
What Hong Kong business needs to know about data transfer – security assessment requirements for cross border data transfer in China

2022-09-30

Introduction

When China's new Cybersecurity Law came into effect on 1 June 2017, it was accompanied by draft Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data (the “Measures”), released to solicit public comments. Since then, the Data Security Law and the Personal Information Protection Law (the “PIPL”) have been promulgated; both touch on “important data” and on the cross-border transfer of such data and of other data, such as the personal data of Chinese citizens.

On 7 July 2022, the Cyberspace Administration of China (“CAC”) promulgated the Measures on Security Assessment for Data Exports, which came into effect on 1 September 2022. This article sets out the steps Hong Kong businesses may need to take to comply with the security assessment requirements for cross-border/boundary data transfers (please note that for personal information under the PIPL there are further requirements, such as obtaining consent and carrying out personal information protection impact assessments).

The measures

Application

Generally speaking, and like the General Data Protection Regulation (GDPR) of the European Union, the data-related laws in China adopt a data localisation rule with respect to personal information (data) and other important data collected and generated during operations in China or relating to Chinese citizens. Article 4 of the Measures provides that an entity that transfers data out of China must apply for a security assessment if any of the following criteria are met:

1. where the data processor transfers important data across the border/boundary;

2. where the data processor that transfers important data and personal information across the border/boundary is an operator of Critical Information Infrastructure (“CII”);

3. where the data processor that transfers personal information across the border/boundary processes personal information of over 1 million persons;

4. where the data processor that transfers personal information across the border/boundary has cumulatively made outbound transfers of personal information of over 100,000 persons, or sensitive personal information of over 10,000 persons, since 1 January of the preceding year; and

5. in other situations prescribed by the CAC where a report on security assessment is required.

Important data

The Measures define the term “important data” as “any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, and public health and safety.”

The precise scope of important data is not yet clear, and it may take some time before its detailed scope is identified. It includes information such as:

Sensitive personal information

Under the PIPL, sensitive personal information refers to personal information whose disclosure or illegal use may easily lead to the infringement of an individual’s personal dignity or to harm to personal or property safety. The examples given under the PIPL are:

1. biometrics

2. religious beliefs

3. specific identity, such as gender identity and sexual preferences

4. medical health

5. financial accounts

6. whereabouts

7. personal information relating to minors under the age of 14

Cross-border data transfer

The Measures do not define the term “cross-border data transfer”, but according to the CAC the following scenarios are considered cross-border data transfers that are subject to security assessment:

1. the data processor transfers and stores data collected and generated in China outside the territory of China; and

2. the data processor stores the data collected and generated within China, but overseas organisations and individuals have remote access to it.

 

A transfer of data from Mainland China to Hong Kong in either of the above scenarios is considered a cross-border data transfer, and accordingly, if the transfer meets any of the criteria set out above, a security assessment will need to be carried out. So if a Hong Kong company wants to remotely access certain data in Mainland China from Hong Kong, and that access falls within the scenarios above (for example, it involves the sensitive personal information of 10,000 staff or customers from China), then a security assessment will need to be conducted.

Where cross-border data transfers carried out before the effective date of the Measures do not conform with the provisions of the Measures, data processors must take steps to rectify the situation within 6 months of the Measures taking effect, namely before 28 February 2023.

Security assessment procedure

Self-assessment

The data processor can carry out its own self-assessment and report the resulting security assessment to the CAC through the local cyberspace administration authority at the provincial level. The self-assessment process and report need to consider the following factors:

1. the legality, propriety and necessity of (a) the cross-border transfer and (b) the purpose, scope and manner of processing of the data by the recipient outside the jurisdiction;

2. the quantity, scope, category and sensitivity of the outbound data, and the risks that the cross-border transfer of the data might pose to national security, public interests, and the lawful rights and interests of individuals or organisations;

3. whether the responsibilities and obligations undertaken by the recipient outside the jurisdiction, and the management and technical measures and capabilities of that recipient to perform those responsibilities and obligations, can ensure the security of the outbound data;

4. the risks of the outbound data suffering alteration, destruction, leakage, loss, transfer, illegal acquisition or illegal use, etc., during and after the cross-border transfer, and whether channels are available to uphold personal information rights and interests, etc.;

5. whether data security protection responsibilities and obligations are sufficiently stipulated in the contract, or other documents with legal effect, intended to be concluded with the recipient outside the jurisdiction regarding the cross-border data transfer; and

6. other matters that may affect the security of the cross-border data transfer.

Conclusion

It is important for Hong Kong businesses to comply with the Measures if they process personal data or important data from Mainland China, even remotely and even where the Hong Kong company has no presence in Mainland China. Failure to comply may lead to serious consequences: under the PIPL, a fine and, for cases of a serious nature, a fine of up to RMB 50,000,000 or 5% of the annual turnover for the previous year. To comply with the relevant requirements of the Measures, businesses are advised to seek professional and legal advice so as to avoid or mitigate breaches of the relevant data protection laws.

For enquiries, please feel free to contact us at:

E: technology@onc.hk
T: (852) 2810 1212
W: www.onc.hk
F: (852) 2804 6311

19th Floor, Three Exchange Square, 8 Connaught Place, Central, Hong Kong

Important: The law and procedure on this subject are very specialised and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors.

Published by ONC Lawyers © 2022


Our People

Dominic Wai
Partner