Promulgation Authorities: Cyberspace Administration of China
Release Date: 2022-07-07
Effective Date: 2022-09-01
Source: http://www.gov.cn/zhengce/zhengceku/2022-07/08/content_5699851.htm
Original Title: 数据出境安全评估办法
Security Assessment Measures for Outbound Data Transfers
Decree No. 11 of the Cybersecurity Administration of China
Article 1 These Measures are enacted in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and other laws and regulations to regulate outbound data transfers, protect personal information rights and interests, safeguard national security and social and public interests, and promote the security and free flow of data across borders.
Article 2 These Measures apply to the security assessment of critical data and personal information collected and generated by a data processor in its operation in the People’s Republic of China, which are to be provided abroad. Where it is otherwise provided for in laws and administrative regulations, such provisions shall prevail.
Article 3 Security assessment for outbound data transfers shall follow principles of the combination of ex-ante assessment and continuous supervision and the combination of risk self-assessment and security assessment, so as to prevent the security risks arising from outbound data transfers, and ensure the orderly and free flow of data according to the law.
Article 4 To provide data abroad under any of the following circumstances, a data processor shall declare security assessment for its outbound data transfer to the Cyberspace Administration of China (“CAC”) through the local cyberspace administration at the provincial level:
(I) where a data processor provides critical data abroad;
(II) where a key information infrastructure operator or a data processor processing the personal information of more than one million people provides personal information abroad;
(III) where a data processor has provided personal information of 100,000 people or sensitive personal information of 10,000 people in total abroad since January 1 of the previous year; and
(IV) other circumstances prescribed by the CAC for which declaration for security assessment for outbound data transfers is required.
Article 5 Prior to declaring security assessment for an outbound data transfer, a data processor shall conduct self-assessment on the risks of the outbound data transfer, with focus on the assessment of the following matters:
(I) the legality, legitimacy and necessity of the purpose, scope and method of the outbound data transfer and data processing by the overseas recipient;
(II) the scale, scope, type and sensitivity of the data to be provided abroad, and the risks to national security, public interests or the legitimate rights and interests of individuals or organizations caused by the outbound data transfer;
(III) the responsibilities and obligations that the overseas recipient promises to undertake, and whether the overseas recipient’s management and technical measures and capabilities for performing its responsibilities and obligations can guarantee the security of the outbound data transfer;
(IV) risks of the data to be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the outbound data transfer; whether the channel for the maintenance of personal information rights and interests is smooth;
(V) whether the relevant contracts on the data to be concluded with the overseas recipient or other legally binding documents (hereinafter referred to collectively as the “legal documents”) have fully agreed on the responsibilities and obligations to protect the data security; and
(VI) other matters that may affect the security of the outbound data transfer.
Article 6 To declare security assessment for an outbound data transfer, the following materials shall be submitted:
(I) a declaration form;
(II) self- assessment report on the risks of the outbound data transfer;
(III) the legal documents to be concluded by the data processor and the overseas recipient; and
(IV) other materials necessary for security assessment.
Article 7 The cyberspace department at the provincial level shall complete the examination of the completeness of declaration materials within five working days after receiving them. Where the declaration materials are complete, they shall be submitted to the CAC; where the application materials are incomplete, they shall be returned to the data processor and the data processor shall be informed on a one-time basis of materials to be supplemented.The CAC shall, within seven working days after receipt of declaration materials, determine whether or not to accept the same, and notify the data processor of the same in writing.
Article 8 The security assessment for an outbound data transfer shall focus on the assessment of the risks to national security, public interests, or the legitimate rights and interests of individuals or organizations that may be caused by the activity of the outbound data transfer, mainly including the following matters:
(I) the legality, legitimacy and necessity of the purpose, scope, and method of the outbound data transfer;
(II) the impact of the data security protection policies and regulations and the cybersecurity environment of the country or region where the overseas recipient is located on the security of data to be provided abroad, and whether the data protection level of the overseas recipient meets the requirements of the laws and administrative regulations of the People’s Republic of China and mandatory national standards;
(III) the size, scope, types and sensitivity of data to be provided abroad, and the risks that the data may be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the data is provided abroad;
(IV) whether data security and personal information rights and interests can be fully and effectively guaranteed;
(V) whether the legal documents to be concluded by the data processor and the overseas recipient have fully agreed on the responsibilities and obligations of data security protection;
(VI) compliance with Chinese laws, administrative regulations and departmental rules; and
(VII) other matters that the CAC considers necessary to assess.
