Written by: Susan Ning, Wu Han, Yao Minlv, Chen Honglv (Compliance Group)
Introduction
According to the official website of the Cyberspace Administration of China (“CAC”), the Measures on Security Assessment of Cross-border Data Transfer (Draft for Comment) (the “Measures”) was released on 29 October for a one-month public comment period. Article 1 of the Measures sets out the purpose and value of its introduction: “to regulate the cross-border transfer of data, protect the rights and interests in personal information, safeguard national security and social and public interests, and promote the safe and free flow of data across borders.”
The security management and assessment of cross-border data transfer has been a key topic in the data compliance space since the introduction of the Cybersecurity Law of the People’s Republic of China (the “CSL”). The Measures explicitly takes the CSL, the Data Security Law of the People’s Republic of China (the “DSL”) and the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), the three fundamental laws that constitute the framework for China’s cyberspace governance, as its superior legislation and legal basis. More importantly, the PIPL, which among these three fundamental laws is the most closely related to personal information rights and interests, came into force on 1 November 2021. At a time when China is intensively improving and updating its cyberspace governance regulations, and a legal system designed for the information age has taken shape, the Measures will become the supporting rule of key significance and status among the regulations for the security management of cross-border data transfer once the framework laws on cyberspace governance are in place.
In this article, we provide a preliminary interpretation of the Measures and its application, as well as of the corresponding compliance and value concepts. We hope that data processors will gain a general understanding of the applicable framework and principles of the Measures and develop basic security and compliance awareness for when they encounter such issues.
I. Application and Scope of the Measures
Article 2 of the Measures provides that “data processors that provide overseas recipients with important data collected and/or generated during their operations within the territory of the People’s Republic of China (“PRC”), or with personal information subject to security assessment in accordance with the law, shall conduct security assessment pursuant to the Measures; and if laws and administrative regulations provide otherwise, such provisions shall prevail.” This Article should be read from at least two angles: the “applicable objects” of the Measures (which entities are regulated) and its “applicable scope” (what counts as overseas).
(I) Which entities are subject to assessment under the Measures?
On this issue, the Measures requires that a Data Processor undergo security assessment in a cross-border data transfer scenario. As in the CAC’s Several Provisions on Automotive Data Security Management (for Trial Implementation), the term “Data Processor” is used to describe the entities regulated by the Measures. Looking at the evolution of the laws and regulations, the range of entities subject to security assessment for cross-border data transfer has broadened as awareness of the security risks of cross-border data transfer has deepened.
It is generally believed that Article 37 of the CSL was the first provision to clearly impose a statutory requirement on critical information infrastructure operators (“CIIOs”) to undergo security assessment for the cross-border transfer of personal information and important data: “personal information and important data collected and/or generated during operations within the territory of the PRC shall be stored locally. If it is necessary to provide such personal information or important data to overseas parties due to business needs, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace authority in conjunction with the relevant departments under the State Council; and if laws and administrative regulations provide otherwise, such provisions shall prevail.” It can be seen that the security assessment system for cross-border data transfer initially applied only to CIIOs. This is because the CSL regulates those who build, operate, maintain and use networks within the territory of the PRC, and, given the importance of cybersecurity, it requires CIIOs, a special type of “network operator”, to fulfil the obligation to undergo security assessment of cross-border data transfer. Considering that a large number of cross-border data transfer activities are not performed by CIIOs, and that a great many non-CIIOs also face potential or actual security risks in their cross-border data transfers, a security assessment that originally applied only to CIIOs needed to expand its coverage. Since the DSL extended the range of entities subject to data security obligations, there has been a corresponding legal basis for the Measures to extend its application to “Data Processors”. However, since the term “Data Processor” is not defined in the DSL itself, whether it can follow or refer to the PIPL’s definition of “Personal Information Processor” remains to be discussed further.
