
How should companies comply with Measures for the Security Assessment of Outbound Data Transfer?

2022-08-24


Editor’s note:

On 7 July 2022, the Cyberspace Administration of China issued the Measures for the Security Assessment of Outbound Data Transfer (hereinafter referred to as the "Measures"), which comprehensively and systematically set out the specific requirements for China's outbound data transfer security checks and marked the formal implementation of the outbound data transfer assessment system mentioned by the Cybersecurity Law of China.


Companies, as the main participants in data transfer activities, often engage in cross-border data transfers in the course of cross-border management, cross-border services, cross-border trade, overseas listings and similar activities. For multinational companies in particular, data transfers between headquarters and branches, and between entities in different countries, have become increasingly frequent.


In this article, we analyze how enterprises that have transferred, or will transfer, data outbound should conduct a self-assessment of cross-border data transfer and how they should comply with the Measures.

How to conduct a self-assessment on cross-border data transfer?
The self-assessment can be carried out by the data processor itself or by a third-party organization, resulting in a self-assessment report. The report shall include:

1. Basic information about the cross-border data transfer entity;
2. Details of the data transfer;
3. A cross-border data transfer risk assessment;
4. A conclusion.

For a better understanding of the respective focus of, and relationship between, the self-assessment and the official assessment, we have compared the assessment elements of the two, as shown in the following chart:

Number 1
Elements of self-assessment: The legality, legitimacy, and necessity of the outbound data transfer and of the data processing by the overseas recipient in terms of the purpose, scope, method, etc.
Elements of official assessment: The legality, legitimacy, and necessity of the cross-border data transfer in terms of the purpose, scope and method.
Difference: The former also takes the overseas recipient into consideration.

Number 2
Elements of self-assessment: The quantity, scope, type, and sensitivity of the outbound data, and the risks that the outbound data transfer may pose to national security, public interests, or the lawful rights and interests of individuals or organizations; the risk of the outbound data being tampered with, damaged, leaked, lost, relocated or illegally acquired or used during and after the outbound data transfer.
Elements of official assessment: The quantity, scope, type, and sensitivity of the outbound data, and the risks that the outbound data transfer may pose to national security, public interests, or the lawful rights and interests of individuals or organizations.
Difference: The former considers more about national security, public interests, and the legitimate rights and interests of individuals or organizations.

Number 3
Elements of self-assessment: Whether the responsibilities and obligations undertaken by the overseas recipient, and the management and technical measures and capabilities of the overseas recipient to perform such responsibilities and obligations, can ensure the security of the outbound data.
Elements of official assessment: The impact of the data security protection policies and legislation and the cybersecurity environment of the country or region where the overseas recipient is located on the security of the outbound data; whether the data protection level of the overseas recipient meets the requirements of the laws, administrative regulations and mandatory national standards of the People's Republic of China.
Difference: The former focuses on the management and technical capacity of the recipient, while the latter focuses on the legal environment of the recipient.

Number 4
Elements of self-assessment: Whether the channels for individuals to safeguard their personal information rights and interests are unobstructed.
Elements of official assessment: Whether data security and personal information rights and interests can be sufficiently and effectively ensured.
Difference: The latter also considers data security, and its scope of protection of the rights and interests in personal data is broader.

Number 5
Elements of self-assessment: Whether data security protection responsibilities and obligations are sufficiently stipulated in the legal document executed between the data processor and the overseas recipient.
Elements of official assessment: Whether data security protection responsibilities and obligations are sufficiently stipulated in the legal document executed between the data processor and the overseas recipient.
Difference: The same.

Number 6
Elements of self-assessment: (none)
Elements of official assessment: Compliance with China's laws, administrative regulations and departmental rules.
Difference: The latter considers more.

Number 7
Elements of self-assessment: Other matters that may affect the security of the outbound data transfer.
Elements of official assessment: Other matters to be assessed as deemed necessary by the national cyberspace administration authority.
Difference: Almost the same.


How should companies comply with the Measures?

According to the Measures, companies still have a six-month transition period to rectify their outbound data transfer activities (i.e. rectification must be completed by March 1, 2023). To address the potential compliance challenges, we suggest that companies sort out their outbound data as soon as possible and determine whether they need to declare an outbound data transfer security assessment.

If companies confirm that their data transfer activities fall within the scope of the Measures, they should carry out a self-assessment and prepare the declaration materials for the official assessment, so as to avoid negative impacts on their business or breaches of laws and regulations. Companies may also store data generated within the territory of China on a system or cloud service platform in order to prevent the negative consequences of a failed declaration.

For companies that have conducted or will conduct outbound data transfer activities, we suggest the following compliance efforts.

1. Sort out cross-border data transfer scenarios to determine whether the Measures apply to the company. Enterprises should identify as soon as possible whether they qualify as "critical information infrastructure operators" or handle "important data" or "sensitive personal information", and map the scale, scope, type and sensitivity of the data to be transferred abroad, as well as the purpose, scope and manner of the data processing by the overseas recipient. If a company determines that the Measures apply to it, compliance rectification shall begin as soon as possible.

2. Establish an outbound data transfer self-assessment system. Companies subject to the Measures should develop an internal self-assessment system as soon as possible, for example by setting up a self-assessment working group (including members from the legal, security, technical, management and product departments), developing a cross-border data transfer risk assessment plan, implementing compliance monitoring, and conducting due diligence on overseas recipients.

3. Clarify the different compliance paths for data transfer. Different compliance requirements may apply to different data transfer scenarios, such as security assessment, standard contracts, or professional certification. For scenarios within the scope of the Measures, companies shall declare for an official security assessment. In other cases, a personal information protection certification or the signing of a standard contract formulated by the cyberspace administration authorities may also meet the requirements for outbound data transfer.

4. Prepare legal documents and ensure security measures. Companies that will transfer data overseas must sign legal documents before the transfer takes place. Companies should focus on the responsibilities and liabilities of the offshore data recipients, as well as the management capacity and technical measures the recipients need in order to fulfil those responsibilities and liabilities.

5. Pay close attention to the follow-up guidelines on cross-border data transfer assessment and the related FAQs. Prepare different operational plans for different assessment results. For example, if the assessment is not passed, companies may need to seek alternatives such as cooperating with local service providers or moving their offshore system operations and maintenance team back to China.

Conclusion

With the development of globalization and the digital economy, data, as one of the most important factors of production, is flowing more and more frequently between countries and regions. China attaches great importance to safeguarding data sovereignty, and has established a basic regulatory system for the cross-border flow of important data and personal information through the Network Security Law, the Data Security Law and the Personal Information Protection Law, in line with China's actual conditions and the international environment.

Sinobravo will keep monitoring the policy trends and management measures on cybersecurity and data security, study the risk points of various cross-border data transfer scenarios, and unleash companies’ business power through our analysis.

