Back to the overview
09-20-2022Article

Update China Desk 07/2022 | Update Data Protection

China’s New Regulation on Outbound Data Transfer

China speeds up its ambition in building data sovereignty and digital moat, in particular by following EU’s footprint of GDPR and in awareness of the power of US digital tech giants. One essential cornerstone of this process is the regulation of data flows between China and other countries abroad. On July 7, 2022, the “Outbound Data Transfer Security Assessment Measures” (“Security Measures”) were adopted by the Cyberspace Administration of China (“CAC”) and entered into effect on September 1, 2022. These latest regulatory efforts will further impact companies’ data-driven businesses.

Background

For companies doing business in China or with China, the first significant legislative milestone is China’s Cyber Security Law (“CSL”) of 2016, which at that time has caused much concern to increasing cost in company compliance and ambiguous implementation in regulatory practice. Since then on, the legislative process has been gathering momentum resulting two other legal acts which were adopted in 2021: The Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”). Together these three legal acts form the essential basis of China’s legal data regulation framework for cyber security and data protection.

As mentioned afore, one essential aspect of China’s cyber security and data protection framework involves the ensuring of China’s “data sovereignty”. For this purpose, the CSL already introduced provisions which required “Critical Information Infrastructures Operators” (“CIIO”) to keep personal information and other (non-personal) key data within the territory of China. However, at the same time the CSL also provided ways subject to strict requirements regarding the transfer of certain data outside of China, in particular the passing of a security assessment by the CAC. Similar provisions are now also reflected in the DSL and the PIPL. The Security Measures adopted by the CAC as part of its mandate to release implementing regulations aim to clarify the requirements for such security assessment regarding the outbound data transfer under the CSL, the DSL and the PIPL.

Scope and Application of the Security Measures

The Security Measures are subject to a specific scope of application which depends on multiple requirements and thresholds, namely:

  • Outbound transfer of “Important Data” (irrespective of whether the data processor qualifies as CIIO or regular data processor);
  • Outbound transfer of “Personal Information” by a CIIO or by a data processor, which processes personal information of more than one million natural persons;
  • Outbound transfer of “Personal Information” by data processors, which have aggregately since the beginning of the last fiscal year transferred “Personal Information” of more than 100 thousand natural persons or transferred “Sensitive Personal Information” of more than 10 thousand natural persons;
  • Other circumstances under which security assessment of outbound data is required as prescribed by the CAC.

It is worth mentioning that the term “outbound transfer” is not defined in the Security Measures. However, based on feedback from the CAC outbound transfers typically involve the transfer of data collected and stored in China to a recipient outside of China. A typical scenario involves the processing of employee’s personal information by a Chinese subsidiary of a German multinational corporation and transfer of such data to the headquarter in Germany. In addition, an outbound transfer under the Security Measures also involves remote access to data collected and stored in China from outside the Chinese territory. Therefore, outbound transfer can take place in various business scenarios.

The term “Important Data” is defined in the Security Measures rather broad as “data which may endanger national security, economic operation, social stability, public health and safety in case of data distortion, destroy, leak or illegal gain and abuse”. It is not limited to Personal Information but also covers non-personal information. However, due to this broad formulation it is likely that companies may struggle to identify which data ultimately qualifies as “important” and therefore falls under the applicable laws and regulations, including the Security Measures.

“Critical Information Infrastructures Operators” is another term with specific Chinese characteristics. In the CSL, this term is defined as “industries and fields, such as public communication and information service, energy, communications, water conservation, finance, public services and e-government affairs, which endanger national security, national economy and public interest in case of damage, function loss or data leakage”. Under such broad definition may fall, e.g. not only the well-known social media platform WeChat, but also the widely used taxi platform operator DiDi.

In addition to the amount thresholds (i.e. one million or 100 thousand persons), a data processor needs to pay special attention to the so-called “Sensitive Personal Information” which, according to the PIPL, refers to personal data that, once leaked or used illegally, may easily infringe on the personal dignity of natural persons or endanger personal or property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts tracking and other data, as well as the personal data of minors under the age of 14.

Risk Assessment and Security Review Process

If an outbound transfer falls under the scope of the Security Measures, the respective data processor is only permitted to carry out such outbound transfer after passing the data security assessment by the CAC.

As part of the data security assessment, the data processor must provide the CAC with multiple documents, including a complete application form, a risk assessment form as well as other documents required by the CAC. The risk assessment as the essential piece of the review process must be carried out by the data processor before filling the application and must cover a variety of aspects, such as the purpose, scope and method of the outbound data transfer, the quantity, scope, categories and degree of sensitivity of the data to be transferred as well as any related risks that may incur to national security, public interest and other individuals and organizations. The data processor also has to evaluate the protective commitment of the receiving party abroad and its management and technical capability to fulfill the protective commitment. In respect of any damage scenarios, like data leaks, distortion or abuse during and after outbound data transfer, the data exporter has to check the availability and feasibility of possible remedies for personal information. Taking this into consideration, the risk assessment should be carried out with due diligence.

After receiving the application with the required documentation, the CAC then conducts the actual data security assessment by focusing on risk factors to national security, public interest, and related individuals and organizations. In this context, besides the risk factors which the data processor has evaluated and documented as part of the risk assessment, as depicted above, the CAC will, in particular, scrutinize whether the country or region of the receiving party can provide a level of data protection essentially equivalent to the level granted under the Chinese law.

As a result of the data security assessment process, the CAC may approve or reject the application as well as require further additional documents and evidence. In case of approval, the governmental risk assessment is valid for a period of two years and must be renewed after this period expires.

Conclusion and Recommendation

With the adoption of the Security Measures, the Chinese authority is building up a tight regulatory framework in order to enhance the control of outbound data transfer. As a consequence, China may face the challenges of over-regulation, de facto inefficiency of implementation and excessive burdens on companies. Nevertheless, in particular multinational corporations operating in China and abroad will have to prepare to meet this round regulatory challenge with suitable arrangement of cross-border data transfer.

Download as PDF
Download as PDF

Contact persons

Michael Kuska, LL.M., LL.M.
Düsseldorf

Contact persons

Michael Kuska, LL.M., LL.M.
Düsseldorf

Related articles

03-28-2024
The implementation of the NIS2 Directive in Germany: The challenge of determining the scope of application for corporate groups
03-15-2024
EU digital law: Formal agreement in the EU Parliament on the AI Regulation, the Cyber Resilience Act and the European Media Freedom Act
03-11-2024
New OLG judgment: Is private email use subject to telecommunications secrecy?
02-29-2024
Changes to the BDSG and TTDSG - What is changing and what companies need to pay particular attention to
02-13-2024
Covert checks as a data protection breach in unfair dismissal proceedings
02-06-2024
Employee surveillance: French data protection authority fines major online mail order company 32 million euros
01-25-2024
AI Act: Preliminary result of the trilogue negotiations leaked
01-24-2024
Data protection violations as a reason for dissolving the works council
01-03-2024
ECJ clarifies further questions on compensation for damages and health data
01-02-2024
DORA – One year before the implementation deadline, more and more details are becoming known
12-22-2023
ECJ rules on liability and compensation in the event of Cyberattacks
12-18-2023
AI Act (update): Agreement on the new AI regulation

You are currently using an outdated and no longer supported browser (Internet Explorer). To ensure the best user experience and save you from possible problems, we recommend that you use a more modern browser.