Promulgation Authorities: Cyberspace Administration of China
Release Date: 2021-10-29
Effective Date: 2021-10-29
Source: http://www.cac.gov.cn/2021-10/29/c_1637102874600858.htm
Original Title: 国家互联网信息办公室关于《个人信息和重要数据出境安全评估办法(征求意见稿)》公开征求意见的通知
Notice of the Cyberspace Administration of China on Seeking Public Comments on the Measures for the Security Assessment of Outbound Data (Exposure Draft)
In order to regulate the outbound data, protect the rights and interests in personal information, safeguard national security and social and public interests as well as promote the safe and free flow of data across borders, we have drafted the Measures for the Security Assessment of Outbound Data (Exposure Draft) in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and other laws and regulations, and are now seeking public comments thereon. The public may give their feedback through any of the following channels:
1. Logging onto the China Government Legislative Information Network of the Ministry of Justice of the People’s Republic of China (www.moj.gov.cn or www.chinalaw.gov.cn) and then submitting comments through the “Legislative Opinions” column on the main menu bar of the homepage;
2. Sending comments by email to: shujuju@cac.gov.cn;
3. Sending comments by letter to: Network Data Administration under the Cyberspace Administration of China, No. 11 Chegongzhuang Street, Xicheng District, Beijing, postal code 100044, with “Comments Sought on the Measures for the Security Assessment of Outbound Data” indicated on the envelope.
The deadline for feedback is November 28, 2021.
Annex: Measures for the Security Assessment of Outbound Data (Exposure Draft)
Cyberspace Administration of China
October 29, 2021
Measures for the Security Assessment of Outbound Data (Exposure Draft)
Article 1 The present Measures are enacted in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and other laws and regulations, in order to regulate the activities of outbound data, protect the rights and interests in personal information, safeguard national security and social and public interests as well as promote the safe and free flow of data across borders.
Article 2 Unless otherwise provided for in laws and administrative regulations, data processors are required to conduct security assessment according to these Measures when they provide overseas important data collected and generated during their operations within the territory of the People’s Republic of China, as well as personal information that is subject to security assessment according to law.
Article 3 It is imperative to conduct security assessment for the outbound data under the principle of combining ex ante assessment and continuous inspection as well as combining risk self-assessment and security assessment, so as to prevent security risks from the outbound data and ensure the orderly and free flow of data in accordance with the law.
Article 4 To provide data abroad, a data processor falling under any of the following circumstances shall, through the local cyberspace administration at the provincial level, apply to the Cyberspace Administration of China (“CAC”) for security assessment of outbound data:
(I) where the outbound data are personal information and important data collected and generated by operators of critical information infrastructure;
(II) where the outbound data contains important data;
(III) where a personal information processor that has processed personal information of more than one million people provides personal information overseas;
(IV) where the personal information of more than 100,000 people or the sensitive personal information of more than 10,000 people has been transferred overseas cumulatively; or
(V) other circumstances under which security assessment of outbound data is required as prescribed by the CAC.
Article 5 Prior to providing data abroad, a data processor shall conduct self-assessment of the risks of outbound data, with emphasis on the assessment of the following matters:
(I) legality, appropriateness and necessity of the outbound data and the purpose, scope and method of the overseas recipient’s processing of the data;
(II) the quantity, scope, type and sensitivity of the outbound data; risks to national security, public interests, and the legitimate rights and interests of individuals or organizations that may arise from the outbound data;
(III) whether the management, technical measures and capabilities of the data processor in the data transfer link can prevent data leakage, damage and other risks;
(IV) the responsibilities and obligations that the overseas recipient undertakes to assume, and whether the management, technical measures and ability to perform the responsibilities and obligations can ensure the security of the outbound data;
(V) the risks of leakage, damage, tampering and abuse of the data after it is transmitted abroad and further transferred, and whether the channels through which individuals can safeguard their rights and interests in personal information remain open; and
(VI) whether the relevant contract for the outbound data concluded with the overseas recipient fully specifies the responsibilities and obligations for data security protection.
Article 6 To apply for security assessment of outbound data, the following materials shall be submitted:
(I) a written application;
(II) a self-assessment report on the risks of the outbound data;
(III) a contract or other legally binding documents (hereinafter collectively referred to as “the contract”) to be concluded between the data processor and the overseas recipient; and
(IV) other materials required for the security assessment.
Article 7 The CAC shall, within seven working days from the date of receipt of the application materials, determine whether to accept the assessment application, and notify the applicant of the acceptance result in writing.