Generally, judging from its legislative logic, the DSL regulates “data processing” activities. The Law does not specifically define the term “Data Processor” (please refer to our previous article, the Interpretation of Data Protection Paths under the Data Security Law in China, for a more detailed interpretation), but Article 31 carries on the requirement for CIIOs to undergo cross-border transfer security assessment as stipulated in Article 37 of the CSL. It also expands the scope of entities legally subject to the security assessment through the further provision that “the administrative measures for the security management of the cross-border transfer of important data collected and produced during operations within the territory of the PRC by other data processors shall be formulated by the state cyberspace administration in concert with the relevant departments under the State Council.” Articles 38 and 40 of the PIPL provide that “any Personal Information Processor who processes personal information in an amount reaching the threshold specified by the national cyberspace authority” shall pass the security assessment organised by the national cyberspace authority before providing such personal information to overseas parties. As such, the mutually supporting and complementary provisions of the CSL, the DSL and the PIPL form a comprehensive superior-legislation basis for the Measures to require “Data Processors” to fulfil their security assessment obligations for cross-border data transfer.
(II) How should the geographical scope of “overseas” be understood?
Under domestic laws and regulations (for example, the Exit and Entry Administration Law of the PRC) and normative documents, unless otherwise specified, the term “overseas” is generally understood to include both foreign countries (regions) and the Hong Kong SAR, Macao SAR and Taiwan region of the PRC (please refer to our previous article, the Interpretation of the Key Points of the Cybersecurity Review Measures (Revised Draft for Comment) — Answers to Eight Questions, for a detailed analysis). Therefore, Data Processors providing important data and personal information to foreign countries or regions, or to the Hong Kong SAR, Macao SAR or Taiwan region, shall apply to the competent authority on their own initiative for security assessment of cross-border data transfer if they meet the relevant conditions set out in the Measures.
A further question arises from the Cybersecurity Review Measures (Revised Draft for Comment), released by the CAC for public comment in July 2021, which provides that “operators holding the personal information of more than one (1) million users who intend to go public abroad shall apply to the Cybersecurity Review Office for a cybersecurity review.” The Measures, for its part, requires Personal Information Processors that process the personal information of more than one (1) million people to file for and undergo security assessment of cross-border data transfer if they provide personal information to overseas parties. Although the two provisions regulate “Operators” and “Personal Information Processors” respectively, terms that are not exactly the same, the two groups may overlap in practice. For example, an Internet company that controls and processes the personal information of more than one (1) million users will, in the course of going public overseas, inevitably provide overseas intermediaries and regulatory authorities with the personal information of its directors and officers, and possibly with client information contained in its business data, during the due diligence process. According to the above provisions, such cross-border provision of data would be subject both to the cybersecurity review system and to the security assessment system of cross-border data transfer. How, then, should the two systems relate to each other, or be applied in a coordinated manner, where cross-border data transfer is concerned?
In principle, we agree with the view that the “cybersecurity review system” stipulated in the Cybersecurity Review Measures (Revised Draft for Comment) and the “security assessment system of cross-border data transfer” stipulated in the Measures overlap in their shared objective of “safeguarding national security”. The two systems, however, differ in their formulating principles and regulatory purposes, and should therefore be regarded as parallel and independent. We also acknowledge that in the special scenario of “operators that process the personal information of more than one (1) million users going public abroad”, both systems will inevitably be invoked at the same time. Under the guidance of “safeguarding national security”, the statutory concern with the “risks of core data, important data or large amounts of personal information being stolen, leaked, damaged, illegally used or transferred abroad”, one of the major concerns of the cybersecurity review system, may be similar or even identical to the assessment focuses required under the security assessment system of cross-border data transfer. In the absence of an official interpretation or statement, the need for two separate filings cannot be ruled out, even though the conceptual core and operational value of the two systems are highly consistent. As to how the two systems should be coordinated and balanced under specific circumstances to achieve maximum regulatory efficiency, Data Processors need further guidance from the relevant competent authorities.
II. Principles and Value of Security Assessment
Article 3 of the Measures sets out the principles and value of security assessment of cross-border data transfer.
