China Adopts Data Export Regulation, Drafts Standard Contract

The previous week witnessed two significant developments relating to facts export from China. On one hand, the knowledge export-similar regulation was officially adopted which expands the scope of federal government evaluation. On the other hand, the extended-awaited draft private knowledge export standard contract and the rules relating to the application of the agreement were produced for public remark which calls for this sort of contracts to be submitted with the government.

Steps on Details Export Protection Evaluation

On July 7, 2022, the Cyberspace Administration of China (the “CAC”) unveiled the Steps on Information Export Safety Evaluation (the “Measures”). These Steps established out the specific demands on the protection evaluation arranged by the CAC for data export, which is essential under the Personalized Info Security Regulation (“PIPL”) as well as the Facts Protection Legislation. Pursuing a draft model in 2021, the Actions make clear the portions of particular information (“PI”) which tumble underneath the PIPL, and adds new situation that will considerably expand the software of the government’s protection assessment as properly.

Specially, with the information amount threshold of 100,000 individuals’ PI and 10,000 individuals’ sensitive PI, big multinational businesses with more than 10,000 workforce or customers in China really should thoroughly critique whether they would be topic to the government’s protection evaluation.

Threshold for CAC Stability Assessment

Information controllers are demanded to pass the government’s security assessment for details export in any of the following situation:

1. Export of “crucial data”, which means facts that may well endanger national safety, financial operation, social balance, community well being and safety, etc. after it is tampered with, destroyed, leaked, or illegally acquired or made use of.

2. Export of PI by Crucial Details Infrastructure Operators (CIIO). This is in line with the PIPL.

3. Export of PI by a PI controller processing over 1,000,000individuals’ PI (which seems to be the definition of “large volume” PI controller beneath the PIPL).

4. Cumulative export of PI of additional than 100,000 individuals due to the fact January 1 of the preceding calendar year.

5. Cumulative export of delicate PI of over 10,000 individuals considering the fact that January 1 of the prior calendar year, or

6. Other predicaments as stipulated by the nationwide cybersecurity and informatization section.

Situation (4) and (5) are not presented in the PIPL and arguably expands the application of the government’s safety evaluation. It is unclear how the threshold will be calculated. For illustration, whether any update of PI that is formerly exported would be counted inside the present year’s quota.

CAC Assessment Process

Facts controllers topic to the evaluation must perform a self-evaluation very first and submit to the CAC, amid other items, the self-assessment report and the knowledge export/course of action agreements contemplated to be signed with the overseas receiver.

Following obtaining the completed software paperwork, the CAC will have 7 doing work days to determine whether to accept the application, and another 45 operating times to complete the protection evaluation. This duration may well be additional extended without a certain time restrict. These indefinite overview time period has lifted problems of uncertainty that may appreciably effects details move for multinational companies. The consequence of the protection assessment is valid for two a long time.

Grace Time period

The Steps will choose result from September 1, 2022 and provides a 6-month grace interval for complying with the Actions. In other text, data controllers matter to the Measures should really at least make a submitting to CAC in advance of March 1, 2023. Companies in China that are at present exporting crucial details or private knowledge outside of China really should choose speedy action to evaluate whether it falls within the scope of the Actions.

Draft PI Export Typical Deal

Also, in relation to the subject of information export, on June 30, 2022, the CAC produced the Draft Own Info Export Common Agreement and the connected procedures on application of the regular deal (“Draft Standard Contract”) for general public remark.

Info controllers that are NOT subject matter to the government’s stability assessment as offered below the Steps (as specified over) could rely on the signing of the standard agreement to export own details.

Astonishingly, even so, the Draft Normal Agreement call for knowledge controllers to file the executed typical deal (and any amendments thereof) to the authorities (CAC) in just ten times following it normally takes effect, collectively with a PI safety effects assessment report. This is a new need not lined by the PIPL. This necessity could substantially improve the stress of knowledge controllers on facts export, primarily for multinational corporations that usually have globally centralized administration methods.  There are also fears that the filing method may possibly change into a federal government evaluate as the CAC may perhaps overview the submitted normal deal and determine regardless of whether the information export actions are appropriate.

The Draft Common Contract sets out specific specifications on the obligations of the parties in relation to PI defense, and the parties must specify thorough descriptions relating to the export of PI, between other issues, the volume of knowledge, and the processing site. The Draft Typical Contract especially presents that it need to prevail over any other agreements in between the events relating to the issue.

The general public comment period of the Draft Common Agreement will expire on July 29, 2022. We anticipate the last edition may well turn into out there inside this calendar year.

This short article was co-authored by Katherine Supporter.