China’s Data Cross-border Rules are about to Fall into Place ——Comments on the Measures for Security Assessment of Data Cross-border Transfer (Exposure Draft)
Introduction
On October 29, 2021, the Cyberspace Administration of China ("CAC") promulgated the Measures for Security Assessment of Data Cross-border Transfer (Exposure Draft) ("Exposure Draft") for public comment.
The Exposure Draft, the latest regulatory response to the issue of data cross-border security assessment, lays out a more comprehensive and stricter supervisory regime and spells out the regulatory compliance obligations of businesses involved in data cross-border transfer.
This article is divided into two sections. The first section outlines the legislative history of data cross-border transfer assessment and the legislative context of the Exposure Draft. The second section reviews the key contents of the Exposure Draft and examines the changes at the regulatory level with respect to data cross-border transfer, as well as the key points of businesses' compliance obligations.
I. History of data cross-border transfer assessment legislation
On April 11, 2017, the CAC promulgated the Measures for Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Exposure Draft).
On June 13, 2019, the CAC promulgated the Measures for Security Assessment of Cross-border Transfer of Personal Information (Exposure Draft).
On June 10, 2021, the Data Security Law of the People's Republic of China ("Data Security Law") was adopted at the 29th session of the Standing Committee of the 13th National People's Congress of the People's Republic of China and came into force on September 1, 2021.
On August 20, 2021, the Personal Information Protection Law of the People's Republic of China ("Personal Information Protection Law") was adopted at the 30th session of the Standing Committee of the 13th National People's Congress of the People's Republic of China and came into force on November 1, 2021.
On October 29, 2021, the CAC promulgated the Measures for Security Assessment of Data Cross-border Transfer (Exposure Draft).
As can be seen, cross-border transfer of data has always been a focus and a challenge in data legislation, and a key factor that the legislature took into account from the beginning of the enforcement of the Cybersecurity Law. Subsequently, the legislation went through a stage of dividing cross-border data into two categories, namely personal information and important data, with separate rules for each. With the data legislation framework now largely complete, the cross-border assessment rules are falling into place to support overall law enforcement.
II. Analysis of the main points of the Exposure Draft
1. The "Troika" [1] makes up the upper-level laws
With the promulgation of the Data Security Law and the Personal Information Protection Law in 2021, the upper-level laws on which data cross-border transfer assessment is based have been finalized, remedying the predicament in which a lower-level law was in force while the upper-level law that was supposed to be its basis was still up in the air. The Exposure Draft clarifies the legal system for data cross-border transfer security assessment: the "Troika", namely the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, acts as the upper-level laws, while the Exposure Draft and other refined legal documents form the lower-level laws. This legal system serves as the regulatory basis guiding the work of data cross-border transfer security assessment.
2. Data processor is regarded as the subject of assessment
When the Cybersecurity Law and the National Security Law functioned as the upper-level laws for data cross-border transfer assessment, they defined the subject of assessment as "network operator", a term that was not precisely defined but was at least clearly interpreted. One reason behind this may be that it could mitigate the contradiction between the upper-level laws and the lower-level laws.
Now that the Exposure Draft, which deals with security assessment of data cross-border transfer, has clarified the upper-level laws, it is more accurate to use "data processor" as defined in the Data Security Law instead of the previously employed "network operator" to refer to the subject of assessment. This is one of the highlights of the Exposure Draft: it avoids a series of ambiguities in the application of the law that were caused by the unclear definition of the subject of assessment.
3. Return to the unified supervision model
As can be seen from the legislative history, the issue of data cross-border transfer assessment has undergone a shift from a unified supervision model of "important data + personal information" to a separate supervision model of "personal information", and then back to the unified supervision model in the Exposure Draft.
The return to the "important data + personal information" model also signals that the regulator will no longer legislate separately on assessment of cross-border transfer of personal information and that of important data, thus alleviating businesses’ increased regulatory compliance obligations associated with separate legislation.
4. Assessment model: a two-tier assessment process
Article 3 of the Exposure Draft provides that it is imperative to conduct security assessment for data cross-border transfer under the principle of combining ex ante assessment with continuous inspection as well as risk self-assessment with security assessment, so as to prevent security risks in data cross-border transfer and ensure orderly and free transfer of data in accordance with the law.