This Article provides that “the security assessment of cross-border data transfer shall be conducted under the principle of combining ex ante assessment with continuous supervision, and risk self-assessment with security assessment…”. Ex ante assessment and continuous supervision run through the whole lifecycle management and risk control of cross-border data transfer. Ex ante assessment is reflected in the “risk self-assessment” and “security assessment” systems established or refined by the Measures, while continuous supervision is embodied in Article 12 of the Measures, which provides that “the results of a cross-border data transfer assessment are valid for two years.” Similar provisions can be found in the 2019 Measures on Security Assessment of the Cross-border Transfer of Personal Information (Draft for Comment). In addition, the Measures requires Data Processors to re-apply for assessment if specific changes occur during the validity period.
The Measures also provides that the free flow of data shall be guaranteed on the premise of ensuring its security. Similarly, the PIPL (First Draft for Review) used the wording “safeguard the orderly and free flow of personal information in accordance with the law” in the first article of its General Provisions, and the Measures makes “promoting the secure and free flow of data across borders” one of its objectives. This highlights the regulatory orientation for the security management of cross-border data transfer: promoting the orderly and free flow of data on the premise that its security is ensured.
III. Conditions and Process for Applying for Security Assessment of Cross-border Data Transfer
As a major issue regulated by the Measures, and a key link in the security management of cross-border data transfer under the CSL, the DSL and the PIPL, how to apply for and conduct the security assessment of cross-border data transfer deserves special attention from Data Processors.
In fact, prior to the introduction of the Measures, the relevant state departments had already drafted and released for public comment the measures for the security assessment of the cross-border transfer of personal information and important data (2017) and the measures for the security assessment of the cross-border transfer of personal information (2019). In addition, in 2017 the National Information Security Standardization Technical Committee issued the Information Security Technology - Guidelines for Security Assessment of Cross-border Data Transfer (Draft for Comment), with a view to providing guidance on the content and process of the assessment for the relevant parties. As mentioned at the beginning of this article, the succession of these normative documents reflects a deepening understanding of the risks and management of cross-border data transfer.
(I) Triggers for the security assessment of cross-border data transfer
First, it can be seen from the Measures that not all Data Processors are required to pass the security assessment organised by the national cyberspace authority when providing data across borders. This is clearly reflected in the PIPL: under Article 38 of the PIPL, “passing the security assessment organised by the national cyberspace authority” is only one of the three main conditions, any one of which a Personal Information Processor may satisfy in order to provide personal information outside the PRC for business purposes when it does not fall under the circumstances specified in Article 40 of the PIPL.
Second, Article 4 of the Measures comprehensively sets out the circumstances subject to security assessment by the competent authorities that the CSL, the DSL and the PIPL had each provided for separately. From a legislative standpoint, the Measures, as the supporting regulation to the three pieces of superior legislation, integrates all relevant provisions on the triggers for Data Processors’ security assessment of cross-border data transfer.
In general, the key factors for determining whether the triggers for the security assessment of cross-border data transfer are met are: (i) whether the Data Processor has a “specific identity”; (ii) the sensitivity and volume of the data to be transferred across borders; and (iii) whether the transfer falls under other circumstances specified by the national cyberspace authority. The following table gives a clearer picture:
| Key factors | Corresponding triggers |
| --- | --- |
| 1. The “specific identity” of the Data Processor | 1) Identified as a CIIO; 2) Personal Information Processors processing the personal information of more than one million people |
| 2. The “sensitivity and amount” of the data to be transferred across borders | 3) The data to be transferred across borders contains important data; 4) The personal information of more than 100,000 people or the sensitive personal information of more than 10,000 people is transferred overseas cumulatively |
| 3. Other circumstances requiring application for security assessment under the regulations | 5) Other circumstances as prescribed by the national cyberspace authority |
Specifically:
1. “Personal information and important data collected and/or generated by CIIOs”
This condition is directly derived from Article 37 of the CSL, which is also what prompted the introduction of the “security assessment system of cross-border data transfer”. Article 31 of the DSL provides that the CSL shall apply to the security management of the cross-border transfer of important data collected and/or generated by CIIOs during their operations within the territory of the PRC. We noticed, however, that the wording “collected and/or generated during operations within the territory of the PRC” is omitted in Article 4 of the Measures when it describes the personal information and important data of CIIOs.
