7 Key Points to Know China’s Data Export Security Assessment
With the promulgation of the Measures for Security Assessment of Data Export on 7 July 2022, the regulatory regime for data export has finally taken shape in China. This article interprets the new regulation with a focus on the regulators’ concerns and provides compliance guidelines for enterprises.
Introduction
On 7 July 2022, the Cyberspace Administration of China (“CAC”) issued the Measures for Security Assessment of Data Export (“Assessment Measures”), which take effect on 1 September 2022. The rules on data export were originally established in the Cybersecurity Law of the People’s Republic of China (“Cybersecurity Law”) in 2016. Since then, the Data Security Law of the People’s Republic of China (“Data Security Law”) and the Personal Information Protection Law of the People’s Republic of China (“Personal Information Protection Law”) have further sketched out the regulatory regime. The foregoing rules, though general and broad, express a clear notion that a security assessment should serve as the “valve” for data export.
However, uncertainty lingered. In the past few years, PRC law was silent on key questions such as when the security assessment would be triggered and how it would be carried out. Practical guidance did exist, but most of it remained at the stage of soliciting public comments. To date, the CAC has published three drafts on data export under different titles, in 2017, 2019 and 2021 respectively. After years of back-and-forth, the Assessment Measures finally settle the legal requirements for the data export security assessment.
1. The CAC Abandoned the Approach of Regulating the Export of Personal Information and That of Important Data in Separate Rules.
As its full name implies, the Assessment Measures provide implementing rules for the security assessment of “data” export. Here “data” includes both “personal information” and “important data”. In other words, the export of both personal information and important data is subject to the uniform provisions of the Assessment Measures.
This was not always the case over the course of the legislative evolution. The legal regime for the security assessment of data export tried different approaches before taking its current form. At the earlier stage, the relevant rules did not distinguish the requirements for exporting personal information from those for exporting important data. Later legislation, however, took a different approach and provided separate rules for the export of personal information and for the export of important data. For example, the Measures for Security Assessment of Cross-border Transfer of Personal Information (Draft for Comment) apply only to personal information, and the Data Security Law and the Personal Information Protection Law each regulate only one of the two categories (important data and personal information respectively).
The original unified approach did not return until the recent Measures for Security Assessment of Data Export (Draft for Comment) and the Regulations for the Administration of Network Data Security (Draft for Comment), and it was finally settled in the Assessment Measures. The Assessment Measures integrate the various provisions on the security assessment of data export scattered across the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law into one piece of regulation. Enterprises are thus relieved of a confusing patchwork of rules and can draw up a clear roadmap for their compliance strategies.
2. The Subjects of the CAC Assessment Are Expanded from CIIOs to Data Processors Reaching the Thresholds.
Pursuant to Article 2 of the Assessment Measures, if a data processor (in essence equivalent to a data controller as defined in the GDPR) exports important data and personal information collected and generated in its operations within the territory of the PRC, the relevant security assessment is governed by the Assessment Measures.
The Assessment Measures define the subjects of the CAC Assessment (as defined below) as data processors that (i) plan to export important data, or (ii) process personal information in a manner that meets certain thresholds. This definition is broader in scope than the previous legislation. Under the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, only a “critical information infrastructure operator” (“CIIO”) was explicitly required to conduct a security assessment before providing personal information and important data abroad.
The trend of expanding the assessment’s scope of application was already apparent at the draft stage of the data export rules. All of the published drafts provided that network operators other than CIIOs must also conduct the CAC Assessment if any of the statutory circumstances occurs. Meanwhile, industry regulations already in force have extended the application of the CAC Assessment. For example, the Several Provisions on Automotive Data Security Management (for Trial Implementation) require an automotive data processor to carry out a security assessment before providing important data to any overseas party.
In line with this trend, the Assessment Measures adopt the term “data processor” rather than the “network operator” used in the previous two drafts. This change makes the new rules consistent with the legal concepts in the upper-level laws, including the Data Security Law and the Personal Information Protection Law.
However, like the Data Security Law, the Assessment Measures do not explicitly define “data processor”. With reference to current draft legislation (e.g., the Regulations for the Administration of Network Data Security (Draft for Comment)), we believe that the entity which independently determines the purposes and manner of data processing should be responsible for the security assessment. That is to say, if an enterprise entrusts a third party to process data outside China, it is the enterprise, which decides the purposes and manner of processing, rather than the entrusted third party, that is responsible for initiating the security assessment.