In addition to focusing on the supervision of the whole process of data cross-border transfer, Article 3 also specifies a two-tier assessment process of "risk self-assessment + security assessment" as illustrated below:
Risk self-assessment: In this two-tier assessment process, the risk self-assessment is a mandatory step that a data processor must complete before transferring data abroad. The self-assessment requirement is not conditioned on the volume, scope or purpose of the data transfer. In our understanding, it is triggered whenever a data processor conducts a data cross-border transfer. Thus, a data processor needs to carry out risk self-assessment as long as it conducts any data cross-border transfer at all. This is the regulatory compliance obligation that a data processor must fulfill in data cross-border transfer.
Security assessment: The security assessment by the competent authority is not a mandatory step for every processor. Only a data processor that meets a certain threshold and carries out data cross-border transfer needs to apply to the regulator for security assessment. After the application is submitted, the regulator conducts the assessment according to the assessment items set out in the Exposure Draft. The adjustments to the assessment items and the assessment process are explained relatively clearly in the Exposure Draft. Among all those adjustments, the change to the conditions triggering security assessment constitutes a major breakthrough, which is discussed in the next part.
5. Core: significant adjustments to statutory obligations of applying for security assessment
Article 4 of the Exposure Draft makes significant adjustments to the conditions under which data processors have a statutory obligation to apply for security assessment. It also greatly expands the scope of data processors subject to such an obligation. The chart below compares and briefly comments on the conditions that trigger that obligation under the Exposure Draft with those under its 2017 version, the Measures for Security Assessment of Personal Information and Important Data to be Transmitted Abroad ("2017 Version").
6. Other changes
In addition to the important adjustments above, the Exposure Draft introduces the following further changes:
1) The assessment period is relatively fixed. The Exposure Draft sets a maximum assessment period of sixty-seven working days.
2) The focus of assessment is clear: Assessment will be around the legitimacy and necessity of data cross-border transfer, potential security risks and protection level of the overseas recipient and the country where it is located, the sensitivity of data to be transferred abroad and the adequacy of protection of individuals’ rights and interests.
3) The requisite terms of cross-border contracts are definite: The Exposure Draft sets out necessary provisions on security liability involved in cross-border transfers of data, which will form an important part of the template for cross-border contracts to be formulated by the cyberspace administration under the Personal Information Protection Law.
4) The competent authorities conducting the assessment are certain: The assessment will be led by the national cyberspace administration and undertaken by the competent authority of the industry concerned, relevant departments of the State Council, the cyberspace administration at the provincial level, specialized agencies, etc.
5) The conditions for reassessment are adjusted: Compared with the two previous versions, the Exposure Draft sets more flexible factors for reassessment based on data security considerations. These factors include, among others, changes in the legal environment of the recipient and contractual changes that may affect the security of data cross-border transfer.
6) The setting of legal liability is still based on legal provisions: Except for revocation and rectification, the Exposure Draft does not create any new legal liability for violating the assessment rules. Processors who violate the Exposure Draft will be held administratively and criminally liable under the Personal Information Protection Law and the Data Security Law.
Conclusion:
With the successive enforcement of the Data Security Law and the Personal Information Protection Law, the relevant implementing regulations will also arrive in quick succession. As the data cross-border assessment rule for the industry, the Exposure Draft is highly likely to be the first implementing rule to be enforced after the Personal Information Protection Law takes effect. The promulgation of the Exposure Draft reflects that the overall objective of data supervision is to encourage free transfer of data on the basis of data security. However, it also creates considerable regulatory compliance pressure on the vast majority of data processors. For data cross-border transfer, the most important thing for businesses to do is to improve their internal controls so that their external regulatory pressure is reduced. (This was explicitly suggested in our 2017 article New Regulatory Compliance Challenges for Companies under Measures for Security Assessment of Personal Information and Important Data Cross-border Transfer.)
In this regard, businesses are advised to build an overall data regulatory compliance system. For those involved or likely to be involved in data cross-border transfer, construction and implementation of a self-assessment system for data cross-border transfer should be an important part of the regulatory compliance system in order to cope with the coming era of strict regulation.
*Interns Yujie Chen and Huiting Wang also contributed to this article.