China Implements “Measures for the Security Assessment of Outbound Data Transfers”

Back in 2020 I wrote a series of three blog posts titled “China Cybersecurity: No Place to Hide”. And two years before that, we started writing about China’s Personal Information Security Specification.

On July 7, 2022, the Cyberspace Administration of China (CAC) issued the Measures for the Security Assessment of Outbound Data Transfers (Security Assessment Measures), which will take effect on September 1, 2022.

The Security Assessment Measures provide further data management guidance to critical information infrastructure operators (CIIO) and data controllers who handle personal information over a certain threshold; importantly, they require that the CAC conduct a security assessment before any personal information is exported.

The ostensible purpose of the Security Assessment Measures is to protect the rights of individuals and organizations, but as always, the elephant in the room is the protection of the “national security interests” of China and the ruling Communist Party of China (CCP).

Data protection is an important issue in the EU, U.S. and many other jurisdictions, and with the data protection laws it has rolled out over the past few years, China generally has been playing catch-up. Data protection with Chinese characteristics, however, leans much more heavily toward reinforcing the CCP’s pre-eminent goals of strengthening information control, maintaining political stability, and enforcing limitations on any public expression of dissent.

Aside from immediate implications for organizations and individuals doing business in and with China, the CCP’s development of a suite of cybersecurity laws provides a template that other authoritarian governments around the world can be expected to copy. As it does in other areas, China hopes to create an influential set of global “norms” that will provide authoritarian governments with cover for repudiating the open cross-border data handling policies favored by the U.S. and other democratic countries.

In brief, the Security Assessment Measures require that CIIOs and data controllers apply for a security assessment if they handle personal information or “sensitive personal information” in amounts exceeding certain thresholds.

Prior to applying to the CAC for an official assessment, CIIOs and data controllers must undertake an “outbound data transfer risk” self-assessment, aimed at evaluating the national security (and personal information security) risk(s), as well as prepare a contract with the overseas party receiving the data, stipulating the receiving party’s data security protection responsibilities and obligations.

The law calls for an official response to applicants within 45 days, and includes provisions for extensions if further explanations or documentation are required. Applicants may appeal rejections, and are entitled to a reassessment within 15 days, but the authorities’ subsequent judgment will be final. Positive assessments provide applicants with a two-year term during which they may export data under the terms of their agreement with the overseas party, after which the process must be renewed.

China very clearly wants to be a leader of the digital global economy, but as usual, it wants to go global on its own terms, controlling every aspect of every transaction, and reserving the right to implement further constraints at any time. On the other hand, information wants to be free.

This paradox can be seen in many other areas of China’s engagement with the world, and while China aspires to be a dominant force in the establishment of global monetary policy, regional security frameworks, and technology standards, among other things, its ambition exceeds its achievements, in large part because its policy positions are so clearly self-serving. The lone strategic objective of the CCP is simply to Remain In Power.

Becoming a leader of the digital global economy is a secondary objective, which is why China is just fine with blocking foreign social media networks including Facebook, Twitter, Instagram, Snapchat and YouTube. And which is why China was just fine with Microsoft’s October 2021 announcement that Linkedin would be shutting down in China due to a “significantly more challenging operating environment and greater compliance requirements.” Several weeks later, on November 1, 2021, the day China’s Personal Information Protection Law came into effect, Yahoo! also announced that it would cease operating in China. Yahoo said it was leaving China because of the “increasingly challenging business and legal environment.”

In 2019, one of my law firm’s data privacy lawyers, Griffen Thorne, wrote about an important difference between the China, EU and California data privacy laws:

U.S. or E.U. companies doing business in China will not be able to rely on having entered into contracts with Chinese citizens to process their data. they will now need to painstakingly explain all of the ways in which they will use the data and get consent for using it, unless one of the other few very narrow exceptions applies. If you want to change how you process data after collecting it and getting consent, most of the time that will be just too bad—unless there’s another exception. You will need to go back and get fresh consent. In other words, and as so many of our clients keep wanting us to confirm, what you have done to comply with GDPR and US/California data privacy laws does not really help you much if at all for China. You will need to undertake wholly separate and different compliance work for China.

China’s new Security Assessment Measures join the PIPL, Cybersecurity Law (implemented in June, 2017) and Data Security Law (implemented in September 2021) in providing the Chinese government with an array of tools it can use to control the use of information by both Chinese organizations and foreign companies doing business in and with China.

As my firm’s lead China lawyer, Steve Dickinson, wrote in 2019:

Under the Cybersecurity Law, the Chinese government has the right to obtain from any person or entity in China any information the Chinese government deems has any impact on Chinese security. The Chinese government understands that foreign companies and individuals will be reluctant to simply turn over their information to the Chinese government when asked. For that reason, the Chinese Cybersecurity Bureau does not plan to politely make a formal request for the information. The fundamental premise of the new cybersecurity systems is that the government will use its control of communications to simply take the information without discussing the matter with the user. All data will be open to the Chinese government.

Collectively, these cyberlaws empower China’s regulators to issue warnings, order companies to take corrective actions, suspend services and/or levy fines. Compliance is critical, and implementing compliance mechanisms is and will be costly.

Our China lawyers have written often (especially during the past five years) on how foreign companies operating in China must comply with every China law and regulation. This holds true for the PIPL as well. If your company gets customer data from China, you need to make sure you stay on the right side of Chinese data privacy laws.

For a deeper dive into the impact of the cybersecurity laws that China has been gradually implementing over the past few years, see a series of blog posts I published in late 2020:

As always, feedback is very welcome (and can be provided anonymously below). Is China’s new regime of cybersecurity laws changing your outlook on China?

Read More