Legislation & Policy

Translation: Measures for Data Exit Security Evaluation (Draft for Comments)

SIPS Knowledge, Legislation and Policy

On October 29, 2021, the Cyberspace Administration of China issued the “Measures for Data Exit Security Evaluation (Draft for Comments)”.  The original text is available here and SIPS’ translation below.

The Measures were drafted in accordance with the Network Security Law, the Data Security Law, and the Personal Information Protection Law, and are intended to govern the export of protected data from China to other countries.

Notice of the Cyberspace Administration of China on the Public Consultation of the “Measures for Data Exit Security Evaluation (Draft for Comments)”

October 29, 2021 10:42; Source: China Netcom

In order to regulate data exit activities, protect the rights and interests of personal information, safeguard national security and social public interests, and promote the safe and free flow of data across borders, in accordance with the “Network Security Law of the People’s Republic of China”, “Data Security Law of the People’s Republic of China”, “Personal Information Protection Law of the Republic of China” and other laws and regulations, our Office has drafted the “Measures for Data Exit Security Evaluation (Draft for Comments)”, which is now open to the public for comments. The public can provide feedback through the following channels and methods:

  1. Log in to the Chinese Government Legal Information Network (www.moj.gov.cn, www.chinalaw.gov.cn) of the Ministry of Justice of the People’s Republic of China and enter the “Legacy Opinion Solicitation” section of the main menu on the home page to submit opinions.
  2. Send your opinions via email to: shujuju@cac.gov.cn.
  3. Send your opinions by letter to: Network Data Management Bureau, National Internet Information Office, 11 Chegongzhuang Street, Xicheng District, Beijing, zip code: 100044, and indicate on the envelope “Soliciting Opinions on Data Exit Security Assessment Measures”.

The deadline for comments is November 28, 2021.

Attachment: Measures for Security Evaluation of Data Exit (Draft for Solicitation of Comments)

Cyber Administration of China

October 29, 2021

Data Exit Security Assessment Measures

(Draft for Comment)

Article 1  In order to regulate data exit activities, protect the rights and interests of personal information, maintain national security and social public interests, and promote the safe and free flow of data across borders, in accordance with the “Network Security Law of the People’s Republic of China”, “Data Security Law of the People’s Republic of China”, the “Personal Information Protection Law of the People’s Republic of China” and other laws and regulations formulate these measures.

Article 2  Data processors who provide important data collected and generated during operations within the territory of the People’s Republic of China and personal information subject to security assessments according to law shall conduct security assessments in accordance with the provisions of these Measures; where laws and administrative regulations provide otherwise, such provisions shall prevail.

Article 3 The data exit security assessment adheres to the combination of pre-assessment and continuous supervision, and the combination of risk self-assessment and security assessment, to prevent data exit security risks, and to ensure the orderly and free flow of data in accordance with the law.

Article 4  If a data processor provides data overseas and meets one of the following circumstances, it shall apply to the national cybersecurity and informatization department through the provincial cybersecurity and informatization department where it is located.

  1. Personal information and important data collected and generated by operators of critical information infrastructure.
  2. The exit data contains important data.
  3. Personal information processors who have processed personal information of one million people provide personal information abroad.
  4. Cumulatively providing personal information of more than 100,000 people or sensitive personal information of more than 10,000 people abroad.
  5. Other situations required by the national cybersecurity and informatization department that require data exit security assessment.

Article 5  Before providing data abroad, data processors shall conduct self-assessment of data exit risks in advance, focusing on the following items:

  1. The legality, legitimacy, and necessity of the purpose, scope, and method of data processing by the data exit and overseas recipients.
  2. The quantity, scope, type, and sensitivity of exit data, and the risks that data exit may bring to national security, public interests, and the legitimate rights and interests of individuals or organizations.
  3. Whether the data processor’s management and technical measures and capabilities in the data transfer link can prevent risks such as data leakage and damage.
  4. The responsibilities and obligations promised by the overseas recipient, and whether the management and technical measures and capabilities to perform the responsibilities and obligations can guarantee the security of exit data.
  5. Risks of data leakage, damage, tampering, abuse, etc. after data exits and re-transfer, whether the channels for individuals to maintain personal information rights and interests are unblocked, etc.
  6. Whether the data exit-related contracts concluded with overseas recipients fully stipulate the responsibility and obligation of data security protection.

Article 6 The following materials shall be submitted for the security assessment of the exit of the declared data:

  1. Declaration form.
  2. The self-assessment report of data exit risk.
  3. Contracts or other legally binding documents, etc. (hereinafter collectively referred to as contracts) drawn up between the data processor and the overseas recipient.
  4. Other materials required for safety assessment work.

Article 7  The national cybersecurity and informatization department shall, within seven working days from the date of receipt of the application materials, determine whether to accept the evaluation and feedback the acceptance result in the form of a written notification.

