Online Class Notes (Ally)

Writing exercise

Thursday Presentation

Well, thank you, xxx, and good afternoon, everybody.

One month ago, on July 7, the Measures for Security Assessment of Cross-border Data Transfers was formally promulgated, and it will take effect on Sep. 1. Precisely, we first see the concept “security assessment for cross-border data transfer” in the Cybersecurity Law, which has been in effect since June 1, 2017. But it only applies to the so-called critical information infrastructure operator, which is called “CIIO”. That refers to the entities that operate key industries related to national security and public interests. And the concept is reiterated by the Data Security Law, which took effect as of September 1 last year, and the Personal Information Protection Law, which took effect as of November 11 last year. And this concept has been further extended for personal information export by not only CIIOs but also non-CIIOs. However, the absence of details on the implementation of the PIPL made it difficult to follow. So almost all the companies have adopted something like a “wait and see” strategy.

But, as you can see, such a strategy will no longer work: the Assessment Measures now substantiate the scope and details of data export security assessment. And, more importantly, these Measures explicitly set a six-month grace period until March 1, 2023 for affected companies to complete their data export security assessments.

So, for CIIOs' data export, the Assessment Measures are consistent with the provisions of the CSL, which says the amount of personal information processed by CIIOs is not the criterion for determining whether security assessment is required.

For non-CIIOs, the security assessment shall be mandatory when a data processor has cumulatively exported personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals since January 1 of the preceding year. I think the quantitative thresholds provide a clearer picture for personal information export that can be more easily followed.

In addition, important data will be subject to the same data export security assessment. Actually, the concept of “important data” is quite tricky under the current legal framework. The Measures only provide a very general definition of important data, while the exact and implementable scope remains unclear. It remains to be seen whether the regulators will accelerate the development of more detailed and usable guidance on the scope of important data to facilitate the implementation of the Measures.

OK, let’s move on to the next page. Here we can see the procedure of the security assessment.

The first step: we need to carry out the self-assessment before applying for the formal Security Assessment. The question is whether a data processor must always carry out the self-assessment as long as it exports personal information or important data. The answer is yes. Some refer to the CAC’s press briefing about the enactment of the Assessment Measures and claim that the self-assessment shall apply to all export of personal information or important data even if the CAC assessment is not triggered.

In addition to that, the legal documents for data export, which are drawn up with overseas recipients, are also required for the Security Assessment application. The expression “legal document” under the Assessment Measures implies that the agreement between the data processor and the overseas recipient does not have to be executed in the form of a contract. Other types of documents such as commitment letters are also acceptable.

Notably, the Assessment Measures remove the 60-working-day maximum extension period for the Security Assessment stipulated by the Draft Assessment Measures. The CAC may extend the assessment for an appropriate period where it finds the case is complicated or if submitted materials require further correction. However, there is no explicit limit for this “appropriate period”.

So, as you can see, it will take at least 60 working days for the CAC to make the final decision. It means that, if we need to conduct the security assessment, we have to submit the application no later than December this year in order to meet the March 1, 2023 deadline. So it’s quite challenging, and the 60-day extension period policy bears great uncertainty.

Articles 5 and 8 of the Measures outline the general methodology applicable to a data exporter when conducting self-assessment and the regulator when conducting an official assessment based on the results of the data exporter’s self-assessment (that is, the areas to be looked upon including the respective assessment criteria).

The assessment criteria, on the one hand, include objective criteria such as whether the data protection competence of the overseas data recipient satisfies the PRC legal requirements, including mandatory national standards. On the other hand, they also include some subjective criteria such as whether data security or data subjects’ rights can be “fully and effectively” guaranteed, or whether the responsibilities and obligations of data security are “fully” agreed in the legal documents to be concluded between the data exporter and overseas recipient. It can be difficult to navigate these subjective criteria, as the regulators obviously have wide discretion to interpret their exact meaning in an assessment case.

Personally, I think more details need to be worked out through implementation, including consideration of a fixed six-month grace period, and we need to seek clarification from the concerned authorities, if necessary.

Next page, please. Thank you.

So, what will we do next?

I am working with Leslie on China’s Cross Border Data Transfer Requirements Project. We had a discussion with the outside attorneys from Arnold & Porter this Tuesday, seeking their advice on completing the security assessment, self-assessment and any other requirements for cross-border data transfers. Our discussion is still in the early stages, but we will continue our work on this.

And the Security Assessment is not a one-time assessment. If the validity period of the result expires, we are required to re-apply for the Security Assessment.

The Measures also emphasize the on-going compliance monitoring of data exporters, and such compliance will be closely overseen by the regulators. Article 17 of the Measures stipulates that in case the regulator finds out that an existing security assessment is no longer sustainable, for example, failure to consistently satisfy the statutory requirements due to any change of processing activities, then the regulator will have the power to call for an immediate suspension of data export and a new security assessment to enable further data export.

Moreover, the wording of the Measures indicates that the CAC will play a more active role in enforcing its rules. It is foreseeable that the CAC will conduct more frequent checks and closer monitoring/supervision, which indicates that the security assessment itself is not meant to be purely a “formalistic step”, and we need to make constant efforts to keep our data export activities compliant in substance. Any change in cross-border business process – which in reality, you know, is hard to avoid – may have an impact on data export compliance and will need to be monitored and reviewed in a timely manner.

Finally, many companies, including us, have been relying on the existing GDPR-based or US-based contractual templates to regulate data export topics. This quite often goes with the misconception that the GDPR, the golden rule of privacy protection, is good enough for the PRC, because in mainland China data protection is just a new topic that has attracted attention in recent years. However, such a misperception shall be corrected now.

This is because GDPR-based templates focus on the perspective of EU data export to China (protection of European interests), which contradicts the intention of the Chinese data export control to protect Chinese interests. And the Chinese Standard Contractual Clauses for cross-border data transfers, as referred to in Article 38 of the PIPL, are expected to be rolled out soon, very likely this year. The Chinese SCCs appear to be a supplement to the Measures.

OK, this is all from me today.

Tuesday Meeting question

If the total quantity of exported data is lower than the threshold within a maximum of 2 years, but the data that the overseas recipient constantly processes is more than the threshold because they received that data before the preceding year, do we need to apply for the assessment in this circumstance?

Pronunciation

discretion – more wide