Out-Law / Your Daily Need-To-Know

China proposes security measures for companies seeking to export user data

Out-Law News | 03 Nov 2021 | 2:12 am | 1 min. read

Companies with over one million users in China would be required to go through mandatory security review before sending user-related data abroad under new proposals.

The Cyberspace Administration of China (CAC) has published draft administrative measures focusing on regulation of those who plan to send user-related data abroad.

Under the proposals, data processors should apply to the national internet information department for security review when the data to be exported contains important data. Processors classed as ‘critical information infrastructure operators’ who collect personal information and important data should also apply for review.

Important data refers to data that may jeopardize national security, public interests, or the legitimate rights and interests of individuals or organizations, once it is tampered with, destroyed, leaked or illegally obtained or used.

Companies with over one million users, or which intend to export user-related data of over 100,000 individuals or sensitive personal information of 10,000 individuals, should also apply for the review.

Data protection expert Leo Xin of Pinsent Masons, the law firm behind Out-Law, said: “The draft administrative measures clarify the threshold of personal information processed as mentioned in the Article 40 of the Personal Information Protection Law which may trigger the security review. There are still some uncertainties which require the further clarification. For example, an agreement between data exporter and data receiver is required as one of the key application documents to be submitted.

“The draft administrative measures have provided mandatory terms which shall be incorporated into the data transfer agreement. However, it is not clear so far whether such data transfer agreement shall be based on the model contract to be issued by the CAC. Furthermore, the more detailed guidelines for self-assessment are expected to follow,” he said.

The applicant should submit their application for review along with a self-assessment report, contract or other legally binding document drawn up between the data processor and the receiver abroad.

Within seven working days from the date of receipt of documents, the authorities will determine whether to accept the assessment and provide feedback on the acceptance result in the form of a written notice.

The security review should be completed within 45 days, which may extend to 60 days in complex cases. A successful security review would be valid for two years but a new review may need to be opened when the purpose, type of data provided abroad and the use of data processing by the recipient abroad have changed. Changes in the legal environment of the country or region where the receiver abroad is located would also require a new review.

The proposed measures are open to public review until 28 November.