This article is part of our series on China’s regulatory and policy developments, particularly cross-border data transfer and collection in China.
On September 1, 2022, China’s “Measures for Security Assessment of Cross-Border Data Transfers” (the “Assessment Measures”) came into effect, which set forth the requirement for a cross-border data transfer security assessment (“Security Assessment”) when transferring data outside of mainland China. We examine what the Security Assessment means for global businesses and marketers in this article, especially when it comes to personal information as provided in the Personal Information Protection Law of the People’s Republic of China (the “PIPL”).
The Assessment Measures were supplemented by the “Application Guidelines for Security Assessment of Cross-Border Data Transfer (1st Edition)” (the “Application Guidelines”) with references to the “Provisions on the Standard Contract for the Export of Personal Information (Draft for Comment)” (the “Draft Provisions”) and the “Draft Standard Contract for the Export of Personal Information” (the “Standard Contract”). For this article, mainland China excludes Hong Kong, Macau and Taiwan. Data transfers to each of Hong Kong, Macau and Taiwan will be considered as cross-border data transfers falling within the scope of the Assessment Measures and Application Guidelines.
What are the requirements for cross-border data transfer in China, and do they apply to me?
A Security Assessment is required for data export activities in which data handlers provide, across the border, important data and personal information collected and generated during their operations within mainland China. The application scope covers de-identified personal information as well. Specifically, data export can be broadly broken into two categories:
- actual physical transfer – transferring data collected and generated in the course of operations in mainland China and storing it overseas;
- remote access and download – storing data collected and generated in mainland China within mainland China, but providing overseas institutions, organizations, and individuals with the right to access, retrieve, download and export it.
However, not all cross-border data transfer is subject to the Security Assessment. The thresholds are:
- (a) data handlers who export important data[i];
- (b) critical information infrastructure operators;
- (c) personal information handlers who export personal information and have processed the personal information of at least 1 million individuals;
- (d) data handlers who have cumulatively exported personal information of at least 100,000 individuals or sensitive personal information[ii] of at least 10,000 individuals since January 1 of the previous year;
- (e) other circumstances where an application for Security Assessment is required as prescribed.
Note that whether the cumulative export threshold in (d) is exceeded is calculated on a rolling basis over a period of 2 years (last year, from January 1, and this year); the numbers are not counted in perpetuity. This potentially lessens the burden on marketers to apply for a Security Assessment in situations where the amount of personal information exported is limited.
It is currently uncertain whether an overseas marketer’s direct collection of personal information outside of mainland China from those residing in mainland China is subject to a Security Assessment. However, Article 40 of the PIPL provides for (i) a data localization requirement when certain thresholds are met, and (ii) passing a Security Assessment when it is necessary to export such data. This essentially means that passing a Security Assessment is required for marketers that meet the localization threshold. Nonetheless, regulatory developments should continue to be closely monitored so that relevant actions can be taken when appropriate.
In sum, a marketer that:
- is located overseas with no physical presence in China, but carries out marketing activities in mainland China and collects personal information of those residing in mainland China, (i) may potentially be required to pass a Security Assessment, and (ii) will be required to do so if the data localization requirement under the PIPL is met; and
- is conducting business in China, collects personal information and passes this data to an overseas recipient, or is a multinational corporation that has collected and stored personal information within mainland China and is to provide such information to its group companies overseas, is required to pass a Security Assessment.
What should marketers know about the data security assessment?
The result of the Security Assessment is valid for a two-year period. This means that, after the two years, marketers will need to reapply for a Security Assessment.
Furthermore, as the Assessment Measures aim to establish a continuous assessment and supervision mechanism, even during the two-year validity period, if one of the following happens, marketers will be required to reapply for a Security Assessment:
- where the purpose, method, scope, and type of data provided overseas, and the use and method of data processing by overseas receivers have changed, or the overseas retention period of personal information and important data has been extended;
- where the data security protection policies and regulations and the cybersecurity environment of the country and region where the overseas receiver is located have changed, or other situations caused by force majeure have occurred, the actual control of the data handler or the overseas receiver has changed, or changes in the legal documents between the data handler and the overseas receiver, etc. may affect the security of the data export;
- other circumstances that may affect the security of the data exported;
- where the Cyberspace Administration of China finds the data export activity that passed a Security Assessment no longer meets the data export security management requirements in actual processing.
Furthermore, the Security Assessment is based on the export of data from data handlers to recipients outside of China on a one-to-one basis. This means a separate Security Assessment needs to be conducted for each recipient outside of China.
Finally, even though the Assessment Measures came into effect on September 1, 2022, there is a cure period in which data handlers can rectify any non-compliance in data export activities carried out before March 1, 2023. Therefore, data export subject to the Assessment Measures but carried out before March 1, 2023 will not be affected at the time of this writing.
I may be subject to the Security Assessment. What should I do?
First, examine your business operation and threshold requirements to see if you are required to apply for a Security Assessment.
Next, understand your obligations and data structures to see what aspects of data export will require applying for a Security Assessment and whether they will be in place.
Finally, if you have determined that applying for a Security Assessment is required, then start the process immediately. A cross-border data transfer risk self-assessment will first need to be carried out and contractual arrangements governing the responsibilities and obligations of the data handler and overseas recipients will need to be prepared. The Security Assessment process is likely to take 2 to 3 months, or even longer. It is never a good idea to wait until the last minute, especially when it comes to regulatory matters.
Demystifying China for the Global Marketers
EternityX provides a comprehensive marketing solution for brands and marketers to effectively connect with Chinese consumers around the world.
Backed by our award-winning precision targeting technology, our global marketing solutions range from programmatic, performance-driven e-Commerce, social media marketing and management, and influencer marketing to Web3 marketing.
As a thought leader in the China digital market, we will continue to provide valuable market insights with in-depth research and white papers. We wish to assist international brands with their marketing strategies and to sharpen their campaign focus for the China market.
For the latest updates on the Security Assessment and China’s other regulatory policies, and on how marketers can successfully navigate China, contact us to understand more about our China marketing strategies.
[i] “Important Data” is defined in the Security Assessment as data that may endanger national security, economic operation, social stability, public health and safety, etc. once it is tampered with, destroyed, leaked, or obtained or used illegally.
[ii] “Sensitive personal information” refers to personal information that, if leaked or used illegally, may easily cause harm to the dignity of natural persons, or serious damage to the safety of individuals and properties, including information relating to biometric identification, religious beliefs, specific identities, healthcare, financial account, individual location tracking, etc., as well as personal information of minors under the age of 14. Please refer to Article 28 of the PIPL or our advisory note: EternityX’s Advisory Note – Personal Information Protection Law (PIPL) In China For Marketers