Under China’s data protection regulatory framework, data processors are required to pass a security assessment conducted by the cybersecurity regulator before transferring certain categories or volumes of data out of China. This January, six months after the Cyberspace Administration of China (“CAC”) released the Measures on Security Assessment of Outbound Data Transfers (“Measures”), the Beijing counterpart of CAC reported the first two cases where the data processors passed the security assessments led by CAC, which sheds some light on the uncertainty and complexity of the security assessment.
Uncertainty of Reviewing Process and End of Grace Period
As disclosed by Beijing CAC, as of February 22, 2023, Beijing CAC has assisted more than 310 entities with their potential applications for the security assessment of outbound data transfers, and has received 48 formal applications from organizations in industries such as technology, e-commerce, healthcare, finance, automotive, and civil aviation, including multinational companies. Among the many applications, CAC granted two organizations approval to transfer data out of China, namely the Beijing Friendship Hospital of the Capital Medical University and Air China.
Pursuant to the Measures, an application for the security assessment should first be submitted to the local CAC for review. Once approved at the local level, the application will be escalated to CAC for final approval. Though the total processing time should be no longer than 57 working days as provided in the Measures, the Measures allow CAC to extend the reviewing period if necessary. Therefore, the total processing time is much longer. Given that the 6-month grace period for data processors ended in March 2023, multinational companies that need to transfer data out of China should prepare their security assessment applications in order to be compliant.
For Multinational Companies: Challenging Yet Attainable
Because the details of the two cases approved by CAC have not yet been disclosed to the public, there is no guidance on how the security assessment is currently being processed.
However, as disclosed by Beijing CAC, the applications from some multinational companies are currently under CAC’s review after being approved at the Beijing level. Additionally, Beijing CAC has completed the review process for six other companies; their applications will be provided to CAC for further review. While we will continue to keep an eye on CAC’s review process, we expect to see the first case of a multinational company getting through the review process soon.
In practice, more entities are likely to be subject to security assessment than the Measures require. Multinational companies that need to transfer data out of China should be aware that the CAC-led security assessment is time-consuming and challenging under stringent regulations. They should also be prepared for the data security compliance requirements, such as conducting self-assessments, or seeking professional advice on alternative choices to a security assessment.
Seyfarth’s China team proactively advises foreign clients in connection with their data protection, cross-border data transfers, and other data related compliance matters.
To find out more about Seyfarth’s PRC Practice and how they can help your business, please feel free to reach out to the authors, Wan Li, Leon Mao, and Cece Zhang.