Challenges in Following the New PRC Data Export Assessment Procedures

On 31 August 2022, hours before the Security Assessment Measures for Cross-border Data Transfer (“Measures”) officially came into effect, the Cyberspace Administration of China (“CAC”) released the Guidelines on Application for Security Assessment for Cross-border Data Transfer (First Edition) (“Guidelines”) which reiterates the application scope and the data export assessment procedures under the Measures, and also outlines in detail the documents to be submitted for such procedures. A long-awaited structural template for the self-assessment report was also issued at the same time. This provides a much clearer picture for companies to follow in order to legally share and transfer data across the border of the PRC. The Measures set an explicit deadline (i.e. by the end of February 2023) for companies to fulfill their legal obligations including the assessment. As preparation for the required formalities could potentially become quite complicated in practice due to (unfortunately the still remaining) vagueness and ambiguity of these requirements, you are recommended to ramp up into this immediately to avoid potential compliance exposure. Our experts have summarized some highlights as follows for your easier reference.

Self-assessment report

According to Articles 5 and 6 of the Measures, applicants are obliged to conduct self-assessment, the process of which including its result shall be reflected in a report and - if administrative assessment procedures are triggered - be further submitted to the CAC for security assessment. A self-assessment template that outlines the structure and key contents to be addressed in a self-assessment report has been attached to the Guidelines. Such report will be the most critical and time-consuming document to be prepared. Therefore, please be prepared for the below challenges before you kick off your drafting.

Data protection in recipient’s jurisdiction

According to Article 8 of the Measures, data protection policies and laws as well as the (general) cyber security situation in the data recipient’s jurisdiction will be reviewed by the CAC when it assesses a data export case triggering administrative assessment procedures. According to the Guidelines, it will be the PRC data exporter (e.g. your China subsidiary) to take up the burden to illustrate these items under its self-assessment report. If you are an overseas data recipient dealing with a Chinese data exporter (e.g. your Chinese supplier or customer) that is not part of your organization, this burden may be transferred to you because you need to provide the required information to the Chinese data exporter. It may not be that easy to manage if you do not have competent hands inside your organization to support this matter. As far as you are residing in Europe to receive data from the PRC, our data protection specialists in EU and UK would be well placed to give you a hand in close coordination with our data protection team in China.

Disclosure requirements

The template for the self-assessment report brought by the Guidelines details the information to be disclosed. Some of such disclosure appears a bit far reaching and the information may even be sensitive for a company to disclose, for example, the data exporter’s shareholding structure, ultimate controller, investment in and outside China, information on its onshore and offshore data storage facilities. To what extent is this truly relevant to the topic of data protection and security assessment appears confusing and debatable.

On top of this, the Guidelines require that the whole process of the overseas data recipient’s processing activities shall be described. It also introduces a new (while confusing) concept named “datalink” which shall also be disclosed in detail. This will include explanations of the details about datalink service provider, number of datalinks and respective bandwidth, landing datacenters both onshore and offshore with the detailed geographical location of the respective IDCs and their IP addresses. Whether or not you are able to retrieve all such details from your IT service providers may become questionable, particularly taking into account the fact that cross-border data transmission may be structured in a quite complicated way, and to explain all details as expected by the CAC could become a highly challenging job.

Risk rating and corrective measures

Applicants are required to assess the potential risks associated with the data transmission outside of China (e.g. sharing with overseas affiliates) and specify remedial measures to mitigate these risks under the self-assessment report. The template outlines the following elements to be explicitly addressed:

• Legality, legitimacy, and necessity of the data export;
• Risks to national security, public interest, and organizational or individual rights as might be caused by the data export;
• Data protection competency of the overseas data recipient(s) to properly secure the exported data;
• Whether channels for data subjects to exercise their rights can be properly secured if data breach occurs during or after the data export;
• Whether data protection obligations and liability are fully stipulated in relevant legal instruments;
• Other factors that may have an impact on the security of the data export.

The above major elements are only described in a very general way under the Guidelines which leaves quite some room for the regulators (at different levels and of different locations) to interpret at their discretion. For example, the subjective criteria such as “obligations and liability are fully stipulated in relevant legal instruments” and “properly secure the exported data” leave quite some guesswork ahead for companies to manage. It is also hard to predict and assess what exact remedial measures shall be taken to mitigate the risks since these measures may vary in different cases.

Another interesting aspect in this regard concerns the fate of some earlier draft national standard on the same topic, namely the Guidelines for Data Cross-Border Transfer Security Assessment released by the industrial association in 2017. Though the 2017 guidelines shed more light on implementation details, whether or not such guidelines shall still be followed remains questionable as certain clarity may not necessarily serve for the CAC’s discretionary power to interpret the respective rules.

Data export contract

Among various formalities to be submitted for the export security assessment procedures, a data export contract needs to be in place as the basis for the submission. The Guidelines oblige an applicant to summarize and highlight certain key elements under its data export contract. This indicates that the CAC will be very likely to focus its review on the substance of these statutory elements. However, the Guidelines do not offer further explanations in terms of how these elements shall be reflected under the data export contract. Before any prevailing practice is established, quite some guesswork still remains on implementation side.

The Measures and the Guidelines do not oblige an applicant to base its data export contract on the Chinese standard contractual clauses (“CSCCs” which applies to data export scenarios not covered by the Measures, see our earlier article on this topic. However, all statutory elements as required under Article 9 of the Measures seemingly will pull a security assessment application closer to the Chinese standard contractual clauses since the latter covers most of the elements as required under Article 9 of the Measures. It will not be surprising if the CAC might feel more comfortable with the CSCCs and therefore leave limited room for one to deviate from the CSCCs.

Ramp up to preparation

The Measures grant a six-month grace period for companies to stay compliant (i.e. by the end of February 2023). This means all required work including any submission and assessment procedures shall be completed (not just starting) before such deadline. Considering the fact that the various periods in the procedural timeline as mentioned under the Measures will add up to around 60 working days which are extensible, kicking off respective preparation work immediately from now is strongly advisable to better manage the respective compliance exercises.

Since you will potentially touch upon the issue of “important data” which is a trigger for the export security assessment, to build up a good data mapping and classification system for your PRC data will be indispensable to better assess and manage the efforts ahead for this exercise. In this aspect and if manageable on IT architect side, keeping as much of your PRC-generated data onshore as possible and minimizing data cross-border sharing would be another route to better mitigate your regulatory exposure.

The ambiguities under the Measures and the Guidelines are not uncommon in the Chinese regulatory environment. It would be important to bear in mind that to push for a black-and-white answer may not be a good approach which will be likely to confuse you during the process. Instead, seeking experienced and competent resources both from within and outside the organization to manage communication with the regulators (including proper arguments on legal side) will be critical to facilitate your procedural effort and achieve a good balance between satisfying regulatory demands and business efficiency.