Official Release of the Application Guidelines for Security Assessment of Data Export (Version 1)

2022.09.05 Marissa DONG, Yang LIU, Shuoying LI

On August 31, 2022, the Cyberspace Administration of China (“CAC”) officially released the Application Guidelines for Security Assessment of Data Export (Version 1) (the “Application Guidelines”) before the Security Assessment Measures for Data Export (the “Assessment Measures”) officially come into effect. The Application Guidelines specifically address the application scope, methods, procedures, materials, and queries with respect to security assessments of data exports, to provide guidance for data processors who intend to apply for security assessments of data exports.


The local equivalents of CAC have also been making preparations for the application for security assessments of data exports. For example, on September 2, 2022, the Cyberspace Administration of Jiangsu Province released the Application Guidelines for Security Assessment of Data Export of Jiangsu Province (Version 1) and the Beijing Municipal Cyberspace Administration now provides an inquiry hotline for further information regarding the Application Guidelines.


We have analyzed the more specific processes and requirements stipulated by the Application Guidelines for your reference.


(I) Circumstances that Trigger a Security Assessment


The circumstances that trigger an application for a security assessment of data export under the Application Guidelines are consistent with Article 4 of the Assessment Measures. This includes the export of important data, the export of personal information by critical information infrastructure operators and by data processors processing a large amount of personal information, and the export of a large amount of personal information or sensitive personal information. However, no further explanation is provided for the time being on how to calculate each specific threshold that triggers a security assessment, and it remains to be determined on a case-by-case basis and communicated with regulators.


We note that the Jiangsu Provincial Application Guidelines for Security Assessment of Data Export (Version 1) provides more specific details regarding important data. It requires data processors to determine whether the exported data constitutes important data by referring to industrial standards or, in the absence of industrial standards, the rules set forth in Article 73 of the Network Data Security Regulations (Draft for Comments) regarding the determination of important data, in addition to the definition of “important data” stipulated in the Assessment Measures, and it also provides examples of important data.


(II) Interpretation of Data Exports


The Application Guidelines also provide more specific rules for the determination of data exports. As mentioned by CAC on July 7, 2022 when answering questions from reporters on issues related to the Assessment Measures, data exports referred to in the Assessment Measures include the following situations: (i) a data processor transmits and stores outside the PRC the data that is collected and generated in its operation within the PRC; and (ii) the data collected and generated by a data processor is stored in the PRC and is available to overseas institutions, organizations or individuals to access or download. The Application Guidelines have revised “access or download” to “query, access, download and output”, further clarifying the rules for the determination of data export. The Application Guidelines still retain the expression “other data exports described by CAC,” which allows the regulator to interpret more complicated data exports in future regulatory practice. The Application Guidelines do not clarify whether the processing of the personal information of an individual who is located in China by a data processor who is located outside of China pursuant to Paragraph 2 of Article 3 of the Personal Information Protection Law constitutes a “data export” requiring security assessment, which is subject to further interpretation by CAC in subsequent regulatory processes.


(III) Application Methods and Procedures


There is a requirement under the Assessment Measures that the provincial cyberspace administration shall complete its review of the completeness of the application materials and, if the application materials are determined complete, the provincial cyberspace administration will forward the application materials to CAC. This is described in the flow chart below.

Compared to the application method and procedures under the Assessment Measures, the Application Guidelines provide more specific rules in the following areas:


1. The application shall be filed with the written application materials and accompanied with electronic copies thereof (in the form of a CD-ROM);

2. If the application materials are determined incomplete by the provincial cyberspace administration, the data processor will be given a notice of return of the application and will have no further avenue for any addition or correction at this stage;

3. The data processor shall complete a self-assessment three months prior to the date of the application, and no material change will have occurred to it as of the date of the application; and

4. CAC and the local equivalents of CAC will provide telephone numbers and email addresses for inquiries regarding security assessment of data export.

(IV) Application Materials and Highlights


Compared to the Assessment Measures, the most significant change reflected in the Application Guidelines is the imposition and enforcement of more specific requirements on application materials for security assessment of data export and the provision of relevant templates.


1. The more specific application materials include:

(1) A Unified Social Credit Code Certificate;

(2) An identity document of the legal representative;

(3) An identity document of the authorized representative for filing the application;

(4) The power of attorney for the authorized representative for filing the application (template);

(5) The Application Form for Security Assessment of Data Export (template), including the Letter of Undertaking and the Application Form for Security Assessment of Data Export;

(6) The contract or other legally binding document to be executed by the data processor and the overseas recipient with respect to the data export;

(7) The Risk Self-Assessment Report on Data Export (template); and

(8) Any other supporting material.


