China: Guidelines for Data Export Security Assessments

12 September 2022

In our previous article (available here), we analyzed the Measures for Data Export Security Assessment (the “Measures”), released by the Cyberspace Administration of China (“CAC”) on 7th July 2022, which entered into effect on 1st September 2022.

In order to guide and help controllers[1] of personal information to comply with the Measures and to carry out data export security assessments in a standardized and orderly manner, on 31st August 2022, the CAC developed and released the Guidelines for the application of such Measures (the “Guidelines”).

In particular, the Measures and the Guidelines apply to controllers of personal information that transfer data overseas in circumstances where the personal information exporter:

  • transfers important data[2] overseas;
  • is designated as a critical information infrastructure operator (“CIIO”);
  • processes the personal information of more than 1 million individuals and intends to carry out transfer activities overseas;
  • processes the personal information of 100,000 individuals or the sensitive information of 10,000 individuals since 1 January of the previous year; or
  • is required to carry out a security assessment by the CAC based on other relevant laws and regulations.

Specifically, pursuant to the Measures, the controllers that meet the threshold determined by the CAC must apply for an approval from the CAC, submitting the required materials (i.e., the application form, the self-assessment report, legal documents concluded between the controller of personal information and overseas recipients, and other required materials).

In line with the Measures’ press statement, the Guidelines clarify that data transfers include circumstances where:

  • controllers of personal information transfer or store the data collected and generated in domestic operations overseas;
  • personal information is collected, generated and stored in China, but can be consulted, accessed, downloaded and exported by overseas organizations, institutions or individuals (e.g., remote access); and
  • additional circumstances prescribed by the CAC.

The Guidelines provide template forms to be filled out, along with various additional clarifications for conducting the self-assessment and completing the submission to the CAC when a CAC-led security assessment is required.

In particular, pursuant to the Guidelines, the application form (including the other required documents) shall be submitted by the legal representative of the exporter company, or by a person within the company authorized by a power of attorney.

Specifically, the Guidelines set out the required application materials, which include, among others, the duly completed data export security assessment application form, the data export self-assessment report, the data controller’s certificate of incorporation, a copy of the power of attorney and ID card of the authorized employee (if any), a copy of the legal representative’s ID card, a letter of commitment from the applicant, and any other supporting documents, if required.

Data controllers shall complete the application form with information regarding the company, the legal representative, and the authorized person who submits the form (if any); details of the data to be transferred (i.e., important data, personal information, sensitive information); details of the data subjects; the purposes of the data transfer (e.g., business cooperation, technical research, business management, and so on); descriptions of how the data transfers will be carried out (such as through public Internet transmission, dedicated line transmission, etc.); descriptions of the data transfer chains (chain providers, numbers and bandwidth, the name of the data center, the physical location of the server room, and the IP address); and so on.

Regarding the self-assessment report, the Guidelines do not provide a template form, but only clarify that the report shall contain information such as a brief description of the self-assessment activities (including the beginning and end of the assessment period, the implementation process, the implementation methods, etc.), data security level, compliance audits, and other information. The self-assessment activities described in the report shall be completed within three months prior to the submission of the application and may be carried out with the assistance of an external firm. If an external firm is involved in the self-assessment, the basic information of this third party and its participation in the assessment must be specified in the self-assessment report.

Lastly, it should be noted that the Guidelines specify that legal documents concluded between the controller and the overseas importer, and other supporting documents, must be submitted in, or translated into, Chinese. Moreover, since the template forms provided by the CAC are all in Chinese, it is also reasonable to assume that all these application materials must be submitted in Chinese or translated into Chinese for the CAC’s review purposes. Pursuant to the Guidelines, where the legal documents are translated into Chinese, the Chinese version shall prevail.

The announcement and the Guidelines are both available here, only in Chinese.


[1] To be understood as the equivalent, under the Chinese Personal Information Protection Law (“PIPL”), of a controller under the General Data Protection Regulation no. 2016/679 (“GDPR”).

[2] Pursuant to Article 19 of the Measures, the term “important data” refers to data that, once tampered with, destroyed, leaked, or illegally obtained or used, may endanger national security, economic operation, social stability, public health and safety, etc.

2024 - Morri Rossetti
