(By Wang Hongliang) Shortly after I published my article on compliance for the outbound transfer of personal information, which referred to the draft Measures for Data Outbound Transfer Security Assessment issued for public comment, the draft was adopted as an official regulation on July 7th.
With this, the security evaluation, the strictest of the three routes for transferring data abroad, became the first to be codified in binding rules. The official Measures for Data Outbound Transfer Security Assessment (the “Rules”) largely follow the earlier draft. Below I give a brief explanation of the key points of the Rules.
I. What is Data Outbound Transfer?
The word “outbound” should be read substantively: it is not limited to physically providing or sending data abroad. According to the official answers to journalists’ questions on the Rules and the relevant provisions of the national standard Information Security Technology – Guide for Data Outbound Transfer Security Assessment, data outbound transfer activities mainly include:
(1) a data processor transfers data collected or generated in the course of its domestic operations abroad, or stores such data abroad; and
(2) a data processor stores data collected or generated domestically within China, but allows overseas institutions, organizations or individuals to access, query or use that data.
Point (2) deserves emphasis: data that remain stored in China but can be accessed or used directly by offshore entities (for example, remote access by an overseas entity to a system hosted in China) also count as data outbound transfer. This is easily overlooked and should be kept in mind when preparing for outbound transfers.
II. In Which Circumstances Is Security Evaluation of Data Outbound Transfer Necessary?
In brief, the evaluation is required where important data are transferred abroad, or where personal information is transferred abroad above certain volume thresholds. The Rules set forth four circumstances in which an application for security evaluation of data outbound transfer must be filed:
(1) a data processor provides important data abroad;
(2) a critical information infrastructure operator, or a data processor that processes the personal information of more than one million individuals, provides personal information abroad;
(3) a data processor that, since January 1st of the preceding year, has cumulatively provided abroad the personal information of 100,000 individuals or the sensitive personal information of 10,000 individuals provides personal information abroad; and
(4) other circumstances in which the national cyber administration requires an application for security evaluation of data outbound transfer.
Note that for the first circumstance, whether data are “important data” should be determined by reference to the standard Information Security Technology – Guide for Important Data Identification (currently available only as a draft for comment), the Cybersecurity Standard Practice Guide – Guide for Network Data Classification and Grading, and the data-management rules issued by regulators for specific industries. Because the identification guide is still a draft, businesses may need to seek professional advice when identifying important data.
Compared with the draft, the official version adds the phrase “since January 1st of the preceding year” to the third circumstance. This relaxes the threshold: the counts are no longer accumulated over the entire history of a processor’s transfers, only over the current year and the preceding one. As a result, many businesses that would otherwise have crossed the threshold can transfer data abroad through the standard contract or security certification routes instead.
III. What Are the Security Evaluation Procedures?
Under the Rules, the security evaluation proceeds in the following steps.
(1) Self-evaluation. Before providing data abroad, a data processor must conduct a self-evaluation of the outbound data transfer risks. In the course of that self-evaluation, the data processor also needs to enter into an outbound data transfer contract or other legally binding document with the offshore recipient, since those instruments are among the matters the self-evaluation reviews (see Article 5 of the Rules, quoted below).
(2) Application. A data processor that falls within the circumstances above files the application for security evaluation with the national cyber administration through the cyber administration of its province. The application must include the following documents:
- Application form;
- Report of the self-evaluation of outbound data transfer risks;
- The legal instruments executed between the data processor and the offshore recipient;
- Other necessary documents.
(3) Evaluation. The national cyber administration decides whether to accept the application within seven working days of receiving the application documents, and completes the evaluation within 45 working days of the date of the written acceptance notice. Where the circumstances are complicated or the submitted materials need to be supplemented or corrected, these periods may be extended by an appropriate amount, and the data processor is notified of the expected additional time.
(4) Re-evaluation and termination. When the validity period of the evaluation result expires, or when an event occurs that triggers re-evaluation under the Rules, the data processor must apply for re-evaluation. If an outbound transfer that passed the evaluation no longer meets the data outbound transfer security management requirements, the national cyber administration will issue a written notice, on receipt of which the data processor must terminate the transfer; to resume it, the processor must first correct the deficiencies and then file a fresh application for evaluation.
A passing evaluation result is valid for two years from the date it is issued. To continue the outbound transfer after that period, the data processor must apply for re-evaluation at least 60 working days before the result expires.
IV. What Should You Do Under the Measures for Data Outbound Transfer Security Assessment?
(1) Map your outbound data transfer scenarios comprehensively and choose the appropriate route. As described in my previous article, the three routes for sending data abroad, namely security evaluation, execution of the standard contract, and security certification, apply to different scenarios. The first priority for a business is therefore to inventory its outbound transfers (what data, how much, to whom, and by what mechanism, including remote access from abroad) and pick the route that satisfies the compliance requirements for each.
(2) Open discussions with the offshore recipients: understand the legal environment they operate in, require them to meet the compliance obligations that the Rules place on the onshore data processor, and have them adapt their systems and procedures accordingly.
(3) Prepare an appropriate outbound data transfer agreement, conduct the self-evaluation required by Article 5 of the Rules (quoted below), and produce the self-evaluation report.
Outbound transfers already in progress that require security evaluation must be brought into compliance within the six-month grace period set out in the Rules. That is not much time, and the detailed criteria the cyber administrations will apply in evaluations are still unsettled.
Article 5 of the Rules: A data processor shall conduct a self-evaluation of the outbound data transfer risks before filing an application for security evaluation of data outbound transfer. The self-evaluation focuses on the following matters:
(1) whether the purpose, scope and manner of the outbound data transfer, and of the offshore recipient’s processing of the data, are lawful, legitimate and necessary;
(2) the risks that the outbound transfer may pose to national security, the public interest, and the lawful rights and interests of individuals or organizations, in view of the scale, scope, type and sensitivity of the data;
(3) whether the responsibilities and obligations the offshore recipient undertakes, and the management and technical measures and capabilities it has in place to perform them, are sufficient to ensure the security of the transferred data;
(4) the risk of the data being tampered with, destroyed, leaked, lost, re-transferred, or illegally obtained or used during or after the transfer, and whether individuals have accessible channels to protect their personal information rights;
(5) whether the outbound data transfer contract or other legally binding document to be executed with the offshore recipient (hereinafter collectively the “legal instruments”) fully sets out the responsibilities and obligations for data security; and
(6) other matters that may affect the security of the outbound data transfer.