Legal update: Security assessment measures on PRC cross-border data transfers


In this snapshot legal update, the Office of the Privacy Commissioner for Personal Data (“PCPD”) reminded businesses in Hong Kong to take timely follow-up actions and seek professional advice to comply with the relevant requirements of the Security Assessment Measures on Cross-border Transfers of Data (“Measures”) of the PRC Cyberspace Administration of China (“CAC”), which came into operation on 1 September 2022.  The Measures set out the considerations and procedures on how to carry out the security assessment required under the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law of mainland China.

The new regulation is important for companies in Hong Kong that have business operations in mainland China, as it could affect those that involve transferring personal data outside of mainland China. Specifically, companies will be required to meet the data transfer standards and requirements specified under PRC laws. Also, a Hong Kong data importer receiving data from a data exporter based in mainland China can expect to be required to enter into a data processing agreement that contains provisions intended to ensure the protection of data to the standards required under PRC laws.

Data processors must now report their security assessments on cross-border transfers of data to the CAC if either of the following conditions is met:

  1. the data exporter is transferring “important data”; or
  2. the data exporter:
    1. is an operator of critical information infrastructure; or
    2. possesses personal information of over 1 million persons; or
    3. has cumulatively made outbound transfers of personal information of over 100,000 persons, or sensitive personal information of over 10,000 persons since 1 January of the preceding year.

The term “important data” is widely defined as any data which, if tampered with, damaged, leaked, or illegally acquired or used, may endanger national security, the operation of the economy, social stability, public health and security of mainland China.

These are some key factors to be addressed in the security assessment report:

  1. The lawfulness, propriety and necessity of the cross-border transfer, and the purpose, scope and manner of processing of the data by the recipient outside the jurisdiction;
  2. The quantity, scope, category and sensitivity of the outbound data, and the risks that cross-border transfer of data might pose to national security, public interests, and the lawful rights and interests of individuals or organisations; 
  3. Whether the responsibilities and obligations undertaken by the recipient outside the jurisdiction, and the management and technical measures and capabilities of such recipient to perform those responsibilities and obligations, can meet the outbound data security standards required by PRC law;
  4. The risks of the outbound data suffering from alteration, destruction, leakage, loss, transfer, illegal acquisition or illegal use during and after the cross-border transfer, and whether or not channels are available to uphold personal information rights and interests;
  5. Whether data security protection responsibilities and obligations are sufficiently stipulated in the contract, or other documents with legal effect, intended to be concluded with the recipient outside the jurisdiction regarding the cross-border data transfer; and
  6. Other matters that may affect the security of the cross-border data transfer. 

The Measures have not clarified whether an entity based outside of mainland China that collects data directly from its users in China is required to undergo the security assessment.

The Measures provide a six-month grace period expiring on 28 February 2023 for companies to fully achieve compliance, after which enforcement may result in the suspension of cross-border data transfer and other penalties.

The full text of the Measures (Chinese only) is available here. The CAC’s responses to media enquiries on the Measures (Chinese only) are available here. The media statement of the Privacy Commissioner for Personal Data is available here.

Pádraig Walsh and Stephanie Sy 


Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.