Article 8 Security assessment of outbound data shall focus on the assessment of the risks to national security, public interests, and the legitimate rights and interests of individuals or organizations caused by the outbound data, mainly including the following matters:
(I) Legality, legitimacy and necessity of the purpose, scope and method of transmitting the data abroad;
(II) The impact on the security of the outbound data of the data security protection policies and regulations and the network security environment of the country or region where the overseas recipient is located; and whether the data protection level of the overseas recipient meets the requirements of the laws and administrative regulations of the People’s Republic of China and the mandatory national standards;
(III) The quantity, scope, type and sensitivity of the outbound data, and the risks of leakage, tampering, loss, damage, transfer, illegal acquisition or illegal use of such data during and after the outbound transfer;
(IV) Whether the data security and the rights and interests in personal information can be adequately and effectively protected;
(V) Whether the contract between the data processor and the overseas recipient has made sufficient provisions on the responsibilities and obligations for data security protection;
(VI) Compliance with Chinese laws, administrative regulations, and departmental rules; and
(VII) Other matters that the CAC considers necessary to be assessed.
Article 9 The contract between a data processor and an overseas recipient, which fully provides for the responsibilities and obligations for data security protection, shall include but not be limited to the following:
(I) The purpose and method of transmitting the data abroad and the scope of the outbound data; and the purpose and method of data processing by the overseas recipient;
(II) The place and duration of overseas storage of the data, as well as the measures to be taken with respect to the data after the storage period expires, the agreed purpose is fulfilled, or the contract is terminated;
(III) Clauses restricting the overseas recipient from re-transferring the data transmitted abroad to other organizations or individuals;
(IV) Security measures that shall be taken in case of any substantial change in the actual control or business scope of the overseas recipient, or any change in the legal environment of the country or region where the overseas recipient is located, which makes it difficult to guarantee data security;
(V) Liability for breach of the data security protection obligation, and binding and enforceable dispute resolution clauses; and
(VI) Requirements for properly carrying out emergency response in case of data leakage and other risks, and for keeping open the channels through which individuals can safeguard their rights and interests in personal information.
Article 10 After accepting an application, the CAC shall organize the competent authority of the industry concerned, relevant departments of the State Council, the cyberspace administration at the provincial level and specialized agencies to conduct security assessment. For any outbound data involving important data, the CAC shall seek opinions from the competent authority of the industry concerned.
Article 11 The CAC shall complete the security assessment of outbound data within 45 working days from the date of issuing the written notice of acceptance; if the circumstances are complex or supplementary materials are required, the said time limit may be extended appropriately, but generally shall not exceed 60 working days. The data processor shall be notified of the assessment result in writing.
Article 12 The outbound data assessment result is valid for two years. If any of the following circumstances occurs during the validity period, the data processor shall re-apply for assessment:
(I) Any change to the purpose, method, scope or type of the outbound data, or to the use or method of data processing by the overseas recipient, or any extension of the period for overseas storage of personal information and important data;
(II) Any change in the legal environment of the country or region where the overseas recipient is located, any change in the actual control of the data processor or the overseas recipient, or any change in the contract between the data processor and the overseas recipient that may affect the security of the outbound data;
(III) Other circumstances affecting the security of the outbound data.
If it is necessary to continue the outbound provision of the original data upon expiration of the validity period, the data processor shall apply for assessment again 60 working days before expiration.
Where no new application for assessment is filed under the provisions of this Article, the relevant outbound data activities shall cease.
Article 13 The data processor shall submit the assessment materials in accordance with the provisions of the present Measures. Where the materials are incomplete or do not comply with the requirements, the data processor shall make supplements or corrections in a timely manner; if it refuses to do so, the CAC may terminate the security assessment. The data processor shall be responsible for the authenticity of the materials submitted, and if it intentionally submits false materials, it shall be deemed to have failed the assessment.
Article 14 Relevant agencies and personnel participating in the security assessment shall, in accordance with the law, keep confidential the state secrets, personal privacy, personal information, trade secrets, confidential business information and other data learned in the performance of their duties, and shall not disclose or illegally provide such information to others.
Article 15 Organizations or individuals who find that a data processor provides data abroad without undergoing assessment in accordance with the present Measures may file a complaint or report with the cyberspace administrations at the provincial level or above.
Article 16 Where the CAC finds that outbound data which has passed the assessment no longer meets the security management requirements for outbound data in actual practice, it shall cancel the assessment result and notify the data processor in writing. The data processor shall terminate the outbound data activities. If it is necessary to continue such activities, the data processor shall make rectifications as required and apply for assessment anew after completing the rectifications.
Article 17 Any violation of the present Measures shall be punished in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and other laws and regulations; if a crime is constituted, criminal liability shall be pursued in accordance with the law.
Article 18 The present Measures shall come into force as of MM/DD/YY.