China’s Data Export Security Assessment Measures (“Export Measures”) took effect on 1 September 2022. These measures apply to everyone receiving data from China, or holding data in China, and may therefore create significant barriers to the cross-border flow of data, affecting legitimate business operations.
The Application Guidelines on Data Export Security Assessment (“Application Guidelines”) provide guidance to data processors who meet the mandatory thresholds. The guidelines also clarify the question as to how serious China was when it implied in previous legislation that it would restrict the flow of data to other countries. It turns out China was very serious.
If you have a subsidiary in China, you need to be extremely careful how the business transmits data back to the UK (or another country).
1. Activities that constitute data export
According to the Application Guidelines, there are two scenarios:
- cross-border transmission and storage of data collected or generated within mainland China; or
- search, access, download or export of data stored in mainland China by entities or individuals based outside of mainland China.
2. Mandatory requirements to store data locally
Operators of critical information infrastructure and data processors reaching certain volume thresholds must store their data within mainland China, and can only transfer it out of the country after completing a security assessment.
Local storage is a pre-condition before applying for the security assessment. The Application Guidelines require data processors to report their local storage facilities.
3. Review of the application
Data processors must apply through provincial-level cyberspace administrations (CAs), which conduct a formality review. Once passed, applications will be submitted to the Cyberspace Administration of China (CAC) for substance review. The Application Guidelines currently require that applications are submitted offline in paper form.
Note that the CAC is a new and surprisingly powerful organ. It is a merged party-state institution listed under the Central Committee of the Chinese Communist Party (CCP) and can blacklist companies and even block listings or other corporate activity.
After a security assessment by the CAC, data processors will receive a written assessment result notice. This could include specific requirements, i.e. conditions to meet before engaging in data export activities.
4. What does the application package include?
Data processors must complete a report three months before the application submission. Required information includes:
- Basic corporate information e.g. shareholding charts
- Information on business and information systems relating to data exports e.g. data centres
- Information on data to be exported e.g. purpose and scope
- Data processor’s data security protection capabilities e.g. management policies
- Information on overseas recipients e.g. purposes and manners of their processing
This could be a contract or other legally binding document that requires the relevant overseas recipient to apply adequate protection to the exported data.
The CAC recently released a draft Standard Contract for Cross-border Transfer of Personal Information (China SCC) and the legal document may refer to the China SCC to meet the CAC’s expectations. A Chinese version of the document needs to be submitted.
Existing contracts between the data processors and their overseas recipients may cover sensitive commercial terms and not meet all the Export Measures’ requirements. Hence it is advisable to use a standalone data protection addendum as the legal document.
5. Future developments
The data export rules are still developing and the CAC has published an inquiry hotline and dedicated email address to receive questions and comments. In the meantime, companies will need to assess the type of data that has been or is about to be exported (especially whether it is “important data” or “personal information”).