    On July 7, 2022, the Cyberspace Administration of China (CAC) issued the Measures for Security Assessment of Data Export Security (Measures). These Measures will go into effect on September 1, 2022.

    On June 30, 2022, the CAC released the Provisions on Standard Contracts for the Export of Personal Information to seek comments from the public. On June 24, 2022, the National Information Security Standardization Technical Committee of China (TC260) issued the Specification for the Security Certification of Cross-Border Processing of Personal Information, which provides guidelines for implementing the certification mechanism under Article 38 of the Personal Information Protection Law (the PIPL).

    The Measures specify the circumstances when the cross-border transfer of personal information is subject to a security assessment. Transfers that are out of the scope of the application can still be justified on a legal basis by way of obtaining a personal information protection certification or entering into a standard contract.


    Interpretation of the Key Points


    The CAC issued a draft of the Measures for public consultation in October last year (Draft). The final version remains mostly unchanged from the draft, but some adjustments have been made regarding the scope, conditions and procedures of the security assessments. They aim to provide clearer and more specific guidance for data processors to apply for security assessments, and for the competent authorities to accept and conduct assessments.


    This article intends to summarize and comment on the key points of the Measures.


    Application scope


    According to the Measures, if a data processor triggers any of the following thresholds, it needs to apply for a security assessment of its cross-border data transfer: (a) it provides important data abroad; (b) it is a critical information infrastructure operator or it processes the personal information of more than one million individuals in total; (c) it has exported the personal information of more than 100,000 persons in aggregate or the sensitive personal information of more than 10,000 persons in aggregate since January 1 of the previous year; or (d) other circumstances subject to a security assessment as required by the CAC.


    Specific procedures for a security assessment


    If a data export activity triggers a security assessment, the following procedures should be followed:

    (a) Pre-review: The data processor should carry out a self-assessment of the risks involved in the data export.

    (b) Applying for a security assessment: The data processor should apply to the CAC for a security assessment via the provincial-level cyberspace authority, by submitting: (i) an application form; (ii) a report on the self-assessment; (iii) the legal document to be executed between the data processor and the overseas recipient; and (iv) other materials as required for the security assessment. The provincial-level cyberspace authority is responsible for checking the completeness of the application materials and for transferring them to the CAC.

    (c) Carrying out a security assessment: Upon acceptance of the application, the CAC will, depending on the case, organize the relevant departments of the State Council, provincial-level cyberspace authorities and specialized institutions to conduct the security assessment. The data processor will be notified in writing of the assessment result.

    (d) Re-assessment and termination of a data export: If the validity period of the assessment result has expired, or circumstances requiring re-assessment have occurred during the validity term, the data processor should re-apply for a security assessment. If any data export activity which has already passed the security assessment no longer meets the security requirements for outbound data transfers, such activity should be terminated upon written notice from the CAC.


    Focused areas for self-assessment and security assessment


    The focus areas of the self-assessment and the security assessment are similar, mainly covering the following six aspects, plus any other matters the CAC deems necessary to assess:

    (a) the legality, legitimacy, and necessity of the cross-border data transfer in terms of the purpose, scope, method, etc.;

    (b) the impact of data security protection policies and legislation and the cybersecurity environment of the country or region where the overseas recipient is located on the security of the outbound data; whether the data protection level of the overseas recipient meets the requirements of the laws and administrative regulations and the mandatory national standards of the People's Republic of China;

    (c) the quantity, scope, type, and sensitivity of the outbound data, and the risks of the data being tampered with, damaged, leaked, lost, relocated or illegally acquired or used during and after the cross-border data transfer;

    (d) whether data security and personal information rights and interests can be sufficiently and effectively ensured;

    (e) whether the data security protection responsibilities and obligations are sufficiently stipulated in the legal document to be executed between the data processor and the overseas recipient; and

    (f) compliance with China's laws, administrative regulations and departmental rules.


    Legal document to be signed by both parties


    The legal document to be executed between the data processor and the overseas recipient should be submitted to the cyberspace authority for a security assessment application. The Measures further require that the data security protection responsibilities and obligations be clearly stipulated in the legal document, and set out specific items that should be contained. This includes the purpose and method of the outbound data transfer and the scope of the data, the purpose and method of the data processing by the overseas recipient, and the measures to handle the data transferred overseas upon the expiration of the retention period, the completion of the agreed purpose, or the termination of the legal document.


    In terms of content, the legal document under the Measures is not completely consistent with the standard contract (draft). In terms of formality, the legal document may also include other legally binding documents in addition to contracts. The specific requirements for the contract content remain to be further explained and confirmed by the CAC.


    Timelines for security assessments


    The CAC should, within seven working days of the date of receipt of the application materials from the local cyberspace authority, determine whether to accept the application, and complete the security assessment within 45 working days of the date of the written notification of acceptance. If the case is complicated or there are materials that need to be supplemented or corrected, this period may be extended as appropriate and the data processor should be notified of the extension.


    Circumstances for reapplying for a security assessment


    Passing a security assessment for a data export is valid for two years. The circumstances for reapplying for a security assessment under the Measures include: (a) If the data processor needs to continue the data export activity after the expiration of the validity period, it should reapply for the assessment within 60 working days of the expiration date; (b) Any circumstance that may affect the security of the outbound data occurs during the validity term, such as a change to the purpose, method, or scope of the data export; (c) In the case whereby the CAC requires a data processor to terminate the data export and the data processor has a need to continue the data export, it should reapply for a security assessment after completing the rectification. 


    Impact and Observation


    The Measures clarify the scope, conditions and procedures for a security assessment on data exports, and provide specific compliance guidance for enterprises to carry out data export activities. The Measures provide a six-month transition period, running from their effective date (September 1, 2022), for the rectification of cross-border data transfers carried out before the Measures take effect. We suggest enterprises and institutions in various industries take the following measures in a timely manner to meet the corresponding compliance requirements:

    • Sort out the data export scenarios of the enterprise, and evaluate the scale and attributes of the data involved;

    • Specify priorities and create a timetable for compliance rectification according to importance and sensitivity, and adhere to the timetable;

    • Specify the path for the data export and select the appropriate data exporter and overseas recipient according to the data export activities in the different business scenarios, taking into consideration the risks and costs involved;

    • Establish an internal assessment system, integrate a personal information protection impact assessment and a data export risk self-assessment, and use assessment tools to produce assessment reports that meet the regulatory requirements;

    • Further consider security assessment requirements based on a self-assessment; for activities that are subject to an application for a security assessment, conduct effective communication with the regulator in a timely manner;

    • Revise and update the legal documents for data export in accordance with the relevant regulations and standard contracts;

    • Communicate with overseas recipients of data in a timely manner, adjust data processing and transmission plans if necessary, and jointly promote compliance with all data export requirements;

    • Understand and investigate the legislation and the cybersecurity environment of the country or region where the overseas recipient is located, and keep an eye on any macro risks and legal obstacles;

    • Make adjustments as soon as possible for any situation that may fail to pass an assessment based on the self-assessment result, to reduce the impact on the business as much as possible; and

    • Constantly follow up on changes relating to the regulatory requirements and practices.