Article 8  The security assessment of data exiting the country focuses on evaluating the risks that data exiting the country may bring to national security, public interests, and the legitimate rights and interests of individuals or organizations, mainly including the following items:

  1. The legality, legitimacy, and necessity of the purpose, scope, and method of data exit.
  2. The data security protection policies and regulations of the country or region where the overseas recipient is located and the impact of the network security environment on the security of outbound data; whether the data protection level of the overseas recipient meets the laws, administrative regulations and mandatory national standards of the People’s Republic of China Require.
  3. The quantity, scope, type, and sensitivity of outbound data, and the risks of leakage, tampering, loss, destruction, transfer, or illegal acquisition or illegal use during and after leaving the country.
  4. Whether data security and personal information rights can be fully and effectively protected.
  5. Whether the contract between the data processor and the overseas receiver fully stipulates the responsibility and obligation of data security protection.
  6. Compliance with Chinese laws, administrative regulations, and departmental rules.
  7. Other matters deemed necessary by the national cyberspace administration.

Article 9 –The contract between the data processor and the overseas receiver [shall] fully stipulate the data security protection responsibilities and obligations, and shall include but not limited to the following contents:

  1. The purpose, method and scope of data exit, the purpose and method of data processing by overseas receivers, etc.
  2. The location and duration of data storage overseas, and the processing measures for data going abroad after the storage period is reached, the agreed purpose is fulfilled, or the contract is terminated.
  3. Binding clauses restricting the transfer of outbound data by overseas recipients to other organizations and individuals.
  4. The security measures that the overseas receiver should take when the actual control rights or business scope of the foreign party undergo a substantial change, or the legal environment of the country or region where it is located makes it difficult to ensure data security.
  5. Responsibilities for breach of data security protection obligations and binding and enforceable dispute resolution clauses.
  6. In the event of data leakage and other risks, properly carry out emergency response and ensure unobstructed channels for individuals to safeguard their personal information rights.

Article 10  After the national cybersecurity and informatization department accepts the application, it shall organize the industry competent department, relevant departments of the State Council, provincial cybersecurity and informatization departments, and specialized agencies to conduct security assessments.

For the exit of important data, the State Cyberspace Administration of China shall solicit opinions from relevant industry authorities.

Article 11  The National Cyberspace Administration shall complete the data exit security assessment within 45 working days from the date of issuance of the written acceptance notice; if the situation is complicated or supplementary materials are required, it can be extended appropriately, but generally no more than 60 tasks day.

The results of the evaluation will be notified to the data processor in writing.

Article 12  The results of the data exit assessment are valid for two years. If one of the following situations occurs during the validity period, the data processor shall re-apply for evaluation:

  1. The purpose, method, scope, and type of data provided overseas, and the use and method of data processing by overseas recipients have changed, or the overseas retention period of personal information and important data has been extended.
  2. Changes in the legal environment of the country or region where the overseas receiver is located, changes in the actual control of the data processor or the overseas receiver, changes in the contract between the data processor and the overseas receiver, etc. may affect the security of outbound data.
  3. There are other situations that affect the security of outbound data.

If the validity period expires and it is necessary to continue the original data exit activities, the data processor shall re-apply for evaluation 60 working days before the validity period expires.

Those who fail to re-apply for evaluation in accordance with the provisions of this Article shall stop data exit activities.

Article 13  Data processors shall submit assessment materials in accordance with the provisions of these Measures. If the materials are incomplete or do not meet the requirements, they shall be supplemented or corrected in a timely manner. If they refuse to supplement or correct, the national cyberspace administration may terminate the security assessment; data processing. The person is responsible for the authenticity of the submitted materials, and if the false materials are deliberately submitted, they shall be handled as if the assessment fails.

Article 14  Relevant institutions and personnel involved in security assessment work shall keep confidential the state secrets, personal privacy, personal information, business secrets, confidential business information and other data that they learn in the performance of their duties, and shall not disclose or illegally provide them to others.

Article 15  Any organization or individual who discovers that the data processor has not provided data to overseas by conducting evaluations in accordance with the provisions of these Measures may complain or report to the cybersecurity and informatization department at or above the provincial level.

Article 16 If the national cyberspace administration finds that the data exit activity that has passed the assessment no longer meets the data exit security management requirements in the actual processing process, it shall revoke the assessment result and notify the data processor in writing, and the data processor shall terminate the data exit activity. If it is necessary to continue to carry out data exit activities, the data processor shall make rectifications in accordance with the requirements and re-apply for evaluation after the rectifications are completed.

Article 17 Anyone who violates the provisions of these Measures shall be dealt with in accordance with the “Network Security Law of the People’s Republic of China”, “Data Security Law of the People’s Republic of China”, “Personal Information Protection Law of the People’s Republic of China” and other laws and regulations; be held criminally responsible.

Article 18  These measures shall come into force on year, month and day.