China adopts a new security assessment framework for outbound cross-border transfers of personal data and important data
On July 7, 2022, the Cyberspace Administration of China issued the Measures for the Security Assessment of Cross-Border Data Transfer (the “MSA”), which came into effect on September 1, 2022.
The new regulation affects two types of data which are to be transferred outside China: (i) important data: in accordance with Article 19 of the MSA, “important data” means any data, the tampering, damage, leakage, or illegal acquisition or use of which, if it happens, may endanger national security, the operation of the economy, social stability, public health and security, etc.; and (ii) personal information.
These types of data are subject to security assessment obligations, which are twofold: a self-assessment and an assessment carried out by the Cyberspace Administration of China.
First, a self-assessment must be carried out by the transferor in all cross-border transfers, though there is a minimum threshold for common processors. The self-assessment includes checking whether the transfer complies with the principles of lawfulness, legitimacy and necessity; whether the foreign recipient is capable of safeguarding data security; whether the data transferor can provide safe and proper data transfer channels; and whether the legal document, which shall be signed between the data exporter and the recipient, contains the full list of obligations regarding data protection in order to provide the maximum level of protection.
Security assessment by the Cyberspace Administration
In addition to the self-assessment, some cross-border transfers are subject to an assessment carried out by the Cyberspace Administration of China. Such an assessment is required where (i) “important data” is transferred outside of China; (ii) personal information of more than 1 million persons is transferred outside of China by data processors or by Critical Information Infrastructure Operators (CIIO); or (iii) personal data of 100,000 individuals, or sensitive personal information of 10,000 persons, has been transferred outside China since 1 January 2021. In some instances, data transferors are required to apply for reassessment.
Companies processing personal data in China and transferring them to parent companies outside China must review their legal processes to adjust to the new rules.