What Hong Kong businesses need to know about data transfer: security assessment requirements for cross-border data transfer in China
Introduction
When China's Cybersecurity Law came into effect on 1 June 2017, it was accompanied by the draft Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data, released to solicit public comments. Since then, the Data Security Law and the Personal Information Protection Law (the "PIPL") have been promulgated; both touch on "important data" and on the cross-border transfer of such data and of other data, such as the personal data of Chinese citizens.
On 7 July 2022, the Cyberspace Administration of China ("CAC") promulgated the Measures on Security Assessment for Data Exports (the "Measures"), which came into effect on 1 September 2022. This article sets out the security assessment requirements that Hong Kong businesses may need to satisfy for cross-border/cross-boundary data transfers. (Note that personal information under the PIPL is subject to further requirements, such as obtaining consent and carrying out personal information protection impact assessments, which are not covered here.)
The Measures
Application
Generally speaking, and like the General Data Protection Regulation (GDPR) of the European Union, China's data-related laws restrict the transfer out of the country of personal information (data) and other important data collected and generated during operations in China or relating to Chinese citizens, and in some cases require such data to be stored locally. Article 4 of the Measures provides that a data processor transferring data out of China must apply to the CAC for a security assessment if any of the following criteria is met:
1. the data processor transfers important data across the border/boundary;
2. the data processor transferring important data or personal information across the border/boundary is an operator of Critical Information Infrastructure ("CII");
3. the data processor transferring personal information across the border/boundary processes the personal information of over 1 million persons;
4. the data processor transferring personal information across the border/boundary has, since 1 January of the preceding year, cumulatively transferred abroad the personal information of over 100,000 persons or the sensitive personal information of over 10,000 persons; and
5. any other situation in which the CAC requires an application for security assessment.
Important data
The Measures define "important data" as "any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, or public health and safety."
The precise scope of important data is not yet clear, and it may take some time before the detailed scope of important data is identified. It includes information such as:
Sensitive personal information
Under the PIPL, sensitive personal information is personal information that, once leaked or illegally used, may easily lead to the infringement of an individual's personal dignity or to harm to personal or property safety. The examples given in the PIPL are:
1. biometrics;
2. religious beliefs;
3. specific identity, such as gender identity and sexual preferences;
4. medical health;
5. financial accounts;
6. whereabouts; and
7. personal information of minors under the age of 14.
Cross-border data transfer
The Measures do not define the term "cross-border data transfer", but according to the CAC, the following scenarios are considered cross-border data transfers subject to security assessment:
1. the data processor transfers data collected and generated in China to, and stores it in, a location outside the territory of China; and
2. the data processor stores data collected and generated within China inside China, but organisations or individuals outside China have remote access to it.
A transfer of data from Mainland China to Hong Kong in either of the above scenarios is considered a cross-border data transfer, and if the transfer meets any of the criteria set out above, a security assessment will need to be carried out. So if a Hong Kong company wants to remotely access data held in Mainland China from Hong Kong, and that access falls within the scenarios above and meets one of the criteria, for example because it involves the sensitive personal information of 10,000 or more staff or customers in China, a security assessment will need to be conducted.
Where cross-border data transfers carried out before the effective date of the Measures do not conform with the Measures, data processors must rectify the situation within 6 months of the Measures taking effect, that is, by 28 February 2023.
Security assessment procedure
Self-assessment
Before applying for a security assessment, the data processor must first carry out its own self-assessment of the risks of the proposed transfer, and then submit the application, together with the self-assessment report, to the CAC through the cyberspace administration authority at the provincial level. The self-assessment process and report need to consider the following factors:
1. the legality, propriety and necessity of (a) the cross-border transfer and (b) the purpose, scope and manner of processing of the data by the recipient outside the jurisdiction;
2. the quantity, scope, category and sensitivity of the outbound data, and the risks that the cross-border transfer might pose to national security, public interests, and the lawful rights and interests of individuals or organisations;
3. whether the responsibilities and obligations undertaken by the recipient outside the jurisdiction, and the recipient's management and technical measures and capabilities to perform those responsibilities and obligations, can ensure the security of the outbound data;
4. the risk of the outbound data being altered, destroyed, leaked, lost, onward-transferred, or illegally acquired or used during and after the cross-border transfer, and whether channels are available for individuals to uphold their personal information rights and interests;
5. whether data security protection responsibilities and obligations are sufficiently stipulated in the contract, or other document with legal effect, to be concluded with the recipient outside the jurisdiction regarding the cross-border data transfer; and
6. other matters that may affect the security of the cross-border data transfer.
Conclusion
It is important for a Hong Kong business to comply with the Measures if it processes personal data or important data from Mainland China, even remotely and even if it has no presence in Mainland China. Failure to comply may lead to serious consequences: under the PIPL, for example, a fine may be imposed, and in serious cases the fine may be up to RMB 50,000,000 or 5% of the previous year's annual turnover. To comply with the relevant requirements of the Measures, businesses are advised to seek professional and legal advice to avoid, or mitigate, any breach of the relevant data protection laws.
For enquiries, please feel free to contact us at:
E: technology@onc.hk
T: (852) 2810 1212
19th Floor, Three Exchange Square, 8 Connaught Place, Central, Hong Kong
Important: The law and procedure on this subject are very specialised and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors.
Published by ONC Lawyers © 2022