国家互联网信息办公室公布

《数据出境安全评估办法》

7月7日，国家互联网信息办公室公布《数据出境安全评估办法》（以下简称《办法》），自2022年9月1日起施行。国家互联网信息办公室有关负责人表示，出台《办法》旨在落实《网络安全法》、《数据安全法》、《个人信息保护法》的规定，规范数据出境活动，保护个人信息权益，维护国家安全和社会公共利益，促进数据跨境安全、自由流动，切实以安全保发展、以发展促安全。

　　近年来，随着数字经济的蓬勃发展，数据跨境活动日益频繁，数据处理者的数据出境需求快速增长。明确数据出境安全评估的具体规定，是促进数字经济健康发展、防范化解数据跨境安全风险的需要，是维护国家安全和社会公共利益的需要，是保护个人信息权益的需要。《办法》规定了数据出境安全评估的范围、条件和程序，为数据出境安全评估工作提供了具体指引。

　　《办法》明确，数据处理者向境外提供在中华人民共和国境内运营中收集和产生的重要数据和个人信息的安全评估适用本办法。提出数据出境安全评估坚持事前评估和持续监督相结合、风险自评估与安全评估相结合等原则。

　　《办法》规定了应当申报数据出境安全评估的情形，包括数据处理者向境外提供重要数据、关键信息基础设施运营者和处理100万人以上个人信息的数据处理者向境外提供个人信息、自上年1月1日起累计向境外提供10万人个人信息或者1万人敏感个人信息的数据处理者向境外提供个人信息以及国家网信部门规定的其他需要申报数据出境安全评估的情形。

　　《办法》提出了数据出境安全评估的具体要求，规定数据处理者在申报数据出境安全评估前应当开展数据出境风险自评估并明确了重点评估事项。规定数据处理者在与境外接收方订立的法律文件中明确约定数据安全保护责任义务，在数据出境安全评估有效期内发生影响数据出境安全的情形应当重新申报评估。此外，还明确了数据出境安全评估程序、监督管理制度、法律责任以及合规整改要求等。

《数据出境安全评估办法》答记者问

7月7日，国家互联网信息办公室公布《数据出境安全评估办法》（以下简称《办法》）。国家互联网信息办公室有关负责人就《办法》相关问题回答了记者提问。

国家互联网信息办公室公布

《数据出境安全评估办法》

Measures for Security Assessment for Outbound Data Transfer

Presented by Shihui Partners

Translated by Jing Lu, Raymond Wang and Jeanette Wang

Reviewed by Ian Read

Article 1

In order to regulate outbound data transfer, protect personal information rights and interests, safeguard national security and social and public interests, and promote the security and free flow of outbound data, the Measures for Security Assessment for Outbound Data Transfer (the “Measures”) are enacted in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and other laws and administrative regulations of the People’s Republic of China (together, the “Regulations”).

Article 2

The Measures apply to the security assessment of Important Data and personal information collected and generated during operation within the territory of the People’s Republic of China and transferred abroad by a data handler. Where laws and administrative regulations provide otherwise, such provisions shall prevail.

Article 3

Security assessment for outbound data transfer shall adhere to the combination of a prior assessment and on-going supervision, as well as the combination of risk self-assessment and security assessment, so as to prevent security risks to outbound data transfer and ensure the orderly free-flow of data in accordance with the law.

Article 4

Where a data handler transfers data abroad under any of the following circumstances, it shall, through the local Cyberspace Administration at the provincial level, apply to the State Cyberspace Administration for security assessment for the outbound data transfer:

(1)a data handler who transfers Important Data abroad;

(2)a critical information infrastructure operator, or a data handler processing the personal information of more than 1 million individuals, who, in either case, transfers personal information abroad;

(3)a data handler who has, since January 1 of the previous year cumulatively transferred abroad the personal information of more than 100,000 individuals, or the sensitive personal information of more than 10,000 individuals, or

(4)other circumstances where the security assessment for the outbound data transfer is required by the State Cyberspace Administration.