3. Self-assessment Comes before the CAC Assessment.
The scope of Article 2 of the Assessment Measures is limited to data processors exporting important data and personal information. This means that the data export security assessment applies only to the export of personal information and important data. Other data, such as statistical data, will in general not be subject to the security assessment if it does not fall within the scope of personal information or important data.
Article 3 of the Assessment Measures stipulates that “the security assessment of the data export shall follow principles of the combination of ex-ante assessment and continuous supervision and the combination of risk self-assessment and security assessment, so as to prevent the security risks arising from the data export and ensure the orderly and free flow of data according to the law.” This means that the security assessment may be carried out by the data processor itself (“Self-assessment”) and, under certain circumstances, by the CAC (“CAC Assessment”).
The question is whether a data processor must always carry out the Self-assessment as long as it exports personal information or important data. Some commentators refer to the CAC’s press briefing on the enactment of the Assessment Measures in 2022 and claim that the Self-assessment applies to all exports of personal information or important data, even where the CAC Assessment is not triggered.
Article 5 of the Assessment Measures provides that “the risk self-assessment is a prerequisite for declaring the security assessment to the CAC at the provincial level”. This provision suggests that the Self-assessment is not required where there is no CAC Assessment. Nevertheless, the Self-assessment remains an important tool for helping enterprises understand their security and compliance position with respect to data export.
4. Under What Circumstances Will the CAC Assessment be Triggered?
On the basis of the fundamental rules established in the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, Article 4 of the Assessment Measures specifies that the CAC Assessment is triggered in the following four circumstances:
(1) Where a Data Processor Exports “Important Data”
This condition echoes the requirement under the Data Security Law to enhance the protection of important data.
According to the Data Security Law, all regions and departments shall determine the specific catalogue of important data for their respective regions, departments, industries and fields. However, that catalogue, as well as the rules for identifying important data, has yet to be clarified.
(2) Where a CIIO or a Data Processor Who Has Processed Personal Information of More than One Million People Exports Personal Information
Here the requirement for the CIIO comes from Article 37 of the Cybersecurity Law, which specifically requires a CIIO to conduct a security assessment when providing personal information and important data abroad.
As to personal information processors, the Assessment Measures set the threshold at “processing personal information of more than one million people”; any data processor meeting this threshold must carry out the CAC Assessment regardless of the volume of data actually exported.
Notably, the Cybersecurity Review Measures currently in force adopt a similar baseline: if an online platform operator possesses the personal information of more than one million users and plans to go public abroad, it is subject to a cybersecurity review. The data export security assessment and the cybersecurity review may therefore be triggered simultaneously.
(3) Where a Data Processor Has Cumulatively Exported Personal Information of 100,000 People or Sensitive Personal Information of 10,000 People Since January 1 of the Previous Year
According to the Assessment Measures, when the quantity of personal information or sensitive personal information exported reaches certain thresholds, the data processor is required to carry out the CAC Assessment. If the threshold is not reached and the data processor does not fall under any other circumstance provided in the Assessment Measures, there is no need to initiate the CAC Assessment. This rule reflects the requirement under Article 40 of the Personal Information Protection Law that “the personal information processors that process the personal information reaching the threshold specified by the CAC in terms of quantity” must pass a security assessment organized by the CAC before providing personal information overseas.
It should be noted that the quantity of data exported is calculated cumulatively. In other words, as long as the total volume of data exported meets the threshold of “personal information of 100,000 people or sensitive personal information of 10,000 people”, the CAC Assessment applies regardless of the scale of any single export.
For multinational businesses, however, using the cumulative quantity as the trigger condition may still mitigate compliance costs. In their day-to-day activities, multinational enterprises may need to transfer personal information to overseas recipients, for example when using HR management systems deployed on overseas servers or arranging staff work trips to regions or countries outside the PRC. If the total quantity of exported data remains small and stays below the threshold within the counting period of at most 2 years, the CAC Assessment will not necessarily be triggered.
(4) Other Circumstances Provided by the CAC
On the one hand, this provision is intended to address possible circumstances not enumerated in the Assessment Measures. On the other hand, it also means that the CAC Assessment cannot be triggered at the CAC’s discretion or initiated by the CAC proactively unless such other circumstances are stipulated in rules separately formulated by the CAC.
5. Focuses of the Self-assessment and the CAC Assessment
As enumerated in Article 5 and Article 8 of the Assessment Measures, the Self-assessment and the CAC Assessment respectively focus on the following matters:
Note: The primary differences between these two types of assessments are marked in red.
