🔥 热搜 🔥
上海习近平新疆鄂州父女瓜乌鲁木齐疫情H工口小学生赛高习明泽芊川一笑图包印尼排华
分类
社会娱乐国际人权科技经济其它
🔥 热搜 🔥
上海习近平新疆鄂州父女瓜乌鲁木齐疫情H工口小学生赛高习明泽芊川一笑图包印尼排华
分类
社会娱乐国际人权科技经济其它
查看原文
其他

Impact of the Draft Measures on Outbound Data Assessment

大辉哥 世辉律师事务所 2022-06-13
收录于合集
#世辉数据合规 33 个
#医疗 43 个



The Cyberspace Administration of China (the "CAC") issued the Measures for Security Assessment of Cross-border Data Transfer (Draft) (in Chinese “数据出境安全评估办法(征求意见稿)”) (the "Draft Measures") on October 29, 2021.This article aims at providing a background to the Draft Measures, its key provisions, and the potential impact it may have on enterprises.



Author:Shihui Partners | Raymond Wang | Jeanette Wang



 Background

Over the last four years, with the promulgation of the Cybersecurity Law (in Chinese “网络安全法”) (the "CSL"), the Data Security Law (in Chinese “数据安全法”) (the "DSL") and the Personal Information Protection Law (in Chinese “个人信息保护法”) (the "PIPL"), the fundamental legal architecture for cybersecurity and data protection was gradually being laid in the People’s Republic of China (“PRC”). The three statutes impose, amongst many other things, restriction on the cross-border transfer of data collected and stored in the PRC. Since 2017, many companies have been anxiously awaiting clarification on security assessment for data transfer ever since the CSL introduced limits on export.
The Draft Measures are the CAC’s third attempt at building a comprehensive mechanism for cross-border data transfer. The previous attempts were in 2017 through the Measures for Evaluating the Security of Transferring Personal Information and Important Data Overseas (Draft) (in Chinese “个人信息和重要数据出境安全评估办法(征求意见稿)”) and later the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft) (in Chinese “个人信息出境安全评估办法(征求意见稿)”). 2 The Draft Measures will harmonize the requirements under the CSL and DSL and offers much desired clarification on the security reviews, the governmental department responsible for overseeing security assessments, and what procedures companies must complete to get clearance for the offshore transfer of both important data and personal information.

 Scope of Cross-Border






What qualifies as a “cross-border data transfer” has not been clearly defined by statutes like the CSL, the PIPL or the DSL; although previous draft standards and specifications have tried to do so, the drafts never officially came into effect. The definition is similarly absent in the Draft Measures and we understand this to be an intentional carte blanche to provide for more flexibility for law enforcement under the ever changing digital environment. Nevertheless, in practice, there are some recognized data outbound situations; for example, where data is not transferred outside the PRC but can be accessed and viewed by organizations and individuals abroad is widely considered as a “cross-border data transfer.” Another example would be if an offshore company collects domestic (PRC) operation data. In this case, pursuant to Article 31 of the DSL and Article 40 of the PIPL, the data must be stored in the PRC and cannot be transferred without first complying with the requirements under the Draft Measures.

 Triggers for Security Assessments

Article 4 of the Draft Measures imposes a CAC-led security assessmentrequirement based on the following :

Types of DataProcessor
Types of Data
Statutory Derivative
Critical informationinfrastructure operator (“CIIO”)
Personal data and importantdata
Article 37 of the CSL
All data processors
Important data
DSL4

 
Company which processes thepersonal information of one million individuals or above
Personal information
PIPL
Company which cumulatively5transfers abroad personal information of more than 100,000 individuals

Personal information
PIPL
Company which cumulativelyprovides abroad sensitive personal information of more than 10,000 individuals
Sensitive personalinformation
PIPL
Others as prescribed by theCAC
Others as prescribed by theCAC
-


 Self-Assessments

All data processors subject to the above mandatory security assessment would first need to conduct a self-security assessment addressing the following criteria:
  • the legality, propriety and necessity of the cross-border transfer/processing conducted by the data recipient outside the PRC;
  • the volume, scope, type and sensitivity of the data to be transferred, and the potential risks to national security, public interests and the legitimate interests of individual and corporations;
  • whether the data protection laws and regulations of the data recipient’s jurisdiction, the capability of the security of the data recipient, and whether the protections provided by the data recipient satisfy PRC laws and standards and whether the recipient has sufficient means and capabilities to fulfil such duties;
  • the risk of data leakage, damage, corruption, loss, or misuse; and
  • whether the data transfer agreement adequately allocates relevant responsibilities for data protection.


 Security Assessment Procedure






When applying for the CAC-led data export security assessment, companies are required submit materials including an application form, self-assessment report, legally binding documents drawn up between the data processor and the data recipient. When evaluating a data processor’s application, the CAC will focus on:6
  • the legality, propriety and necessity of the transfer;
  • the data protection laws of the data recipient’s jurisdiction, and whether the protections and security provided by the data recipient are adequate to satisfy those under PRC laws and regulations;
  • the volume, scope, type and sensitivity of the data being transferred and the risk of leakage, damage, corruption, loss and misuse;
  • whether the data transfer agreement adequately allocates responsibilities for data protection;
  • compliance with Chinese laws, administrative regulations, and departmental regulations by the data processor; and
  • other matters that are deemed necessary by the CAC.

