国家互联网信息办公室公布《数据出境安全评估办法》-中共中央网络安全和信息化委员会办公室 (cac.gov.cn)
Bing Translation:
On 7 July, the Cyberspace Administration of China promulgated the Measures for Security Assessment of Data Export (hereinafter referred to as the Measures), which came into effect on 1 September 2022. The relevant person in charge of the State Internet Information Office said that the purpose of promulgating the Measures is to implement the provisions of the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, standardize data export activities, protect personal information rights and interests, safeguard national security and social public interests, promote cross-border security and free flow of data, and effectively ensure development with security and promote security with development.
In recent years, with the vigorous development of the digital economy, cross-border data activities have become more and more frequent, and the demand for data export by data processors has grown rapidly. Clarifying the specific provisions of data outbound security assessment is the need to promote the healthy development of the digital economy, prevent and resolve cross-border data security risks, the need to safeguard national security and the social public interest, and the need to protect the rights and interests of personal information. The Measures stipulate the scope, conditions and procedures for data export security assessment, and provide specific guidance for data export security assessment work.
The Measures make it clear that these Measures apply to the security assessment of important data and personal information collected and generated in the course of operations within the territory of the People’s Republic of China provided by data processors abroad. It is proposed that the security assessment of data export adheres to the principles of combining prior assessment and continuous supervision, and combining risk self-assessment with security assessment.
The Measures stipulate the circumstances in which a data export security assessment shall be declared, including the situation in which data processors provide important data abroad, critical information infrastructure operators and data processors that handle personal information of more than 1 million people provide personal information abroad, data processors who have provided 100,000 personal information abroad or 10,000 sensitive personal information that have been provided abroad since January 1 of last year, and other situations where data processors that need to declare data export security assessments are required as stipulated by the state internet information department.
The Measures put forward specific requirements for data export security assessment, stipulating that data processors should carry out self-assessment of data export risks before declaring data export security assessments, and clarifying key assessment matters. It is stipulated that the data processor shall clearly stipulate the responsibility and obligation for data security protection in the legal documents concluded with the overseas recipient, and shall re-declare the assessment if circumstances affecting the security of data export occur during the validity period of the data export security assessment. In addition, it also clarifies the data export security assessment procedures, supervision and management systems, legal responsibilities, and compliance rectification requirements.