It is not clear how far the CAC will go on the requirement of “the compliance with China's laws, administrative regulations and departmental rules” and the catch-all provision of “other matters that the CAC considers necessary to assess”. It certainly gives the CAC great discretion in carrying out the assessment.
6. Procedures of the CAC Assessment
As prescribed in Article 7, Article 12 and Article 13 of the Assessment Measures, the CAC Assessment procedure consists of three stages: Acceptance, Assessment and Re-assessment. The diagram below sets out the detailed requirements for each stage.
According to Article 14 of the Assessment Measures, the assessment results are valid for two years. The data processor must re-apply for assessment if any circumstance affecting data security, for example a change in the purpose, method, scope or type of the data provided abroad, occurs within the validity period.
7. Signing the Legal Document for Data Export
Article 6 of the Assessment Measures provides that “the legal document executed between the data processor and the overseas recipient shall be submitted to the competent authorities when declaring the security assessment” (the “Legal Document”). Thus, in addition to the Self-assessment and the CAC Assessment, the Legal Document is a prerequisite for legally exporting data. The Assessment Measures further specify the minimum content of the Legal Document, including the purpose and method of the data export and the place and period of retention of the data overseas.
The term “Legal Document” in the Assessment Measures implies that the agreement between the data processor and the overseas recipient does not have to take the form of a contract. Other documents, such as a commitment letter, are also acceptable.
Prior to the promulgation of the Assessment Measures, on 30 June 2022, the CAC released the Provisions on the Standard Contract for Outbound Cross-border Transfer of Personal Information (Draft for Comment), accompanied by a template standard contract. What should the contract on data export between the data processor and the overseas recipient specify? The Provisions on the Standard Contract for Outbound Cross-border Transfer of Personal Information (Draft for Comment) and the Assessment Measures respectively provide as follows:
Note: The primary differences between the requirements stipulated under these two regulations are marked in red.
Key Takeaways
The Assessment Measures come into force on 1 September 2022, as provided in Article 20 thereof. They allow a six-month cure period during which the data processor must complete rectification so that data exports carried out before the promulgation of the Assessment Measures are brought into compliance. Given this time constraint, early action is highly recommended.
(1) Assess the Data Export Activities to Determine Whether the CAC Assessment Is Applicable
In practice, data export may occur in various business scenarios such as expense reimbursement, HR management and customer service. The CAC Assessment is triggered if (i) the type of data, (ii) the quantity of data processed, (iii) the quantity of data exported or (iv) the category of the data processor falls into any of the statutory circumstances prescribed in the Assessment Measures. Hence, the top priority for enterprises is to scrutinize their existing and planned export activities in detail against these four aspects and determine whether the CAC Assessment applies.
(2) Evaluate the Possibility of Passing the CAC Assessment
If an enterprise finds that the CAC Assessment is highly likely to be triggered, the next step is to evaluate whether it could pass the assessment. Unfortunately, this is not easy. A data export activity can be officially endorsed only if it is shown to be legal, legitimate and necessary, and reaching a definite conclusion on this requires various elements to be considered. For instance, to determine whether a data export is legal, an enterprise should first examine whether the data concerned is prohibited from being exported or is subject to separate approval by the competent authority. Such prohibitions or strict restrictions are scattered across various industry regulations (e.g., the export of human genetic resources information requires the prior approval of the Ministry of Science and Technology). In addition, the manner of export may be subject to telecommunications regulations (e.g., exporting data via a VPN or by directing traffic to a server located overseas).
With respect to the export of personal information, it is also challenging for enterprises to evaluate whether the separate consent required by the Personal Information Protection Law has been obtained. A more complex issue arises in overseas litigation, where enterprises may even be caught in the dilemma created by conflicts of laws, especially during the discovery process.
(3) Evaluate Whether Other Legal Procedures Are Also Applicable
Before the official enactment of the Assessment Measures, the legal requirements for the personal information protection impact assessment and the cybersecurity review had already been clarified. Article 55 of the Personal Information Protection Law provides that, when exporting personal information, the personal information processor shall conduct a personal information protection impact assessment beforehand. In addition, according to Article 2 of the Cybersecurity Review Measures, if an enterprise’s data export activity affects or may affect national security, that activity is subject to a cybersecurity review. Therefore, depending on the sensitivity and nature of the data export, the Self-assessment, the CAC Assessment, the personal information protection impact assessment and the cybersecurity review may all be triggered simultaneously.