July 13, 2022
Following the issuance of the Chinese Standard Contractual Clauses (“SCC“) by the cyberspace administration of China (“CAC“) as further detailed in our previous update available HERE, the CAC issued on July 7, 2022, the Measures for Security Assessment of Data Exports (“Order”) which will come into effect on September 1, 2022. The Order determines the legal framework of data transfer outside China when the SCC framework does not apply due to non-compliance with the threshold requirements determined in the SCC.
Security Assessment Applicability:
Companies that are not considered CIIOs or handle smaller volumes of data than the thresholds set below can legally process data by signing an SCC. However, a data processor must conduct a security assessment with the CAC and cannot rely on the SCC where:
Self-Assessment (Article 5 to the Order):
Before applying for a data export security assessment with the CAC, a data processor must conduct a self-assessment of the data processing risks, focusing on the following matters:
CAC Assessment Timeline:
Upon receipt of the application, the provincial CAC determines whether the application materials are completed within five business days. If the application materials are complete, the provincial CAC transfers the application to the central CAC for further assessment. If the application materials are incomplete, they will be returned to the processor with required materials that should be supplemented. The central CAC will notify the applicant within seven business days from the date of receipt whether the application has been accepted. Finally, the central CAC will complete the data security assessment within 45 business days from issuing a written acceptance notice to the processor. In complex cases where the assessment might be expanded, the CAC will notify the processor accordingly. In case the processor is not satisfied with the assessment’s result, an application for reassessment can be applied within 15 business days from the receipt of the result, which will be the final conclusion.
Application Materials (Article 6 to the Order):
In order to submit for a security assessment, the processor must provide the following materials to the provincial CAC:
Expiration Date (Article 14 to the Order):
The validity period of the security assessment result is 2 years from the date of issuance. If one of the following circumstances occurs within the validity period, the data processor shall re-apply for evaluation: A change in the purpose, method, scope, or type of data provided overseas, the use and method for data processing by the overseas recipients has changed, or there is an extension in the overseas retention period for the personal information or important data; There are any changes to: (i) The data security protection policies, regulations, and cybersecurity environment of the country or region where the overseas recipient is located; (ii) The actual control of the data processor or overseas recipient (iii) The legal documents between the data processor and the overseas recipient that may affect the security of outbound data.; and Other circumstances that affect the security of the data export.
When the validity period expires, and it is necessary to continue to carry out data export activities, the data processor shall re-apply for evaluation 60 working days before the validity period expires.
Grace Period (Article 20 to the Order):
The Order will come into force on September 1, 2022. Regarding transfers carried out before this date, the rectification must be completed within 6 months from the implementation date of the Order.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as setting out binding legal advice but rather as a practical overview that is based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
Please let us know if you have any further questions,
APM Technology and Regulation Team.