Measures for Data Export Security Assessments (Draft for Solicitation of Comments)

Issuing Department：Cybersecurity Administration
[Source]http://www.cac.gov.cn/2021-10/29/c_1637102874600858.htm
Comment Period: Until November 28, 2021

Article 1: These Measures are drafted on the basis of the Cybersecurity Law of the PRC, the PRC Data Security Law, the Personal Information Protection Law of the PRC, and other laws and regulations, so as to regulate data export activities, protect rights and interests in personal information, preserve national security and the societal public interest, and to promote the secure and free flow of data across borders.

Article 2: Data handlers shall conduct security assessment in accordance with these Measures when important data that was collected or produced during business operations with the mainland territory of the PRC or personal information for which a security assessment is required by law is provided overseas; but where laws and administrative regulations provide otherwise, follow those provisions.

Article 3: Data export security assessments are to persist in combining ex-ante assessments and sustained oversight, and combining risk self assessment and security assessments, to prevent security risks in data exports and to ensure the orderly and free flow of data in accordance with law.

Article 4: In any of the following circumstances, data handlers providing data overseas shall make declarations on the data export security assessments through the provincial-level internet information department for their area to the state internet information department.

(1) Operators of critical information infrastructure collecting or producing personal information or important data;

(2) The exported data includes important data;

(3) personal information handlers that handle the personal information of 1 million persons providing personal information overseas;

(4) Cumulatively providing more than 100,000 persons' personal information or 10,000 persons' sensitive personal information overseas;

(5) Other situations that the state internet information department requires declarations on data export security assessments.

Article 5: Before data handlers provide data overseas, they should first carryout data export risk self assessments, focusing on assessing the following matters:

(1) The legality, propriety, and necessity of the purpose, scope, and methods, etc. of exporting the data and of the overseas' recipients handling of the data;

(2) The volume, scope, types, and sensitivity of exported data, and protentional risks to national security, public interests, or the lawful rights and interests of individuals and organizations, that might be brought on by the export of data;

(3) The management and technical measures and capacity of data handlers for the transfer of data, and whether it can prevent risks such as data leaks and destruct;

(4) The responsibilities and obligations that the overseas recipient has pledged to undertake, as well management and technical measures and capacity for performing the responsibilities and obligations, and whether they can ensure the security of exported data;

(5) The risks such as leaks, destruction, alteration, and abuse in exporting and returning data, and whether channels for individuals to preserve rights and in interests in personal information are accessible;

(6) Whether the contract signed with the overseas recipient related to the data export fully provides for responsibilities and obligations in protecting data security.

Article 6: The following materials shall be submitted in making data export security assessment declarations:

(1) a written declaration;

(2) The data export risk self assessment report;

(3) The contract signed between the data handlers and the overseas recipients or other documents with legal efficacy and so forth (hereinafter collectively "contracts");

(4) Other materials required for security assessment work.

Article 7: The state Internet information office is to determine whether to accept the assessment and give feedback on the outcome as a written notification within 7 working days of receiving the declaration materials.

Article 8: Data export security assessments are to focus on assessing the potential risks to national security, public interests, and the lawful rights and interests of individuals and organizations that might be brought on by the export of data, primarily including the following matters:

(1) The legality, propriety, and necessity of the purpose, scope, and methods, etc. of exporting the data;

(2) The impact on the security of exported data of the data security policies and regulations of the country or region where the overseas recipient is located and its cybersecurity environment; whether the overseas data recipients' level of data protections meet the requirements of the PRC's laws, administrative regulations, and compulsory national standards;

(3) The volume, scope, types, and sensitivity of the exported data, and risks during and after export such as of leaks, alteration, loss, destruction, transfer, or being illegally acquired or illegally used;

(4) Whether data security and rights and interests in personal information can be fully and effectively safeguarded;

(5) Whether the contract data handlers signed with the overseas recipient export fully provides for the responsibilities and obligations in protecting data security;

(6) Compliance with Chinese law, administrative regulations, and departmental rules;

(7) Other matters that the state internet information department finds need to be assessed.

