THE GRACE PERIOD FOR CHINA’S OUTBOUND DATA SECURITY ASSESSMENT HAS ENDED. WHAT SHOULD MULTINATIONAL COMPANIES DO NEXT?

By Donnie Hao DONG

We reported in September 2022 that the Cyberspace Administration of China (CAC), China's data regulator, issued a regulation titled Measures for the Security Assessment of Outbound Data Transfers (Assessment Measures) and the Guide to Applications for Security Assessment of Outbound Data Transfers (First Edition). The Assessment Measures allowed a six-month grace period for companies to review their practice of transferring data from China to overseas recipients and to determine whether they meet the thresholds that require seeking CAC's security assessment and approval before sending personal information outside of China.

The grace period expired at the end of February 2023. So far, there is no indication that CAC will extend it.

When should the CAC security assessment apply

According to the PRC Personal Information Protection Law (PIPL), a data sender needs to satisfy one of the following regulatory requirements: (1) seeking CAC approval after its "cross-border data security review", (2) reaching a data transfer agreement with each data recipient by applying CAC's Standard Contractual Clauses (SCCs, read our client alert on SCCs here), or (3) obtaining certification from a certifier appointed by CAC.

CAC has yet to formalize a scheme for the certifier approach, so currently the available options are (1) and (2) above. CAC has confirmed that Option (1) and Option (2) are mutually exclusive: in the following situations, CAC's security review is required and the SCC route is not available.

- the data sender is an operator of critical information infrastructure or a controller of the “important data” as defined under the PRC Data Security Law;

- the data sender controls more than 1 million people's data; or

- the data sender has transmitted over 100,000 people's personal data or 10,000 people's sensitive personal data during the last calendar year.

Risks in failure to timely file for security assessment

CAC and its local subsidiaries are now urging enterprises that fall into the security assessment category to submit applications. Violation of the PIPL and CAC regulations could lead to a fine of up to CNY 50 million (approximately USD 7.2 million) or 5% of the violator's annual revenue, at the authority's discretion.

Further, given CAC's broad discretion in investigating a violator, the violator's business could be heavily impacted even before CAC issues a fine. See our observation titled What Do We Learn from The DiDi Case?

What should the MNCs do next?

The PRC regime for outbound data security review differs from those of Europe and the United States. Each multinational company with a significant presence in China should develop a sound and practical compliance strategy by working with experienced advisors.

This could include:

  • As soon as practical, engage an experienced advisor to launch an internal review of the existing cross-border data transmission practice
  • Minimize the volume and frequency of cross-border data transfer to the level actually needed; at this stage, CAC generally takes the view that cross-border data transfer should be limited to what is strictly necessary for a company's business operations
  • Where necessary, and based on the advisor's comments, form a working group bringing together the legal, compliance, human resources, business development, client service, procurement, and/or public relations functions to identify and prioritize data sharing needs
  • Based on the review of data transfer practice and the advisor's comments, revise existing data compliance documents, both internal policies and external privacy notices
  • After minimizing the volume and frequency of cross-border data transfer, if the thresholds for the CAC data security assessment are still met, prepare an internal self-assessment report (CAC requires this for each assessment application). CAC and its provincial-level subsidiaries in major cities have issued guidelines or outlines on the detailed requirements for the self-assessment and the application. Applicants should work with local counsel to prepare the required documents and communicate with the local CAC before applying.

Contact us

Please contact us to tailor an action plan for your business in China. Send 董皓 a message stating your name, title, affiliation, the question you are interested in, and your available time slots to book a time.

* * * * *

This communication is intended for informational purposes only and not to create an attorney-client relationship or constitute any advertisement.

* * * * *

Author: Donnie Dong is a partner of Hylands Law Firm and heads the firm's practice in the Digital Technology and Internet sectors. A Certified Information Privacy Manager (CIPM/IAPP), Dr. Dong regularly advises MNCs, unicorns, and start-ups on cross-border intellectual property, data privacy, and related investment and dispute resolution matters.