Article 5

Prior to applying for the security assessment for the outbound data transfer, a data handler shall, in advance, conduct a self-assessment on the risks of the outbound data transfer, and the self-assessment shall focus on the following matters:

(1)the legality, legitimacy and necessity of the purpose, scope and methods of the outbound data transfer, and the processing of the data by the foreign recipient;

(2)the scale, scope, type and sensitivity of the outbound data transfer, and the risks to national security, the public interest or to the legitimate rights and interests of individuals or organizations, caused by the outbound data transfer;

(3)the duties and obligations which the foreign recipient commits to perform, and whether the foreign recipient’s organizational and technical measures and capabilities in terms of performing the duties and obligations can guarantee the security of the outbound data transfer;

(4)the risks of the data being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the outbound data transfer, and whether there is a smooth channel for safeguarding personal information rights and interests;

(5)whether the responsibilities and obligations for data security protection are fully agreed in relevant contracts for the outbound data transfer, or other legally binding documents to be concluded with the foreign recipient (hereinafter collectively referred to as the “Legal Documents”); and

(6)other matters that may affect the security of the outbound data transfer.

Article 6

To apply for security assessment for the outbound data transfer, the following materials shall be submitted:

(1)an application letter;

(2)a self-assessment report on the risks of the outbound data transfer;

(3)the Legal Documents to be concluded between the data handler and the foreign recipient; and

(4)other materials necessary for security assessment.

Article 7

The Cyberspace Administration at the provincial level shall conduct a completeness check of application materials within 5 working days upon receipt thereof. Where the application materials are complete, they shall be submitted to the State Cyberspace Administration; where the application materials are incomplete, they shall be returned to the data handler and the data handler shall be informed (on a one-time basis) of all supplementary materials still required.

The State Cyberspace Administration shall, within 7 working days after receipt of the application materials, determine whether to accept the application and will inform the data handler of the same in writing.

Article 8

The security assessment for outbound data transfer shall focus on the evaluation of the possible risks to national security, public interests, or the legitimate rights and interests of individuals or organizations arising from the activity of outbound data transfer, including the following major points:

(1)the legality, legitimacy and necessity of the purpose, scope and method of the outbound data transfer;

(2)the impact of the data security protection policies and regulations as well as network security environment of the country or region where the foreign recipient is located, and the effect thereof on the security of the data to be transferred abroad; whether the data protection level of the foreign recipient meets the requirements under the laws, regulations and mandatory national standards of the People’s Republic of China;

(3)the scale, scope, types and sensitivity of the data to be transferred abroad, and risks that the data may be tampered with, destroyed, leaked, lost, transferred, illegally obtained or illegally used before or after the outbound data transfer;

(4)whether data security and personal information rights and interests can be fully and effectively guaranteed;

(5)whether the responsibilities and obligations for data security protection are fully agreed in the Legal Documents to be concluded by the data handler and the foreign recipient;

(6)compliance with the laws, regulations and agency rules of the People’s Republic of China; and

(7)other matters that the State Cyberspace Administration considers necessary to assess.

Article 9

A data handler shall expressly agree on the responsibilities and obligations for data security protection in the Legal Documents concluded with the foreign recipient, which shall, at least, include the following matters:

(1)the purpose, method and scope of the data to be transferred abroad, and the purpose and method for processing the data by the foreign recipient;

(2)the location and duration for the storage of the data located abroad, as well as how to process the data located abroad upon the expiry of the storage period, achievement of the agreed purpose, or termination of the Legal Documents;

(3)restrictions on the foreign recipient’s re-transfer of the data located abroad to another organization or individual;

(4)security measures which should be taken in case of a material change to the actual control or business scope of the foreign recipient, or in case of a change to the data security protection policies or regulations, or network security environment of the country or region where the foreign recipient is located, or in case that the data security cannot be guaranteed as a result of any other force majeure event;

(5)remedial measures, liability for breach of contract and dispute resolution mechanism in the event of a violation of data security protection obligations as agreed in the Legal Documents; and

(6)requirements on properly responding to a data security incident, as well as channels and method to safeguard individuals’ personal information rights, when the data located abroad is tampered with, destroyed, leaked, lost, transferred, illegally obtained or illegally used.

