Following the issuance of the Chinese Standard Contractual Clauses (“SCC“) by the cyberspace administration of China (“CAC“) as further detailed in our previous update available HERE, the CAC issued on July 7, 2022, the Measures for Security Assessment of Data Exports (“Order”) which will come into effect on September 1, 2022. The Order determines the legal framework of data transfer outside China when the SCC framework does not apply due to non-compliance with the threshold requirements determined in the SCC.
Security Assessment Applicability:
Companies that are not considered CIIOs or handle smaller volumes of data than the thresholds set below can legally process data by signing an SCC. However, a data processor must conduct a security assessment with the CAC and cannot rely on the SCC where:
- The data processor transfers “important data” overseas – The term “important data” refers to data that, once it is tampered with, destroyed, leaked, or illegally obtained or used, may endanger national security, economic operation, social stability, public health, and safety;
- The entity transfers personal information as a critical information infrastructure operator (“CII”) or data processor that process the personal information of more than 1 million individuals;
- The entity transfers personal information since January 1 of the previous year of 100,000 individuals or sensitive personal information of 10,000 individuals;
- Other situations required to declare data export security assessment as determined by the CAC.
Self-Assessment (Article 5 to the Order):
Before applying for a data export security assessment with the CAC, a data processor must conduct a self-assessment of the data processing risks, focusing on the following matters:
- The legitimacy and necessity of the purpose, scope, and method of the data processing overseas;
- The scale, scope, type, and sensitivity of the data, and the risks that the data processed overseas may cause to national security, public interests, the legitimate rights and interests of individuals or organizations of China;
- The responsibilities and obligations the processor undertakes, and whether the management and technical measures can ensure the security of the data;
- The risk of data being tampered with, destroyed, leaked, lost, transferred, or illegally obtained, and whether the channels for safeguarding personal information rights and interests are unobstructed;
- Whether the data export-related contracts or other legally binding documents fully stipulate the responsibility and obligation of data security protection;
- Other matters that may affect the security of data export.
CAC Assessment Timeline:
Upon receipt of the application, the provincial CAC determines whether the application materials are completed within five business days. If the application materials are complete, the provincial CAC transfers the application to the central CAC for further assessment. If the application materials are incomplete, they will be returned to the processor with required materials that should be supplemented. The central CAC will notify the applicant within seven business days from the date of receipt whether the application has been accepted. Finally, the central CAC will complete the data security assessment within 45 business days from issuing a written acceptance notice to the processor. In complex cases where the assessment might be expanded, the CAC will notify the processor accordingly. In case the processor is not satisfied with the assessment’s result, an application for reassessment can be applied within 15 business days from the receipt of the result, which will be the final conclusion.
Application Materials (Article 6 to the Order):
In order to submit for a security assessment, the processor must provide the following materials to the provincial CAC:
- Application form;
- Self-assessment report on data export risk;
- Legal documents to be concluded between the data processor and the recipient; and
- Other materials required for the safety assessment work.
Expiration Date (Article 14 to the Order):
The validity period of the security assessment result is 2 years from the date of issuance. If one of the following circumstances occurs within the validity period, the data processor shall re-apply for evaluation: A change in the purpose, method, scope, or type of data provided overseas, the use and method for data processing by the overseas recipients has changed, or there is an extension in the overseas retention period for the personal information or important data; There are any changes to: (i) The data security protection policies, regulations, and cybersecurity environment of the country or region where the overseas recipient is located; (ii) The actual control of the data processor or overseas recipient (iii) The legal documents between the data processor and the overseas recipient that may affect the security of outbound data.; and Other circumstances that affect the security of the data export.
When the validity period expires, and it is necessary to continue to carry out data export activities, the data processor shall re-apply for evaluation 60 working days before the validity period expires.
Grace Period (Article 20 to the Order):
The Order will come into force on September 1, 2022. Regarding transfers carried out before this date, the rectification must be completed within 6 months from the implementation date of the Order.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as setting out binding legal advice but rather as a practical overview that is based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
Please let us know if you have any further questions,
APM Technology and Regulation Team.