We interpret this omission from two perspectives: (1) the omission is one of wording only and does not change the substance, because the superior legislation (the CSL and the DSL) and Article 2 of the Measures all retain the restrictive condition “collected and/or generated during operations within the territory of the PRC”; reading the Measures, as a supporting regulation, without this condition would be an undue expansion in interpretation; and (2) the removal of the restrictive condition may reflect the fact that some CIIOs also collect (at least) personal information in the course of providing products and services to overseas parties, and the cross-border provision of such personal information may likewise be subject to the security assessment under the Measures. In either case, we recommend that Data Processors that have been identified by the relevant authorities as CIIOs apply for security assessment before providing personal information and important data abroad.
2. Data to be transferred across borders contains important data
This condition is based mainly on the sensitivity of the data to be transferred across borders, i.e. whether it contains important data. Under the DSL, data is classified and graded according to “its importance in economic and social development, and the harm that may be caused to national security, public interests or the legitimate rights and interests of individuals or organisations in the event of tampering, damage, leakage, illegal acquisition or illegal use.” On this basis, each region and department will determine a specific important data catalog for its region, department and the relevant industries and fields. For important data included in a catalog, the obligation to apply for security assessment before transferring it across borders should be strictly implemented in accordance with the Measures. For the definition of important data and the security management of its cross-border transfer, please refer to our previous article: New Beginning, New Journey: Data Security and Development in the Era of the Data Security Law. Currently, important data has been officially defined and enumerated for the automotive industry (important automotive data). For more information, please refer to our previous article: the Interpretation of the Several Provisions on Automobile Data Security Management (Trial).
This condition targets only “important data”. Under the DSL, however, if the data to be transferred across borders contains “national core data”, i.e. data concerning national security, the lifelines of the national economy, people’s livelihood, significant public interests and the like, security assessment will certainly be required and the Data Processor will be subject to more stringent scrutiny. The Ministry of Industry and Information Technology (“MIIT”) goes further in its recently released Measures for Data Security Management in Industry and Information Technology (for Trial Implementation) (Draft for Comment), which expressly provides that “core data shall not be transferred across borders”.
3. A Personal Information Processor that has processed the personal information of more than one (1) million people provides personal information overseas; and
4. The personal information of more than 100,000 people or the sensitive personal information of more than 10,000 people is transferred overseas cumulatively
These are the two triggers for the security assessment of the cross-border transfer of personal information (including sensitive personal information). According to Article 40 of the PIPL, Personal Information Processors who process personal information in an amount reaching the threshold specified by the national cyberspace authority shall store locally the personal information collected and/or generated within the territory of the PRC. If it is necessary to provide such personal information to overseas recipients, they shall pass the security assessment organised by the national cyberspace authority; and if laws, administrative regulations and the national cyberspace authority provide for exemption of such security assessment, such provisions shall prevail.
It is clear that the rules on applying for security assessment for the cross-border transfer of personal information set out in the Measures derive from Article 40 of the PIPL. The key to understanding these two triggers therefore lies in how to interpret the wording “process personal information in an amount reaching the threshold specified by the national cyberspace authority” in that article. As provided in the Measures, these two conditions carry two layers of meaning: 1) a Personal Information Processor that possesses, stores, owns or controls the personal information of more than one million people is required to apply for security assessment before providing any personal information to overseas parties; as mentioned above, this is based on the special identity of the Personal Information Processor, whose cross-border transfers of personal information are presumed to be high-risk; and 2) the condition that “the personal information of more than 100,000 (inclusive) people or the sensitive personal information of more than 10,000 (inclusive) people is transferred overseas cumulatively” is based on the objective risk posed by the cross-border provision itself. In other words, an application for security assessment is required once the cumulative transfer reaches the personal information of 100,000 people or the sensitive personal information of 10,000 people, whatever the size of the processor’s overall holdings.
These meanings are not difficult to understand. The PIPL includes both the “storage” and the “cross-border provision” of personal information in its definition of personal information processing, so on a textual reading both conditions 3 and 4 are triggers for the security assessment of the cross-border transfer of personal information and sensitive personal information. Taking into account general enterprise practice, we expect these triggers to be met easily, as Personal Information Processors have their own user bases and engage in cross-border transfers due to business needs; applying for the security assessment may therefore become a “required move” for such enterprises. Since the assessment brings higher compliance costs, data localization may be an alternative that alleviates compliance pressure in the long run.
