Managing Cross-Border Data Risk: China Data Cybersecurity Assessment

Doing business in China in times of geopolitical tension and after COVID, you are required to meet China’s growing data compliance regulatory challenges while keeping your company’s and your clients’ data secure.

by Triide  | Jul 24, 2023 | Legal & Regulatory

China Further Raised the Bar on Data Exporting in 2023

With the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information taking effect on 1 June 2023, China’s legislation on data export from China has raised the bar further. Together with the 2017 Cybersecurity Law, the 2021 Personal Information Protection Law, the 2021 Data Security Law and the 2022 cross-border Data Transfer Guidelines, it constitutes the current China data export legislation (the “China Data Export Laws”).

Under the China Data Export Laws, unlike the GDPR, which applies an adequacy principle agreed between the EU and a country or region, China’s data export mechanism runs through an authority, the local Cybersecurity Administration of China (the “CAC”), which decides on a case-by-case basis through either a cybersecurity assessment or a standard contract filing in accordance with the China Data Export Laws. Whichever approval category your entity falls under, China’s approach to data export means that the burden of obtaining the respective approval from the CAC rests with the entity individually.

When Will Your Entity Require CAC Cybersecurity Assessment Approval

Under the China Data Export Laws, a CAC security assessment is required for cross-border data transfers in any of the following circumstances:

  • Cross-border transfers of “important data”
  • Cross-border transfers of personal data by critical information infrastructure (CII) operators
  • Cross-border transfers by a data exporter processing the personal data of 1 million or more individuals
  • Any transfer (in aggregate) of the personal data of more than 100,000 individuals, or of the sensitive personal data of more than 10,000 individuals, that has occurred since 1 January of the preceding year
  • Other situations requiring a security assessment in accordance with PRC laws and regulations

When Will Your Entity Require CAC Standard Contract Filing Approval

Under the China Data Export Laws, if your entity needs to transfer personal information across the border but does not reach the cybersecurity assessment threshold, it is required to obtain standard contract filing approval. For example, an entity that:

  • Is not a CII operator
  • Processes annually the personal information of no more than 1 million individuals
  • From 1 January of last year to date, has transferred the personal information of no more than 100,000 individuals out of China
  • From 1 January of last year to date, has transferred the sensitive personal information of no more than 10,000 individuals out of China

The data exporter shall not split a cross-border transfer into smaller transfers in order to avoid obtaining prior standard contract filing approval.

What stands out in this approval, however, is that the entity is first required to carry out a data privacy impact assessment, since this assessment is one of the key documents supporting your entity’s application for the approval.

Legal Consequences if Not Complying with Data Export Laws

Before we move to the legal consequences for either cybersecurity assessment approval or standard contract filing approval, two points should be made clear.

1. The approvals regulate not only foreign-invested companies in China but also Chinese local business owners that have overseas data flow requirements; and

2. The CAC has the right to reject your application for approval until your entity meets the CAC requirements, which are assessed case by case.

To date, we have seen no more than 10 approval cases in either approval category.

However, your entity will face severe legal consequences if it does not meet China’s Data Export Laws. For example:

  • A ban on the use of your system or app
  • A fine of no more than 5% of your entity’s annual revenue or no more than 50 million RMB
  • A ban on your entity’s operation, or deregistration of your entity from the business registration

Essential Actions for Your Business Regardless of CAC Approval

Even if your entity is not required to obtain approvals from the CAC, you are still required to meet the basics set out in China’s Data Export Laws whenever you need cross-border flows of financial or HR information to manage your business in China.

Some basics you need to know when planning to export data out of China:

1. Data inventory check

The purpose is to know your current data inventory: whether there is “important data” in the business operation, and whether the volume of data flowing across the border reaches the approval threshold.

2. Building up internal data processing guidelines

The purpose is to draw the “red line” for your Chinese employees when handling financial or HR data flows. These are the specific procedures that define what your Chinese employees must follow when dealing with cross-border transfers of HR data or business data.

3. Add a China chapter to the privacy policy or cookie policy of your website or system

Although there are some similarities between China’s Data Export Laws and the GDPR, there are significant differences between the two legislative systems. To avoid any conflict, we suggest that your website or app has a dedicated section governing data exported from mainland China.

4. IT risk assessments for your WeChat platform or your Chinese website

If your entity uses a WeChat platform or a Chinese website to promote the business, we suggest regular IT risk assessments to keep your client data and your company data secure.

5. Consider outsourcing data protection officer services

Hiring a local data expert to deal with daily China data utilization issues will save time and cost as China strengthens its data export controls.

6. Consider data localization and a strategy to segregate your Chinese system/platform

We understand that deploying a separate system, server or Chinese-version platform will be a burden and costly for your entity.

However, in the long run, if your entity has a vision of treating its Chinese subsidiary as an isolated external entity system-wise, it may ultimately benefit the data you collect within mainland China. One Compliance can assist clients in deploying a data localization and system segregation strategy to prepare for and balance the challenges of cross-border data transfer concerns. Our team delivers only the best professional services in data security and privacy protection.

(Author: Grace Chen, Director, One Compliance Consulting)

Triide is a fast-growing and dynamic corporate services provider rooted in Asia. With a multidisciplinary team of experts operating across the Asia Pacific Region, Triide offers comprehensive services from company formation and legal compliance to accounting, tax management, and corporate governance.