Article 9 A data processor shall expressly agree on the responsibilities and obligations of data security protection in the legal documents concluded with the overseas recipient, which shall at least include the following contents:
(I) the purpose and method of the outbound data transfer and the scope of the data, and the purpose and method, etc. for processing the data by the overseas recipient;
(II) the location and duration of storage of the data abroad, as well as the handling measures for the outbound data transfer after the storage period expires, the agreed purpose is completed, or the legal documents are terminated;
(III) restrictive requirements on the overseas recipient’s re-transfer of the outbound transferred data to other organizations and individuals;
(IV) the security measures to be taken by an overseas recipient when actual control or business scope has changed substantially, data security protection policies and regulations and cybersecurity environment of the country or region where the overseas recipient is located have changed, or the occurrence of any other force majeure event, under which data security cannot be ensured;
(V) remedial measures, liability for breach of contract and dispute resolution in the event of violation of data security protection obligations agreed in legal documents; and
(VI) the requirements to property carry out emergency response when the data provided abroad is at risk of being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used, as well as the ways and methods to protect people’s personal information rights and interests.
Article 10 After accepting a declaration, the CAC shall organize the relevant departments of the State Council, the cyberspace administration concerned at the provincial level and specialized agencies to conduct security assessment in light of the declaration.
Article 11 During the security assessment, if it is found that the declaration materials submitted by a data processor fail to meet requirements, the CAC may require the data processor to supplement or correct the materials. In case that the data processor fails to supplement or correct the materials without justified reasons, the CAC may terminate the security assessment.A data processor shall be responsible for the authenticity of the materials submitted. If a data processor submits false materials on purpose, it shall be deemed as failing in the assessment, and the data processor shall be held legal liable correspondingly according to the law.
Article 12 The CAC shall, within 45 working days of issuing a written notice of acceptance to the data processor, complete the security assessment for the outbound data transfer; if the situation is complicated or supplementary or corrected materials are needed, the assessment may be extended appropriately, and the data processor shall be notified of the expected extension period.The data processor shall be informed of the assessment results in writing.
Article 13 Where a data processor has any objection to the assessment results, it may, within 15 working days of receiving the results, apply to the CAC for a re-assessment, and the re-assessment results are final.
Article 14 The results of security assessment for an outbound data transfer are valid for two years, commencing from the date when the results are issued. The data processor shall re-apply for assessment if any of the following circumstances occurs within the valid period of time:
(I) the purpose, method, scope and type of the outbound data transfer, or the purpose and method of data processing by the overseas recipient have changed, affecting the security of the data provided abroad, or extending the period of storage of personal information and critical data abroad;
(II) the security of the data provided abroad is affected due to changes in the data security protection policies or regulations or the cybersecurity environment of the country or region where the overseas recipient is located, any other force majeure event, or any change in the actual control of the data processor or the overseas recipient, or any change in the legal documents between the data processor and the overseas recipient; and
(III) any other circumstance affecting the security of the data provided abroad.If it is necessary to continue outbound data transfers after the expiration of the period of validity, the data processor shall declare anew assessment 60 working days before the expiration of the period of validity.
Article 15 The relevant institutions and personnel participating in security assessment shall keep confidential state secrets, personal privacy, personal information, trade secrets, confidential business information and other data they have accessed to in fulfilling their duties , in accordance with the law, and shall not divulge or illegally provide the same to others or illegally use such data.
Article 16 Any organization or individual who discovers the provision of data abroad in violation of these Measures by any data processor may report the case to a cyberspace administration at the provincial level or above.
Article 17 Where the CAC finds that an outbound data transfer that has passed assessment no longer meets the requirements for security management of outbound data transfers in the process of actual processing, it shall notify in writing the data processor to terminate the outbound data transfer. If the data processor needs to continue carrying out outbound data transfers, it shall make rectification as required and, upon completion of the rectification, declare anew assessment.
Article 18 Any violation of these Measures shall be dealt with in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and other laws and regulations; if a crime is constituted, criminal liability shall be investigated in accordance with the law.
Article 19 For the purpose of these Measures, the term “critical data” refers to the data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and security, etc.
Article 20 These Measures shall come into force on September 1, 2022. For outbound data transfers that have been carried out before effectiveness of these Measures, if not in compliance with these Measures, rectification shall be completed within six months from the effectiveness of these Measures.