(II) Key assessment matters and contents of the security assessment of cross-border data transfer
The relevant provisions of the Measures further elaborate on and supplement the key matters and review points for the security assessment of cross-border data transfer, which strengthens the implementation of the security assessment system and makes the regulations more effective as practical guidance.
First, in line with the legislative purpose of risk prevention, Article 8 of the Measures provides that “the security assessment of cross-border data transfer shall focus on assessing the risks to national security, public interests, and the legitimate rights and interests of individuals or organisations that the cross-border data transfer may cause”, mainly including the following matters:
1. Lawfulness, legitimacy and necessity of the purpose, scope and method of the cross-border data transfer;
2. The impact of the data security policies and regulations and the network security environment of the country or region where the overseas recipient is located on the security of the data transferred abroad, and whether the data protection level of the overseas recipient meets the requirements of the laws and administrative regulations of the PRC and the mandatory national standards;
3. The quantity, scope, type and sensitivity of the data transferred abroad, and the risks of leakage, tampering, loss, damage, transfer, or illegal acquisition or illegal use of such data during or after the cross-border transfer;
4. Whether data security and the rights and interests in personal information can be adequately and effectively protected;
5. Whether the contracts concluded between the Data Processor and the overseas recipient fully specify the responsibilities and obligations for data security protection;
6. Compliance with Chinese laws, administrative regulations and departmental rules; and
7. Other matters that the national cyberspace authority considers necessary to assess.
As can be seen from the above matters, in order to reach an objective and comprehensive assessment result, Data Processors are required to disclose as completely as possible the whole lifecycle of the cross-border data transfer. As to lawfulness, legitimacy and necessity, the assessment considers whether the cross-border data transfer is explicitly prohibited by laws and regulations, whether it complies with the treaties and agreements on cross-border data transfer concluded between China and other countries and regions, whether a transfer based on the consent of the personal information subjects has obtained their separate consent, and whether the transfer is “necessary for normal business activities” (i.e., whether it is actually necessary to provide the data to overseas parties).
The security assessment therefore looks not only at the transferring party’s motivation for the transfer, its transfer methods and the scope of the data, but also at the political and legal environment of the country or region where the data recipient is located, and at the likelihood that a data security incident in the recipient’s environment could lead to adverse consequences such as data leakage. In addition, certain regulatory requirements, such as a data transfer agreement, have become necessary elements in assessing cross-border transfer risks.
Second, the Measures further elaborates on “whether the contracts concluded between Data Processors and overseas recipients fully specify the responsibilities and obligations for data security protection”; such contracts shall include, but are not limited to, the following:
1. The purpose, method and scope of the cross-border data transfer, and the overseas recipient’s purpose and method of data processing;
2. The location and duration of overseas data storage, and the measures for dealing with the data after the storage period expires, the agreed purpose is fulfilled or the contract is terminated;
3. Clauses restricting the overseas recipient from re-transferring the data transferred abroad to other organisations or individuals;
4. The security measures to be taken in the event of any material change in the actual control or business scope of the overseas recipient, or any change in the legal environment of the country or region where the overseas recipient is located, that makes it difficult to guarantee data security;
5. Liability for any breach of the data security protection obligations, and binding and enforceable dispute resolution clauses; and
6. Proper emergency response in the event of data leakage and other risks, and guaranteed open channels for individuals to safeguard their personal information rights and interests.
The above six matters should be covered and agreed upon in any cross-border data transfer agreement. Beyond the conventional provisions that Data Processors may already use, it should be noted that the Measures imposes a specific requirement to restrict the overseas recipient from re-transferring the data, and proposes that the parties may need to agree on the specific means of enforcing that restriction. The data security rights and obligations that should be clearly agreed in the contract are further refined into “data security measures under special circumstances (changes in the nature or scope of the recipient’s business, or changes in the legal environment of the jurisdiction where it is located)”, “the enforceability of the breach-of-contract and dispute resolution provisions”, “the response methods and the channels for protecting personal information rights and interests”, and other aspects.
