According to Articles 5 and 6 of the Measures, applicants are obliged to conduct self-assessment, the process of which including its result shall be reflected in a report and - if administrative assessment procedures are triggered - be further submitted to the CAC for security assessment. A self-assessment template that outlines the structure and key contents to be addressed in a self-assessment report has been attached to the Guidelines. Such report will be the most critical and time-consuming document to be prepared. Therefore, please be prepared for the below challenges before you kick off your drafting.
Applicants are required to assess the potential risks associated with the data transmission outside of China (e.g. sharing with overseas affiliates) and specify remedial measures to mitigate these risks under the self-assessment report. The template outlines the following elements to be explicitly addressed:
The above major elements are only described in a very general way under the Guidelines which leaves quite some room for the regulators (at different levels and of different locations) to interpret at their discretion. For example, the subjective criteria such as “obligations and liability are fully stipulated in relevant legal instruments” and “properly secure the exported data” leave quite some guesswork ahead for companies to manage. It is also hard to predict and assess what exact remedial measures shall be taken to mitigate the risks since these measures may vary in different cases.
Another interesting aspect in this regard concerns the fate of some earlier draft national standard on the same topic, namely the Guidelines for Data Cross-Border Transfer Security Assessment released by the industrial association in 2017. Though the 2017 guidelines shed more light on implementation details, whether or not such guidelines shall still be followed remains questionable as certain clarity may not necessarily serve for the CAC’s discretionary power to interpret the respective rules.
Among various formalities to be submitted for the export security assessment procedures, a data export contract needs to be in place as the basis for the submission. The Guidelines oblige an applicant to summarize and highlight certain key elements under its data export contract. This indicates that the CAC will be very likely to focus its review on the substance of these statutory elements. However, the Guidelines do not offer further explanations in terms of how these elements shall be reflected under the data export contract. Before any prevailing practice is established, quite some guesswork still remains on implementation side.
The Measures and the Guidelines do not oblige an applicant to base its data export contract on the Chinese standard contractual clauses (“CSCCs” which applies to data export scenarios not covered by the Measures, see our earlier article on this topic. However, all statutory elements as required under Article 9 of the Measures seemingly will pull a security assessment application closer to the Chinese standard contractual clauses since the latter covers most of the elements as required under Article 9 of the Measures. It will not be surprising if the CAC might feel more comfortable with the CSCCs and therefore leave limited room for one to deviate from the CSCCs.
The Measures grant a six-month grace period for companies to stay compliant (i.e. by the end of February 2023). This means all required work including any submission and assessment procedures shall be completed (not just starting) before such deadline. Considering the fact that the various periods in the procedural timeline as mentioned under the Measures will add up to around 60 working days which are extensible, kicking off respective preparation work immediately from now is strongly advisable to better manage the respective compliance exercises.
Since you will potentially touch upon the issue of “important data” which is a trigger for the export security assessment, to build up a good data mapping and classification system for your PRC data will be indispensable to better assess and manage the efforts ahead for this exercise. In this aspect and if manageable on IT architect side, keeping as much of your PRC-generated data onshore as possible and minimizing data cross-border sharing would be another route to better mitigate your regulatory exposure.
The ambiguities under the Measures and the Guidelines are not uncommon in the Chinese regulatory environment. It would be important to bear in mind that to push for a black-and-white answer may not be a good approach which will be likely to confuse you during the process. Instead, seeking experienced and competent resources both from within and outside the organization to manage communication with the regulators (including proper arguments on legal side) will be critical to facilitate your procedural effort and achieve a good balance between satisfying regulatory demands and business efficiency.
作者 Michael Tan 以及 Julian Sun