Background information on the PIPL security assessment. On July 7, China’s top regulator, the Cyberspace Administration of China (CAC), released the final version of the data export security assessment measures (Security Assessment Measures or Measures). According to Article 40 of China’s Personal Data Protection Law (PIPL), both handlers, i.e., personal data processors (the PIPL equivalent of a controller under the GDPR), and critical information infrastructure operators (CIIOs) exporting personal data abroad must first undergo a security assessment organized by the State Department of Cybersecurity and Informatization. These Security Assessment Measures are effective September 1, 2022, and existing data export activities must be remediated by March 1, 2023.
Four steps to meet the requirements of China’s PIPL New Security Assessment: Personal data processors (i.e., controllers) seeking a security assessment must take the following four steps: (1) determine if they meet the threshold, (2) conduct a data protection impact assessment, (3) update any data processing agreements, and (4) submit materials to the CAC, if and as required.
1. Threshold. The security assessment measures apply to personal data processors and CIIOs exporting data abroad. The new guidance states that a security assessment is required when a CIIO or handler exports critical data or personal data, and one of the following applies:
a. The export of all important data;
b. The export of personal data if the processor processes personal data of more than one million people;
c. The export of personal data of more than 100,000 people or of sensitive personal data of more than 10,000 people since the previous year; or
d. Any situation provided for by the CAC.
2. Data Protection Impact Assessment (DPIA). To meet the requirement under Article 40 of the PIPL to conduct a self-assessment prior to the export of personal data, an EU-style data protection impact assessment (a “DPIA”) could be used, as the Chinese PIPL self-assessment is very similar to a DPIA under the GDPR, with some additional requirements.
Self-assessment: Before exporting data, a company must first carry out a self-assessment in accordance with Article 5 of the Measures. This DPIA needs to focus on:
a. The validity, necessity and appropriateness of the transfer;
b. The scope, category, size and sensitivity of the data and the impact that the overseas transfer may have on China’s national security, the public interest or the legal rights and interests of any individual or entity;
c. Whether the foreign recipient has sufficiently strong organizational and technical measures in place to protect against data loss or corruption;
d. The risk of data being tampered with, destroyed, leaked, lost, transferred, or illegally acquired or used during or after export, and whether channels have been put in place to protect the rights and interests of data subjects in their personal data;
e. Whether data protection responsibilities and obligations are fully specified in data export contracts or other legal documents drafted with the foreign recipient; and
f. Any other matter that may affect the security of the exported data.
3. Data processing agreements (DPA). According to Article 9 of the Measures, all legal documents between the exporter and the foreign recipient, such as the data processing agreement, must contain several provisions. Many of the requirements are similar to those of the GDPR. However, this DPA provides more specific remedies, requires the foreign recipient to adhere to security measures, and requires the determination of actions to be taken when data is tampered with. The DPA requirements under Article 9 of the PIPL include:
a. The purpose, method and scope of the exported data and the purpose and method of data processing by foreign recipients;
b. Place and duration of data storage abroad as well as measures to handle exported data after the retention period has expired, the agreed purpose has been fulfilled or the legal documents have been terminated;
c. Mandatory requirements for foreign recipients to transfer data to other organizations or individuals;
d. Security measures the overseas recipient is required to take if there is a material change in its actual control or scope of business, or if there are changes in the privacy policies, regulations, and network security environment of the country or region in which it is located, or other force majeure circumstances occur that make it difficult to ensure data security;
e. Remedies, liability for breach of contract and dispute resolution methods for breach of data protection obligations set out in legal documents; and
f. The requirements for properly carrying out emergency response measures, and the ways and means for individuals to protect their rights and interests in personal data, if exported data is tampered with, destroyed, leaked, lost, transferred, or illegally acquired or used.
4. Submission of Materials. The final package of materials to be submitted to the CAC will include: (i) the Declaration, (ii) the DPIA, (iii) the DPA, and (iv) any other materials required by the CAC. Once the materials are submitted, the CAC has seven business days to decide whether to accept the materials. Once acceptance is complete, the CAC oversees its own assessment of data export activities, taking into account many of the same factors considered during the self-assessment. This state assessment is conducted within 45 business days of acceptance of the application. A security assessment is valid for two years; however, in some cases new assessments are required, e.g., if the company changes the purpose or scope of the data processing activity abroad.
Four important steps before September 1, 2022. As the measures come into effect on September 1, 2022, steps to comply should be taken quickly:
1. Conduct a data inventory to determine whether important or personal information has been exported and whether you meet the thresholds set out in Article 4 of the Measures.
a. Check whether these data transfers are necessary and determine whether they can be performed entirely within China.
b. Pay particular attention to the extent of collection of online tracking data (e.g., cookies and web beacons) when this data is processed internationally.
2. Conduct data protection impact assessments on existing and future practices. Leverage and extend your EU DPIA to meet PIPL requirements quickly and cost-effectively.
3. Consider updating DPAs to incorporate global updates, including those under PIPL, GDPR and the UK. Although the assessment deadline is September 1, 2022, many companies are using the EU SCC deadline of December 27, 2022 as the driving force to address global DPA updates.
4. Update internal policies and procedures to ensure these security assessments are conducted in a timely manner. Although there has not been much enforcement activity under PIPL, once the security assessment becomes effective on September 1, 2022, it will include a specific action point and submission requirement that the CAC can use in connection with any investigation or regulatory action that it might undertake. Also note that for existing data export activities, remediation must be completed by March 1, 2023.
As always, Troutman Pepper’s Privacy + Cyber Practice stands ready to assist with global privacy and security compliance, including developing and conducting threshold analysis and security assessments under PIPL, if required.
Important data is defined in Article 20 of the Measures and refers to data affecting national security, economic operation, social stability, public health, security, etc.