(III) The basic process and possible results of the security assessment of cross-border data transfer
The Measures clarifies the basic process for applying for the security assessment of cross-border data transfer, and also makes enforceable and detailed regulations on the possible results (including procedural results and substantive results) of the application by Data Processors. For a clearer understanding, please see the following diagram that illustrates the relevant procedural specifications and the possible outcomes of the assessment.
Diagram: basic process and possible results of the security assessment of cross-border data transfer
IV. Self-assessment of the risks of cross-border data transfer
Unlike the application to the competent authorities for security assessment, which is required only when specific triggers are met, the self-assessment of the risks of cross-border data transfer is, under Article 5 of the Measures, a legal obligation that every Data Processor must fulfil before providing data abroad.
First, with regard to the cross-border transfer of important data, Article 31 of the DSL provides that the administrative measures for the security management of the cross-border transfer of important data collected and produced by data processors during their operations within the territory of the PRC shall be formulated by the state cyberspace administration in concert with the relevant departments under the State Council. As part of the “administrative measures for the security management of cross-border transfer” referred to in that Article, the risk self-assessment is therefore a mandatory requirement under the CAC’s administration.
Second, with respect to the cross-border transfer of personal information, Article 55 of the PIPL requires Personal Information Processors to conduct a personal information protection impact assessment in advance of providing personal information to overseas parties. We understand that the risk self-assessment before cross-border transfer under the Measures and the statutory personal information protection impact assessment may occur simultaneously and overlap in practice. Unlike the security assessment conducted by the competent authorities, however, both the risk self-assessment and the impact assessment are “self-disciplined” conduct of the enterprise itself. Therefore, in order to improve data compliance efficiency and save compliance costs, when designing a personal information protection impact assessment specifically for cross-border business scenarios, enterprises may treat the risk self-assessment specified in the Measures as an impact assessment for that special scenario. They are advised to combine the assessment requirements highlighted in the Measures with the requirements for the impact assessment, and to hand the result to the department and colleagues responsible for personal information protection compliance for implementation.
And last, the Measures clearly require that prior to providing data abroad, a Data Processor shall conduct self-assessment of the risks of cross-border data transfer, with emphasis on the assessment of the following matters:
1. Lawfulness, legitimacy and necessity of the purpose, scope and method of the cross-border data transfer and the overseas recipient’s data processing;
2. The quantity, scope, type and sensitivity of data transferred abroad, and the risks to national security, public interests, and the legitimate rights and interests of individuals or organisations that may arise from the cross-border data transfer;
3. Whether the Data Processor’s management, technology and capabilities in the data transfer link can prevent data leakage, damage and other risks;
4. The responsibilities and obligations that overseas recipients undertake to assume, and whether their corresponding management, technology and capabilities can ensure the security of data transferred abroad;
5. Data leakage, damage, tampering, abuse and other risks after cross-border transfer and re-transfer, and whether the channels for individuals to maintain their rights and interests in personal information are unblocked; and
6. Whether the relevant contracts on cross-border data transfer concluded with overseas recipients fully specify the responsibilities and obligations for data security protection.
The above risk self-assessment of cross-border data transfer focuses on essentially the same key matters and risks as the security assessment of cross-border data transfer performed by the relevant competent authorities. Therefore, we believe that Data Processors’ risk self-assessment of cross-border data transfer does not bring down the requirements and standards of the assessment, the necessary assessment matters, or the obligations and responsibilities of self-assessment. For enterprises involved in cross-border data transfer in their daily business, it has become an imperative compliance task to establish an internal security management system of cross-border data transfer in strict accordance with the requirements of relevant laws and regulations.
V. Legal liabilities for violating the Measures
Article 17 of the Measures highlights the legal liabilities for data processing in violation of the security assessment system of cross-border data transfer: “Anyone who violates the Measures shall be punished in accordance with CSL, DSL, PIPL and other laws and regulations; if a crime is constituted, criminal liability shall be pursued in accordance with the law.”