The CAC shall confirm whether it accepts an application within 7 working days of receipt and must process the application within 45 working days from the date it confirms its acceptance of the application. The 45-day period may be extended to 60 working days if the facts of the case are complicated. The validity period of the assessment is two years which application for renewal should be made 60 working days before the expiration of the validity period.

The data processor shall re-submit the assessment upon the expiration of the validity period or where any of the following circumstances occur:
  • changes in fundamental aspects of the cross-border data transfer: any change to the purpose, method, range and variety regarding the data to be provided overseas, or the purpose and method regarding the data processing by the overseas receiving party, or the extension of the period for overseas storage of personal information and important data;
  • changes in data protection environment (law, control or contract): any change to the legal environment of the country or region where the overseas receiving party is located, or the actual control of the data processor or overseas receiving party, or the contract between the data processor and the overseas receiving party, which may affect the security of the data provided overseas; or
  • other circumstances that may affect the security of the data provided overseas.

In addition, where the CAC is of the view that any approved cross-border data transfer activity no longer meets the security standards, the CAC may revoke its security assessment approval and the data processor cannot proceed with a transfer.


 Data Transfer Agreement

The data transfer agreement mentioned in the two sections above need to be signed between the data process and data recipient and will need to include the following key provisions:
  • the purpose, method and scope of the cross-border transfer;
  • the location where the data will be stored outside of the PRC and how long the transferred data will be retained and how the data will be dealt with after the expiration of the retention period, termination of the data transfer agreement, or when the purpose of processing has been met;
  • provisions restricting disclosure and transfer of the data to third parties;
  • the security measures to be taken in the event of a material change to the data recipient’s business or if the data recipient does not have the means or capabilities to satisfy its duties;
  • liability for breach of contractual security responsibilities;
  • a binding and enforceable dispute resolution provision; and
  • data recipient to respond and safeguard the rights and interests of the data subjects (if personal information is involved) in the event of a data leak or other breach.

Conclusion

Companies should take into consideration the timeline to prepare and complete a security assessment for any project planning since there are no existing exemptions. We anticipate that in the near future, other detailed rules and regulations on the cross-border data transfer security management will continue to be released intermittently to create a more comprehensive security management regime for cross-border data transfer. In the meantime, companies are advised to gear up and align their policies with those under the Draft Measures. In this regard, we would be pleased to share with you our experience and understanding on this topic on an ongoing basis.


参考资料:1.The deadline for public comments is set at November 28, 2021.2.It should be noted that the Measures supersedes and replaces these two drafts.3.Application should be made through the provincial cyberspace administration.4.According to the DSL, local governments and industry departments should determine the specific catalog of important data in their regions or industries. We also understand that local governments and industry departments have been working on drafting important data catalogs.5.It is not clear what qualifies as “cumulative.” We understand that since the declaration assessment has a validity period of two years, data processors should nonetheless proceed with a declaration assessment if they expect their cumulative transferred data over the course of two years to meet the threshold based on their internal historical operational data.
6.See Article 8 of the Draft Measures.
Copyright and DisclaimerThis article is for reference only and should not be considered legal advice. This article should not be used for any other purposes without the written consent of Shihui Partners. If you need to forward, please indicate the source. If you have any questions about the content of this article, you can contact the authors of this article, Raymond Wang and Jeanette Wang or other Shihui Partners's lawyers.



Raymond Wang | Partnerwangxr@shihuilaw.com
Raymond focuses on cybersecurity and data protection and frequently advises leading multinational and domestic technology companies and ministries and local governments with respect to legislative and regulatory programs.
Raymond sits on the expert panel for the ICC’s Data Governance Working Group and the B20 Organization Compliance Working Group. He is one of the key authors of the monograph “International Comparative Study on Personal Information Protection" and “Data Service Framework". He has published many articles, reports and translation works in the field of personal information protection, and also has taught courses related to data protection and cyber law in Peking University and Tsinghua University.
He was listed as one of the 2021 ALB China Top 15 Lawyers in TMT area by Asian Legal Business and as "Leading lawyer in data protection area" by The Legal 500 ranking institution. The awards he has gained also include Lawyers of the Year in Cybersecurity areas by 2021 China Law & Practice and China Top 15 Lawyers– Cybersecurity and Data Protection (Tier one) by LEGALBAND in 2019, 2020 and 2021.

Jeanette Wang | Partnerwangjy@shihuilaw.com
Jeanette’s main areas of practices are in M&A, PE/VC, foreign direct investment cybersecurity and data compliance.
Jeanette has assisted across the broad spectrum corporate work including domestic and cross-border mergers and acquisitions, and advised investors and conglomerates such as KKR, Blackstone, Tencent, JD, Haier, Office Depot and Swiss Post in such transactions. She also assisted many venture capital funds and start-ups in several rounds of private equity/venture capital investment and financing transactions. Her track record spans a vast range of sectors, including pharmaceutical & healthcare, TMT, manufacturing, automobile and new energy, chemical engineering, real estate, commercial retails, banking and finance.
Jeanette has also assisted multinational corporations in their various cybersecurity and data protection issues, including data security inspection and assessment, establishment of data compliance system and dealing with government inspection and security incidents. She also provides advice to clients in general corporate matters. Her list of clients includes GE, Richemont, Thermo Fisher, Burberry, Chanel, Danaher, Volvo, PEPSI and Abbott.
往期推荐
数据安全系列
投融资系列
资本市场 
投资基金并购期权辉说医疗

辉说仲裁

辉说反垄断

其它






您可能也对以下帖子感兴趣

文章有问题?点此查看未经处理的缓存