Article 10

After accepting an application, the State Cyberspace Administration shall organize relevant departments of the State Council, Cyberspace Administrations at the provincial level and specialized agencies to conduct a security assessment based upon application materials submitted by a data handler.

Article 11

Where the application materials submitted by a data handler are found to be non-compliant during the security assessment process, the State Cyberspace Administration may require the data handler to supplement or correct the non-compliant materials. If the data handler fails to supplement or correct the materials without justified reasons, the State Cyberspace Administration may terminate the security assessment.

A data handler shall be responsible for the authenticity of the materials submitted. If a data handler purposely submits false materials, it shall be deemed as a failure of the assessment, and the data handler shall be held liable according to the Regulations.

Article 12

The State Cyberspace Administration shall, within 45 working days from the date of issuing a written notice of acceptance to the data handler, complete the security assessment for the outbound data transfer; if the situation is complicated or supplementary or corrected materials are needed, the assessment may be extended, and the data handler shall be notified of the expected extension period.

The data handler shall be informed of the assessment results in writing.

Article 13

Where a data handler disagrees with the assessment results, it may, within 15 working days after receipt of the assessment results, apply to the State Cyberspace Administration for re-assessment, and the re-assessment results shall be final.

Article 14

The results of the security assessment for the outbound data transfer are valid for 2 years, commencing from the date of issuance of the assessment results. A data handler shall re-apply for assessment if any of the following circumstances occurs during the period of validity:

(1)the purpose, method, scope and type of data to be transferred abroad, or the purpose and method of data processing by a foreign recipient have changed, affecting the security of the data to be transferred abroad, or extending the period of storage of personal information and Important Data located abroad;

(2)the security of the data to be transferred abroad is affected due to changes in the data security protection policies or regulations, or the network security environment of the country or region where the foreign recipient is located, or any other force majeure event has occurred, or a change to the actual control of the data handler or the foreign recipient has occurred, or any Legal Document between the data handler and the foreign recipient has been amended or ceased to be valid, etc.; and

(3)any other circumstance affecting the security of the data to be transferred abroad.

If it is necessary to continue the outbound data transfer after the expiration of the valid period, the data handler shall re-apply for assessment 60 working days before the expiration of the valid period.

Article 15

The relevant institutions and personnel participating in security assessment work shall keep information confidential in accordance with the law, including matters such as state secrets, personal privacy, personal information, trade secrets, confidential business information and other data they come to know in fulfilling their duties, and shall not divulge or illegally provide the same to others, or illegally use such data.

Article 16

Any organization or individual may report the case to the Cyberspace Administration at the provincial level or above if it finds that a data handler engaged in outbound data transfer in violation of the Measures.

Article 17

As for an outbound data transfer that has passed the security assessment, if the State Cyberspace Administration finds out that the actual data processing activities no longer meet the security management requirements in terms of the outbound data transfer, the State Cyberspace Administration shall notify the data handler in writing to terminate the outbound data transfer. If the data handler needs to continue the outbound data transfer, it shall make rectification as required, and re-apply for assessment after completing the rectification.

Article 18

Any violation of the Measures shall be punished in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and other laws and regulations; if any act is held to constitute a criminal act, criminal liabilities shall be investigated in accordance with the laws and regulations of the People’s Republic of China.

Article 19

For the purpose of the Measures, the term “Important Data” refers to the data that, once tampered with, destroyed, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, public health and security, etc.

Article 20

The Measures shall come into force on September 1, 2022. For the data transferred abroad prior to the effectiveness of the Measures, if it is found that such transfer is not in compliance with the Measures, rectification shall be completed within 6 months upon the effective date of the Measures.

来源：网信中国