We understand that the penalty provisions in the CSL, the DSL and the PIPL relating to violations of cross-border data transfer security and non-compliance with cyber security, data security and personal information protection obligations will be applied. The details are as follows:
| Term | Content |
| --- | --- |
| Article 66 of the CSL | Where CIIOs violate Article 37 hereof by storing or providing network data outside the PRC, the relevant competent authority shall order corrections, give warnings, confiscate illegal gains, impose a fine between RMB 50,000 and RMB 500,000, and order the suspension of related business activities or cessation of business operations for rectification, shutdown of websites, revocation of the relevant business permit or business license and a fine between RMB 10,000 and RMB 100,000 on the directly responsible person in charge and other directly responsible personnel each. |
| Article 46 of the DSL | Where important data is provided across borders in violation of Article 31 hereof, the relevant competent authority shall order corrections and give warnings, confiscate illegal gains, and impose an additional fine between RMB 100,000 and RMB 1 million, and may impose a fine between RMB 10,000 and RMB 100,000 on the person directly in charge and other directly responsible personnel. If violations are grave, the relevant competent authority shall impose a fine between RMB 1 million and RMB 10 million, and may order the suspension of related business activities, cessation of business operations for rectification, revocation of the relevant business permit or business license, and a fine between RMB 100,000 and RMB 1 million on the directly responsible person in charge and other directly responsible personnel each. |
| Article 66 of the PIPL | Where personal information is processed in violation of this Law, or personal information is processed without fulfilling personal information protection obligations under this Law, the departments performing personal information protection duties and responsibilities shall order corrections, give warnings, and confiscate illegal gains, and order the provisional suspension or termination of service provision of any application programs unlawfully processing personal information. If correction is refused, a fine of not more than RMB 1 million is to be additionally imposed, and the directly responsible person in charge and other directly responsible personnel shall each be fined between RMB 10,000 and RMB 100,000. Where the unlawful acts mentioned in the preceding paragraph are grave, the departments performing personal information protection duties and responsibilities at or above the provincial level shall order corrections, confiscate illegal gains, and impose a fine of less than RMB 50 million, or less than 5% of the previous year’s turnover, and may order the suspension of related business activities or cessation of business operations for rectification, and notify the relevant competent department to revoke the relevant business permit or business license. The directly responsible person in charge and other directly responsible personnel shall each be fined between RMB 100,000 and RMB 1 million, and may also be prohibited from holding positions of director, supervisor, senior officer, or personal information protection officer in any relevant enterprises within a certain period of time. |
Provisions on the legal liabilities are not only based on the three major laws mentioned above, but also on the Law on the Protection of Rights and Interests of Consumers, the Law on Administrative Penalties for Public Security and even the Criminal Law. In addition, as “regulations” also provide for the above legal liabilities, the improvement of China’s cybersecurity and data compliance laws and regulations system paves the way for better application of special regulations (such as the Security Protection Regulations for Critical Information Infrastructure) and the regulatory requirements of specific sectors and industries.
Conclusion
The Measures comes at a critical juncture. On 1 November 2021, the PIPL came into force, following the DSL on 1 September 2021 and the CSL on 1 June 2017. We are witnessing the gradual improvement in China’s cybersecurity, data security and personal information protection, and establishment of a well-regulated cyberspace underpinned by a series of supporting laws and regulations such as the Measures.
As for the Chinese model of cross-border data transfer security management, we discussed it in our previous article: Exploring the Rules of China’s Cross-border Data Flow in a Global Perspective. Combined with the relevant provisions of the Measures, we have also written down our thoughts on the corresponding issues in this article. Overall, establishing and strictly implementing a security assessment system is an important part of security management system of cross-border data transfer, which can help us better control potential risks in cross-border data transfer. How to better set the trigger mechanism for the operation of the security assessment system to balance security and development remains a topic worthy of discussion by all parties in the future.
In the new era of comprehensive network data security and personal information protection, Data Processors, in addition to actively preparing for implementing relevant compliance measures, need to pay attention to compliance risk control in every link and detail of the whole data lifecycle management, emerging conflicts and requirements brought by technological development and regulatory trends, and the importance of compliance in data-driven business operations.