On July 7, 2022, China’s Cybersecurity Administration (CAC) released long-awaited regulations for the management of cross-border data transfers, in the form of the Measures for the Security Assessment of Outbound Data Transfers (the “Measures”), which will come into effect on September 1. These Measures, along with the other rules for cross-border transfers released around the same time (see below), will affect all parties involved in processing Chinese-origin data, including advertisers based entirely outside of China who use local ad monitoring to track the performance of ads placed in China or targeting Chinese individuals.
The other related draft regulation and guideline released around the same time are the draft Provisions on the Standard Contract for Outbound Cross-border Transfer of Personal Information (issued June 30, 2022 by the CAC) and the Network Security Standard Implementing Guidance – Accreditation Technical Specification for Cross-border Personal Information Transfer (issued June 24, 2022 by the National Information Security Standardization Technical Committee), each of which will govern or guide other requirements for cross-border data transfers initially sketched under the CSL, DSL and PIPL. Taken together, these showcase the Chinese government’s strong intent to solidify regulation and procedures around data transfers.
Below is a quick brief on this new law.
The key requirement under the Measures is that all cross-border data transfers done by in-China entities meeting certain triggering criteria must apply for and pass a security assessment organized by the CAC. The triggering criteria are as follows:
(i) All cross-border transfers of “important data”;
Note: The definition of Important Data is intentionally broad and outcome-dependent, i.e. “any data that will endanger national security, the operation of the economy, social stability, public health and security, etc. if it is tampered with, damaged, leaked, or illegally acquired or used.” In practice it remains unclear, as no catalog has been released showing which data should be deemed Important Data.
(ii) The cross-border transfer of PI by a “critical information infrastructure operator” (“CIIO”);
Note: To date, no specific list of critical information infrastructure (“CII”) or CIIOs has been released. Based on the broad definition of CII, it is possible that foreign companies operating in key or sensitive sectors such as cloud computing, online platforms, financial institutions, or transport could be recognized as CIIOs.
(iii) The cross-border transfer of PI by a processor that has ever processed the PI of more than 1,000,000 people;
Note: This trigger is superficially more transparent, provided a company is able to accurately track the number of individual people whose data it may have handled.
(iv) The cross-border transfer of PI by a processor that has (a) transferred the PI of more than 100,000 people cross-border since Jan 1 of the previous year OR (b) transferred the “sensitive PI” of more than 10,000 people cross-border since Jan 1 of the previous year.
Note: As above, these triggers are potentially easier to assess, depending on a company’s record-keeping. As a reminder, in China “Sensitive PI” refers to PI that, once leaked or illegally used, will easily lead to infringement of the human dignity or harm to the personal or property safety of a natural person, and typically includes biometric recognition, religious belief, specific identity, medical and health, financial account, personal location tracking and other information of a natural person, as well as any personal information of a minor under the age of 14.
Hence, in order to determine whether a CAC security assessment may be required for cross-border transfer, a company will at the very least need to have comprehensive records of its past data processing activities, including the number and nature of individual people affected, and will need to make a somewhat subjective assessment of whether the company handles any Important Data. With time, enforcement patterns will help illuminate more concrete criteria for these assessments, but initially we anticipate that companies will find it difficult to predict whether a CAC security assessment might be required.
In terms of process, all entities contemplating a cross-border data transfer must first conduct a self-assessment, and then apply for a CAC security assessment if the triggering criteria are present. Either way, the Measures also stipulate that all cross-border data transfers must be done subject to a legal document (such as a data transfer agreement, or DTA) between the transferor and the transferee, and that this legal document must explicitly address certain data security protection obligations.
It is also important to note that these Measures do not explicitly differentiate between data processors within the PRC and data processors outside of the PRC. This makes it uncertain whether the three parties often involved in ad placement (the brand, the agency and the platform) would be captured when they collect PRC-originated PI from entirely outside the PRC. That said, if a platform or multinational brand operating in China intends to share PI with an offshore ad monitoring agency via its China entity, both are clearly subject to these Measures.
Also note that the Measures specify a 6-month grace period for transfers ongoing as of the date the Measures come into effect, meaning that companies have 6 months from September 1, 2022 to conduct a self-assessment for the cross-border data transfers conducted since Jan 1, 2021 and apply for and pass CAC security assessment if necessary according to the Measures.
Passing a Security Assessment
Until more precedents are established, it will be difficult to know what criteria are most important for passing a CAC security assessment. But in the meantime, the factors identified in Article 8 of the Measures provide a basic, if somewhat subjective, outline of key elements:
Article 8 The security assessment of a cross-border data transfer shall focus on assessing risks that may be brought by the cross-border data transfer to national security, public interests, or the lawful rights and interests of individuals or organizations, which shall mainly cover the following matters:
(1) the lawfulness, legitimacy, and necessity of the cross-border data transfer in terms of the purpose, scope, method, etc.;
(2) the impact to the security of the outbound data from the data security protection policies and legislation, and cybersecurity environment of the country or region where the overseas recipient is located; whether the data protection level of the overseas recipient meets the requirements of laws, regulations of the People's Republic of China and the mandatory national standards;
(3) the quantity, scope, type, and sensitivity of the outbound data, and the risks of the data being tampered with, damaged, leaked, lost, relocated or illegally acquired or used during and after the cross-border data transfer;
(4) whether data security and personal information rights and interests can be sufficiently and effectively ensured;
(5) whether data security protection responsibilities and obligations are sufficiently stipulated in the contract or other documents with legal force to be executed between the data processor and the overseas recipient;
(6) the compliance with PRC's laws, regulations and rules;
(7) other matters to be assessed as deemed by the national cyberspace administration authority.
In terms of process, the Measures indicate that a security assessment may take at least 57 working days in total: 5 working days for the provincial-level cyberspace administration authority to conduct a completeness check, 7 working days for the CAC to determine whether to accept the application, and 45 working days for the CAC to conduct the security assessment. This period may also be extended if the CAC deems it necessary.
Any companies with onshore PRC entities involved in cross-border data transfers, or that receive sensitive data or large amounts of ordinary data from onshore partners, are likely to be materially affected by these Measures. All such companies will have to allocate more time and resources to China data compliance reviews on an ongoing basis in order to determine whether a CAC security assessment might apply (i.e. to conduct their mandatory “self-assessment” for all cross-border data transfers). For offshore brands conducting ad tracking in the PRC, if a local ad monitoring agency transfers any data collected from the local platform to the offshore brand, that transfer is a cross-border data transfer. The brand should therefore ensure that its contracts with its local ad monitoring agency and/or platform continue to contain adequate representations and covenants as to PRC compliance.
In addition, where a CAC security assessment is required, it is inevitable that some companies will not pass, i.e., that the CAC will reject the cross-border data transfer if such transfer would be considered to bring risks to national security, public interests, or the lawful rights and interests of individuals or organizations, and instead require that the company keep the data onshore. In that event, the company will have to re-think its China data architecture, including whether it can keep certain data within China in order to satisfy the applicable laws (the Personal Information Protection Law and Data Security Law, etc.).
Given the above and the broader legal environment, it would be prudent for all parties to review their China-related data practices to ensure that both they and their partners (such as ad monitoring agencies, platforms, etc.) are compliant with the emerging and sometimes very strict new standards.