2. The above application materials reflect the following updates:

(1) The Letter of Undertaking requires data processors to provide undertakings not only on the lawful collection and use of exported data, but also on the authenticity, accuracy, completeness and validity of the application materials;


(2) The Application Form for Security Assessment of Data Export requires data processors to provide particulars of its own and of the data export, the data to be exported, the overseas recipient, and legal documents for the data export. It is especially noteworthy that:

  • data processors are required to provide particulars of data security officers and management bodies of its own and the overseas recipient;

  • if the data to be exported includes both personal information and important data, data processors are required to provide particulars of both;

  • data processors are required to describe the scale (MB/GB/TB) of the data, in addition to the category of the data to be exported;

  • data processors are required to describe the data export link, such as the link provider, quantity and bandwidth of the links, the name of the data center and the physical location of the server room within and outside of China, and the IP address;

  • with respect to the clauses required to be contained in the export-related legal documents in accordance with Article 9 of the Assessment Measures, data processors are required to specify the name of the document, the relevant clauses, and the pages containing such clauses, in each legal document; and

  • data processors are also required to describe the administrative penalties, investigations, and rectifications imposed by the competent regulatory authorities on it during its business operations in the last two years, with an emphasis on those related to data security and cybersecurity.

(3) CAC provides a Risk Self-Assessment Report on Data Export (Template) to give specific guidance for data processors in preparing their self-assessment reports. We summarize below the specific highlights of this template.


(V) Highlights of Risk Self-Assessment Report on Data Export (Template)


The Application Guidelines also provide a Risk Self-Assessment Report on Data Export (Template) (“Self-Assessment Report Template”), which sets forth the specific matters to be assessed and analyzed in the self-assessment report and provides important guidance and reference for data processors in preparing the self-assessment report.


1. The self-assessment is required to be completed three months prior to the application for security assessment of data export, and no material change shall occur as of the date of application;

2. In the case of any third-party institution participating in the self-assessment, the data processor is required to describe the basic particulars of the third-party institution, and the participation of the third party in its assessment and affix the official seal of the third-party institution to the pages containing the description;

3. The self-assessment report shall include four parts: a brief description of the organization and implementation of the self-assessment, an overview of the data export, a risk assessment of the proposed data export, and a conclusion of the risk self-assessment of the data export. It is noteworthy that data processors in the self-assessment report are required to address:


(1) The particulars of the data processor, not only the general registered information and the business and information system involved in the data export, but also the actual controller, general business and data, and investments in or outside of China;

(2) An assessment of the data security protection capability of the data processor. This includes the establishment of a governance structure and management rules, the management plan for the entire process, classification and rating, emergency response, risk assessment, protection of personal information rights and interests, and other rules and policies, and the implementation of the foregoing. It also should include the technical security measures adopted through the entire process of the data collection, storage, use, processing, transmission, provision, disclosure and deletion as well as proof of the effectiveness of the data security protection measures, such as the data security risk assessment, the data security capability certification, and the classified cybersecurity protection assessment (MLPS);

(3) An assessment of the overseas recipient, not only describing the particulars of the overseas recipient, the data security protection capacity of the overseas recipient, and the data security protection rules and regulations and cybersecurity environment in the country or region where the overseas recipient is located, but also describing the entire flow chart of data processing by the overseas recipient;

(4) A risk assessment of each of the significant matters required to be assessed under Article 5 of the Assessment Measures, with an emphasis on the issues and potential risks identified by the assessment, and the corresponding corrective measures taken and their effectiveness; and

(5) The conclusion of the risk self-assessment, with full reasons and arguments to support such a conclusion.


(VI) Our Observations and Suggestions


The above is our summary of the specific rules and additional requirements under the Application Guidelines with respect to security assessment of data export. We hereby provide the following preliminary advice for enterprises on how to comply with such rules and requirements:


1. If you have not yet reviewed your data exports, it is advised to start checking and reviewing them as soon as possible to determine whether they are subject to application for security assessment of data export in accordance with the Assessment Measures. Considering the overall compliance arrangements, it is advised to complete preparation work as soon as possible.


2. If you do need to apply for security assessment of data export:

(1) It is difficult to complete applications with both CAC and the provincial equivalent of CAC, and successfully pass their security assessment of data export within the six-month remedy period required under the Assessment Measures; therefore, it is advised to engage a third-party professional institution to help you make a project plan using the backward scheduling method and specify the responsibilities and obligations of all participants in a security assessment of data export, so as to complete the preparation and submission of the application materials as soon as possible;

(2) It is advised to conduct a self-assessment on data export to assess each matter required to be assessed in the self-assessment report template and make every effort to correct and rectify issues and problems identified in the self-assessment; and

(3) It is advised to prepare other application materials concurrently as required by the Application Guidelines.


3. It is also advised to consider deployment of a localization system in advance according to your own specific situation, to avoid any impact on business continuity in the case of your failure to pass the security assessment of data export.
