China Regulations – Measures for Security Assessment of Data Export
This article is part of the series on China’s regulatory policy updates, reports and advertising laws. If you have missed out on any of the articles from this series, you can click the following titles to read more – Anti-Monopoly Crackdown, PIPL, Advertising Law, October Update, November Update, December Update, January Update (XiaoHongShu Bans 39 Brands), Medical Advertising, March Update, IP Location Regulations, Didi US$1.2 Billion Fine.
China’s “Measures for Security Assessment of Data Exports” has been officially implemented since September 1, 2022. Many overseas enterprises were not clear on this law as it was ambiguous, now that the law has been implemented the rules have been made more clear. We aim to spell out the salient points that would impact global businesses.
1. What are the situations of data export?
Physical transfer Data processors collect data generated from operations in China and transfer and store data abroad. It should be noted that “exit” refers to going from the mainland to other countries or regions. In the context of China’s “data export”, Hong Kong, Macao and Taiwan regions belong to the overseas scope.
Overseas visits Although the data generated by domestic operations are stored in China, overseas organizations and individuals can access, view, and call (except for public information and web page access)
2. What are the typical scenarios for data export, especially for overseas enterprises entering China?
Overseas enterprises conduct business in China to collect and use domestic user information The enterprise is registered overseas, although it has no physical operations in China, upon carrying out marketing activities in China, during the marketing process, it will collect the personal information of domestic customers, such as email addresses, phone numbers, geographical location, etc., and upload to the overseas marketing systems for analysis, to target product recommendation and sales. Note - Personal information: Various information related to identified or identifiable natural persons recorded electronically or otherwise, such as name, phone numbers, email address, location information, etc., excluding anonymized information.
Overseas group companies collect and use domestic data This is common in multinational corporations. Multinational corporations set up branches in China, which are responsible for business operations in China, and are also managed by overseas group headquarters. At the headquarters' request, it is necessary to provide contact information, product sales data, employee information, etc., generated during its operation for analysis and processing by the overseas group headquarters, to make unified decisions.
3. Are you an enterprise that needs to worry about the security of outbound information?
Companies that need to declare are:
(1) The data processor provides important data overseas;
(2) Critical information infrastructure operators and data processors handling the personal information of more than 1 million people provide personal information overseas;
(3) Data processors who have provided personal information of 100,000 people or sensitive personal information of 10,000 people cumulative overseas since January 1 2020;
(4) Other situations required to declare data export security assessment as stipulated by the Cyberspace Administration of China
Before exporting data, the enterprise needs to submit a security assessment request to the national cybersecurity and information departments after self-assessment, and the data can only be exported after the assessment is passed. (Self-inspection template and declaration form download link are attached)
The standard security assessment process takes longer (at least 3 months). For enterprises that do not meet the requirements but have carried out data export activities, they shall complete the rectification within 6 months from the date of implementation of these measures (September 1), and the deadline is February 28, 2023.
We will continue to follow China’s regulatory policy updates, contact us to understand more and discuss China’s marketing strategies.