According to an official press release dated January 18th, 2023 by the WeChat official account "Cyberspace Beijing"[1], a joint research project between Beijing Friendship Hospital, Capital Medical University and Amsterdam University Medical Center and an Air China project have become the first and the second cases in China to be approved by the Cyberspace Administration of Beijing ("Beijing CAC") in security assessment of cross-border data transfer. This signals the first implementations of the national cross-border data transfer security assessment policy in Beijing. According to the press release, Beijing CAC has provided service to more than 270 entities with the need of cross-border data transfer, and has organized and guided 16 entities in Beijing in key sectors, such as social media, medical care, finance, automobile and civil aviation, to submit formal applications. Among them, 10 entities have passed sanity checks with the above 2 passing the security assessment. Although Beijing CAC did not disclose detailed information such as the type, quantity and sensitivity of the data of the two projects, having reviewed the standard templates for application materials it has released and other public information, we recommend that enterprises pay attention to the following matters:
According to Article 4 of the Measures on Security Assessment of Cross-border Data Transfer ("Measures"), a data processor shall apply to the Central Cyberspace Affairs Commission (“Central CAC”) for security assessment of the cross-border data transfer through the provincial cyberspace administration under any of the following circumstances: (i) the data processor provides important data abroad; (ii) the processor is a critical information infrastructure operator or has processed the personal information of over one million people; (iii) the processor has provided the personal information of over 100,000 people abroad; (iv) the processor has provided the sensitive personal information of over 10,000 people abroad cumulatively since January 1 of the previous year; or (v) any other circumstance where an application for the security assessment of cross-border data transfer is required by the Central CAC. For the above cases, passing a security assessment is the only compliant path for transmitting data abroad.
The first approved case published this time may constitute the first situation mentioned above and thus apply for a security assessment. As analyzed in the article "Healthcare Data Compliance Series (I):Healthcare Data Collection", healthcare data, as a category of important data relating to the national economy and the people's livelihood, is subject to all-round and multi-dimensional regulatory challenges. In this case, medical cooperation activities may involve many important types of data such as public health data, genetic data, genomic data, etc. It should also be noted that, pursuant to Regulations on the Management of Human Genetic Resources, where the data provided to foreign organizations in medical cooperation activities constitute human genetic resource information, such data shall pass a safety review organized by the competent science and technology administrative department of the State Council (i.e., the Ministry of Science and Technology), with a filing and data backup to be submitted to the Ministry of Science and Technology.
The second case may involve the circumstance in which the scale of air passenger data to be transmitted exceeds one of the three thresholds provided in (iii) or (iv) above, especially the threshold for sensitive personal information. Due to its nature, international air passenger transport inevitably involves the two-way information exchange between domestic and foreign airlines, airports, customs and other organizations. Since passengers' fingerprints, passport numbers, photos, etc. constitute sensitive personal information[2],with hundreds of passengers transported in a single flight, international airlines are very likely to be subject to security assessment due to them providing the sensitive personal information of over 10,000 persons abroad since the previous year.
According to the data released by Beijing CAC, only two of the 16 enterprises that submitted formal declarations passed the assessment, with a percentage of 12.5%. If the scope of statistics is expanded to all 270 entities with needs of cross-border transfer, the pass rate will be further reduced to only 0.74%. It can be seen that, even after five months of self-assessment, consultation and even self-rectification, most enterprises are still far from being approved in terms of data export compliance.
The high standards of security assessment are also reflected in the application materials. The "Application for Cross-border Data Transfer Security Assessment (template)" attached to the " Application of Cross-border Data Transfer Security Assessment (First Edition)" produced by the CAC requires data processors to provide basic information about themselves, the activities requiring cross-border data transfer, the data to be transferred, the overseas receiver and the legal documents entered into between them, and requires detailed technical or legal description of the data scale, cross-border data connection, as well as the legal documents. In addition, the "Report on Self-Assessment on Cross-border Data Transfer Risks (Template) " requires that the self-assessment should be completed within three months before the application, and that no major changes may have occurred as of the date of application, which undoubtedly increases the risk of redoing the self-assessment if the assessment fails. Therefore, it is important to seek assistance from local CAC branches and professional bodies in a timely manner.
We recommend that enterprises with data export needs start reviewing and sorting out their data export activities as soon as possible if they have not already sorted out their data export activities and decide whether they need to apply for a security assessment under the Measures. If it is more likely that an enterprise will need to apply for a security assessment, it should consult its local cyberspace administration office and simultaneously prepare all the application materials, including the Report on Self-evaluation and the Written Application, in order to legally carry out the relevant business or projects as soon as possible after the assessment.
Given that there is less than one month from the end of the six-month grace period as specified in the Measures, and that the number of enterprises queuing to apply for a security assessment is relatively large, it may be difficult for the relevant enterprises to prepare all application materials, apply for business guidance from local cyberspace administrations, or even pass the security assessment in the little remaining time.
It is recommended that enterprises which have not yet passed the security assessment consider the possibility of not passing the assessment by the end of the grace period prudently and consider the alternatives in a timely manner. These alternatives include suspending data export activities based on enterprises’ needs, restricting or halting "unnecessary" data transfers timely, and contacting local data storage solution providers as soon as possible so as to deploy data localization measures, in order to avoid any impact on their ongoing business or the possibility of the enterprises or their personnel bearing administrative or criminal liabilities after the grace period expires on 1st March 2023[3]. Of course, while adopting alternative plans, enterprises should also actively prepare for the security assessment and learn from relevant successful or failed experiences, in order to pass the security assessment as soon as possible.
特别声明:
大成律师事务所严格遵守对客户的信息保护义务,本篇所涉客户项目内容均取自公开信息或取得客户同意。全文内容、观点仅供参考,不代表大成律师事务所任何立场,亦不应当被视为出具任何形式的法律意见或建议。如需转载或引用该文章的任何内容,请私信沟通授权事宜,并于转载时在文章开头处注明来源。未经授权,不得转载或使用该等文章中的任何内容。