Article 9: The contract data handlers signed with the overseas recipient export fully providing for the responsibilities and obligations in protecting data security shall include, but is not limited to, the following content:

(1) The purpose and methods of exporting data and the scope of data, the overseas recipients' usages and methods in handling data, and so forth;

(2) The overseas location and duration for data storage, as well as the measures for dealing with the exported data at the end of the storage period, when the agreed on purposes are completed, or after the contract has been terminated;

(3) Restraining provisions on restricting the overseas recipients' from further transferring the exported data to other organizations and individuals;

(4) The security measures that shall be employed when there are changes in terms of overseas recipients' authority for actual control or the scope of their operations, or where there are changes to the legal environment of the country or region where they are located that make it difficult to ensure data security;

(5) Provisions on responsibility for breach from violations of obligations to protect data security and provisions on dispute resolution that have restraining force and are enforceable;

(6) The emergency responses to be taken when risks such as data leaks occur, and the accessible channels for safeguarding individuals' preservation of their rights and interests in personal information.

Article 10: After the state internet information department accepts declarations, it is to organize the industry regulatory departments, relevant departments of the State Council, provincial-level internet information departments, specialized bodies, and so forth, to conduct a security assessment.

Where the export of important data is involved, the state internet information department is to solicit the opinions of the relevant industry regulatory departments.

Article 11: The data export security assessment is to be completed within 45 working days from date of the state internet information department's issuing the written notification of acceptance; this may be extended where the circumstances are complex or materials need to be supplemented, but must generally not exceed 60 working days.

The data handlers are to be informed of the assessment outcome in the form of a written notification.

Article 12: The period of validity for data export assessment results is 2 years. Where any of the following circumstances occurs during the period of validity, the data handlers shall make a new assessment declaration:

(1) Where there are changes to the purpose, methods, scope, and types of data provided overseas, or to the overseas recipients' usage and methods, or where the period for storing personal information or important data is extended;

(2) Where there are changes that might impact the security of exported data such as in the legal environment of the country or region where the overseas recipient is located, in the rights of actual control of the data handlers or the overseas recipient, or in the contract between the data handlers and the overseas data recipients;

(3) Other situations arise that might impact the security of data exports.

Where it will be necessary to continue carrying out data export activities at the completion of the validity period, the data handlers shall make a new assessment declaration 60 working days before the completion of the validity period.

Where a new assessment declaration is not made in accordance with this article, data export activities shall be stopped.

Article 13: Data handlers shall submit assessment materials as provided by these Measures, and where the materials are incomplete or do not meet requirements, they shall promptly supplement or correct them; where they refuse to supplement or make corrections, the state internet information department may terminate the security assessment; data handlers are responsible for the veracity of the materials they provide, and where they provide false materials, they are to be handled as not passing the assessment.

Article 14: The relevant bodies and personnel that participate in security assessment work shall preserve confidentiality in accordance with law of state secrets, personal privacy, personal information, commercial secrets, confidential commercial information and so forth that they learn of during the performance of their duties, and must not disclose or illegally provide it to others.

Article 15: Where any organization or individual discovers that data handlers have provided data overseas without conducting assessments as provided for in these Measures, they may make a complaint or report to an internet information department at the provincial-level or above.

Article 16: Where the state internet information departments discover that data export activities that have passed assessments do not comply with data export security management requirements in the course of actual handling, they shall revoke the assessment outcome and inform the data handlers in writing, and the data handlers shall stope the data export activities. Where it is necessary to continue carrying out data export activities, the data handlers shall make corrections as required and make a new assessment declaration after the corrections are completed.

Article 17: Where the provisions of these Measures are violated, it is to be addressed in accordance with the provisions of the PRC Cybersecurity Law, The PRC Data Security Law, the PRC Law on the Protection of Personal Information, and other such laws and regulations; and where a crime is constituted, criminal responsibility is pursued in accordance with law.

Article 18: These Measures take effect on __/__/20__.