively “Legal Document”) to be executed with the overseas recipient in relation to the cross-border data transfer | Photocopy with company seal | Contractual clauses related to cross-border data transfer shall be highlighted, circled, or otherwise prominently marked. The Chinese version of the Legal Document shall prevail. If there is only a version in a language other than Chinese, a Chinese translation must be provided as well. |
| 7 | Self-assessment report on the risk of the cross-border data transfer | Original | |
| 8 | Other relevant supporting materials | Original or photocopy with company seal | The Chinese version of the supporting materials shall prevail. If there is only a version in a language other than Chinese, a Chinese translation must be provided as well. |

Among the above documents, the Guidelines provide templates for reference for Items 4, 5 and 7.

Q4: What does the application letter consist of? 

The Guidelines provide templates for Item 5, the application letter, which consists of (i) a letter of commitment and (ii) an application form for security assessment for the cross-border data transfer.

The letter of commitment includes the following content:

(Figure 4 Content of the letter of commitment)

The application form for security assessment for the cross-border data transfer contains 14 items which can be summarized into five domains as follows:

List 2 Content of the application form

| Item | Domain |
|---|---|
| 01 Information about the data processor | Information about the data processor |
| 02 Information about the legal representative | Information about the data processor |
| 03 Information about the persons responsible for data security and the data security management function | Information about the data processor |
| 04 Information about the agent | Information about the data processor |
| 05 Description of the business scenarios related to the cross-border data transfer | Information about the cross-border data transfer |
| 06 Purpose of the cross-border data transfer | Information about the cross-border data transfer |
| 07 Method of the cross-border data transfer | Information about the cross-border data transfer |
| 08 Outbound data link for the cross-border data transfer | Information about the cross-border data transfer |
| 09 Particulars of the data to be transferred abroad | Information about the cross-border data transfer |
| 10 Information about the overseas recipient | Information about the overseas recipient |
| 11 Information about the persons responsible for data security and the data security management function of the overseas recipient | Information about the overseas recipient |
| 12 Legal Document | Legal Document related information |
| 13 Page number and clause of relevant provisions in the Legal Document | Legal Document related information |
| 14 Data processor's compliance with Chinese laws, administrative regulations and department rules | Data processor’s compliance |

It is worth noting that, although the Guidelines do not provide any template for the Legal Document to be concluded with the overseas recipient, Article 9 of the Measures sets out the main content to be included in the Legal Document, which is shown in the following figure. The Guidelines specifically require the data processor to clarify in Item 13 of the application form that the relevant content has been covered in the Legal Document.

(Figure 5 Main content of the Legal Document)


In addition, Item 14 “data processor's compliance with Chinese laws, administrative regulations and department rules” refers to information on any administrative penalties imposed on the data processor, any investigations of it by the relevant competent regulatory authorities, and the status of any rectification, in the course of its business operations in the past two years, with a focus on data and cyber security.

Q5: What is the main content of a self-assessment? 

Article 5 of the Measures provides that, before filing an application for a security assessment for the cross-border data transfer, the data processor shall conduct a self-assessment on the risks of the cross-border data transfer. To ensure the timeliness of the self-assessment, the Guidelines require that the self-assessment be completed within the three months before the data processor submits the application for security assessment, and that there be no material change from the time of the self-assessment to the date of application. In addition, if a third-party institution has participated in the self-assessment, the data processor must state in the self-assessment report the basic information of the third-party institution and its participation in the assessment, with the third-party institution's seal affixed on the relevant content pages.

The Guidelines require that the self-assessment include the following four parts: a brief description of the self-assessment, the overview of the cross-border data transfer, the risk assessment on the cross-border data transfer and the results of the self-assessment on the risk of the cross-border data transfer activities. The overview of the cross-border data transfer and the risk assessment on the cross-border data transfer require detailed information from the data processor regarding the cross-border data transfer.

In the overview of the cross-border data transfer, the data processor should set out in detail the basic information of the data processor, the business and information systems related to the cross-border data transfer, the particulars of the data to be transmitted abroad, the data processor's security protection capabilities, information about the overseas recipient, and the provisions of the Legal Document. Most of this information has been briefly described in the abovementioned application form. As the content to be assessed shows, the self-assessment focuses not only on the participants in the cross-border data transfer activities (i.e., the data processor and the overseas recipient), but also on the businesses and systems related to the cross-border data transfer, in order to understand the scope of the possible influence on the security of data assets and information system assets arising from the cross-border data transfer. In addition, the item “the provisions of the Legal Document” again requires that the main content stipulated in Article 9 of the Measures be incorporated in the Legal Document.

As for the risk assessment on the cross-border data transfer, as provided in Article 5 of the Measures, the Guidelines require the data processor to assess the following matters, with a focus on problems and potential risks found in the assessment, as well as the corresponding corrective measures adopted and the effect of such corrective measures. 

(Figure 6 Main content to be assessed in the self-assessment)

Q6: How to contact the CAC for information about a filing-related issue?

According to the Guidelines, information about the application can be obtained from the CAC in the following ways:

Email: sjcj@cac.gov.cn

Tel.: 010-55627135

The Measures are now in effect. For cross-border data transfer activities that have already been carried out, a six-month rectification period has been provided for data processors to correct their practices where these are inconsistent with the provisions of the Measures. However, since the release of the Guidelines shows that the CAC is ready to receive applications from data processors for security assessment of cross-border data transfer, enterprises that have already carried out cross-border data transfer activities should evaluate as soon as possible whether they fall within the scope of the Measures and proactively file applications in accordance with the relevant procedures and requirements of the Guidelines.

Annie Xue



Dr. XUE is a senior counsel supervising the compliance practice of GEN Law Firm. She specializes in regulatory affairs in cybersecurity and data protection, antitrust and anti-unfair competition, anti-commercial bribery, and the Chinese social credit system. Dr. Xue has extensive experience in these areas and a profound understanding of the complicated issues at the intersection of those topics. Dr. Xue studied competition law at the College of Law of the University of Illinois at Urbana-Champaign and obtained a J.S.D. degree. She also participated in many research projects led by law enforcement authorities and academia as a postdoctoral fellow at the Institute of Law of the Chinese Academy of Social Sciences, and actively contributed to the formulation of competition and data regulatory policies. Before joining GEN, Dr. Xue served as a senior attorney in two Chinese law firms. She has authored many articles and reviews related to legal compliance and served as an editor of The China Competition Bulletin hosted by Australia and New Zealand Government College.

CHEN Yang


CHEN Yang focuses on cyber security and data protection, personal information protection and compliance supervision consulting, and has participated in many difficult and complex cases. Yang has the Chinese lawyer qualification and is a Certified Information Privacy Professional (Europe) and Certified Information Privacy Manager by the International Association of Privacy Professionals (IAPP), having rich experience in the field of data protection.