A security assessment of a cross-border data transfer should focus on the following aspects:
- the necessity of the cross-border data transfer;
- the personal information involved, including the amount, scope, type, and degree of sensitivity; and whether the data subject has consented to the cross-border transfer of his/her personal information, etc.;
- the important data involved, including the amount, scope, type, degree of sensitivity of the important data, etc.;
- the security measures, capability and level of security protection of the data receiver, and the cybersecurity environment of the country or region in which the data receiver is located;
- risks of leakage, damage, tampering and abuse of data after the cross-border data transfer or subsequent re-transfer;
- risk of harm to national security, social public interest and individual legitimate interests arising from the cross-border transfer and convergence of data; and
- other important aspects that need to be assessed.
Based on the above, network operators must first prove the necessity of a cross-border data transfer before the data can be transferred out of China. However, the Measures have yet to provide any standard of proof in this respect. We understand that network operators may prove the necessity of a cross-border data transfer by explaining in detail the actual business needs.
Under the Measures, a network operator should organise a security assessment on its own initiative prior to a cross-border data transfer taking effect. Network operators are to be responsible for the results of security assessments, meaning that network operators will be held liable if there is any violation in relation to the security assessments. They will also be held liable if they do not proactively conduct self-assessments prior to cross-border data transfers. However, the Measures fail to provide specific punitive measures for network operators violating such obligations.
Network operators should report to their respective industry regulators for the relevant regulator to organise a security assessment under any of the following circumstances:
- the data contains (or accumulatively contains) personal information of more than 500,000 individuals;
- the amount of data exceeds 1,000GB;
- the data contains information regarding nuclear facilities, chemical biology, national defense or military, population health, data related to large-scale engineering activities, the marine environment, or sensitive geographic information;
- the data contains cybersecurity information, such as system vulnerabilities or security measures relating to critical information infrastructure;
- provision of personal information or important data to overseas receivers by operators of critical information infrastructure (CII); or
- other circumstances that may affect the national security and social public interests and are considered to be subject to assessment by the industry regulators or regulatory authorities.
A security assessment organised by industry regulators must be completed within 60 working days, and the results will be reported to CAC. Data will be prohibited from being transferred out of China under any of the following circumstances:
- (1) the data subject does not consent to the cross-border transfer of his/her personal information, or if such transfer may bring harm to personal rights and interests;
- (2) the cross-border data transfer poses risks to the security of State politics, the economy, technology, or national defense, and may affect national security or harm social and public interests; or
- (3) other circumstances in which CAC, public security departments, or national security departments determine that the data is prohibited from being transferred out of China.
It is clear from item (1) above that network operators must first obtain the consent from data subjects prior to cross-border data transfers. The Measures do not provide how the circumstances (1) to (3) above are determined. It is expected that subsequent national standards or guidelines may be issued to shed light on this.
Annual assessment and re-assessment
After the initial self-assessment or regulator assessment prior to the cross-border data transfer, network operators are not required to carry out a security assessment every time they transfer the data out of China. Instead, network operators must conduct a security assessment at least once a year, and report the results to their respective industry regulators.
If the data recipient is changed, or there is any substantial change to the purpose, scope, amount, or type of the cross-border data transfer, or there is any material security incident relating to the data recipient or the data transferred out of China, a security assessment must be re-conducted in a timely manner.