On September 1, the Measures for Data Export Security Assessment (the Assessment Measures) officially came into effect. Legal experts in the data field tell ALB that relevant enterprises should coordinate resources and begin upgrading their data compliance work as soon as possible.
As a common business scenario in enterprises' cross-border operations, the export and exchange of important data and personal information are key links that sustain normal business operations. After the "Didi incident" sounded the alarm for cross-border data transfers, the Assessment Measures officially took effect this month. The new rules add a new filing procedure for data exports by enterprises in China, which will undoubtedly raise compliance costs, and relevant enterprises urgently need to assess the possible impact on their business.
It is worth noting that on August 31, the day before the Assessment Measures took effect, the Cyberspace Administration of China (CAC) issued the Guidelines for Application for Data Export Security Assessment (First Edition), which further explain the specific requirements for the application method, procedure and materials for data export security assessment, and attach materials including the application material requirements, the power of attorney for the handling person, the data export security assessment application form and the data export risk self-assessment report.
Who must comply?
Article 2 of the Assessment Measures provides: "These Measures apply to the security assessment of the provision overseas by data processors of important data and personal information collected and generated during operations within the territory of the People's Republic of China. Where laws and administrative regulations provide otherwise, those provisions shall apply." Kevin Duan, partner at Han Kun Law Offices, explains to ALB that the Assessment Measures apply to "data processors", but the meaning of that term is unclear and may also include parties entrusted to carry out data processing activities.
Duan notes that there are two ways of interpreting this concept in practice. "One view holds that the definition of 'data processor' should follow the definition of 'personal information processor' in the Personal Information Protection Law, the superior law of the Assessment Measures, and be understood as 'individuals and organizations that independently determine the purposes and methods of processing in data processing activities', excluding entrusted data processors; the other view holds that the concept should be understood literally as 'individuals and organizations that process data', which is broader than the former definition."
In addition, it is worth noting that "the legislator avoided using the expression 'personal information processor' in the Assessment Measures and uniformly used 'data processor' instead, which may be intentional, with the aim of also covering the personal information export activities of entrusted processors." Therefore, in Duan's view, the broader definition may better fit the systematic interpretation of the regulations and the regulatory thinking of the competent authorities.
"In essence, companies that process or export personal information or important data exceeding a certain volume all need to apply for the assessment," adds James Gong, partner at Bird & Bird. He points out: "In addition, in most cases these enterprises must consider local storage of data as a precondition for export."
As for specific enterprise types, "companies that employ a large number of employees, transfer important data or process a large volume of consumer data are more likely to be affected by the Assessment Measures and should therefore plan their data compliance strategy as early as possible," says Gong.
Duan shares that since July, Han Kun has continuously received inquiries about data export compliance from clients across various industries, including multinational companies as well as local companies doing business in countries and regions outside Mainland China. Although the industry sector may not be the decisive factor when an enterprise determines whether the Assessment Measures apply to it, enterprises in certain industry sectors undeniably may need to pay particular attention to cross-border data transfer and processing.
Duan explains: "Enterprises that process a large volume of personal information and those that process data of a high degree of sensitivity may become the regulatory focus during the implementation of the Assessment Measures. The former include enterprises in the Internet and retail industries; the latter are typically enterprises in the automotive, financial and healthcare industries. These enterprises need to focus on the possible impact of the new rules on their cross-border data transfer arrangements."
Mastering the assessment process
Since the new rules were introduced, many institutions have tried to outline the future data export assessment process in diagrams. In general, on the basis of a self-assessment, a data processor first submits application materials to the provincial cyberspace administration; after the provincial authority checks the materials for completeness, it forwards them to the CAC for review. The whole process may take 45 working days or more.
Relevant applications are now under way step by step. As important links in the process, how should enterprises handle the two phases of "self-assessment" and "application for assessment"? Experts say relevant enterprises should first pay sufficient attention to self-assessment. Duan points out that although the criteria for the self-assessment phase and the application phase are both different and overlapping, the requirements for compliance work are consistent throughout.
"According to Article 6 of the Assessment Measures, a data processor must submit a self-assessment report when applying to the cyberspace administration for security assessment. This means that the self-assessment will be an important reference for the cyberspace administration when conducting the security assessment," says Duan. "Foreseeably, if the self-assessment report submitted by an enterprise can respond specifically to the matters assessed in the application phase, this will help increase certainty for the enterprise in the application phase."
Gong advises that when considering whether it needs to apply for a security assessment for data exports, an enterprise should first conduct a thorough mapping of its data export situation, while also considering the option of local data storage and the possible consequences of non-approval after the assessment.
If an enterprise needs to apply for security assessment, Gong recommends that it keep records of its data export activities and monitor the volume of personal information it processes or transfers abroad. "Enterprises should prepare in advance to conduct a self-assessment and sign an export contract with the overseas recipient of the data," says Gong. "At the same time, multinational companies should also consider whether it is feasible for their suppliers, vendors and clients to sign the contracts; if failure to pass the assessment would disrupt business continuity, enterprises should prepare in advance for the uncertainty brought by the security assessment."
In response to the stricter regulatory posture brought by the new rules, Duan suggests a "four-step response method". First, sort out the implementation situation: on the basis of monitoring legislative developments, assess the possible impact of the new rules on the enterprise's cross-border data transfer arrangements. Second, identify the scenarios: determine the data export scenarios and relevant facts, and provide the enterprise with a data export compliance strategy.
Third, conduct a compliance assessment, assisting the enterprise with the compliance analysis of its data export activities and related rectification. Finally, conduct a security assessment, assisting the enterprise in drafting its data export self-assessment report and in applying to the cyberspace administration for data export security assessment.
In addition, Duan suggests that "an enterprise should establish and improve internal systems related to data export; besides drafting internal data export compliance guidelines and establishing data export approval mechanisms and procedures, it can also set up a long-term monitoring mechanism for data exports" as a lasting solution for cross-border data transfers.
Hong Kong and Macau
The impact of the new rules on Hong Kong and Macau has also sparked discussion in the industry. On this, Gong says: "For the purposes of the Assessment Measures, the Hong Kong and Macau Special Administrative Regions are of course regarded as 'overseas'. Where data flows from the Mainland to Hong Kong and Macau, companies need to consider whether the data transfer is affected by the new rules and undergo the data security assessment in a timely manner."
On August 31, Hong Kong's Office of the Privacy Commissioner for Personal Data reportedly issued a reminder to local Hong Kong enterprises, including banks, insurance companies and securities firms with operations in Mainland China, that if they meet the CAC's "thresholds" they need to take action and conduct a self-assessment.
A South China Morning Post report notes that implementation of the Assessment Measures could affect Hong Kong's role as a gateway to the Mainland market for international companies, and its ambition to become a "data centre hub for the Asia-Pacific region": as the financial and trade centre of the Asia-Pacific region, Hong Kong hosts the headquarters or offices of nearly 10,000 multinational companies, generating huge data flows every year.
However, Gong does not believe that implementation of the Assessment Measures will negatively affect Hong Kong's status. "If data flowing to Hong Kong can enjoy a certain degree of preferential treatment under the current data export regime, that would also give some extra momentum to enterprises across Greater China," he says.
GETTING UP TO DATE ON NEW DATA EXPORT REGULATIONS
The Measures for Data Export Security Assessment came into effect on September 1. Legal experts in the data field tell Asian Legal Business that companies must coordinate resources to upgrade their data compliance work as soon as possible.
The export and exchange of data and personal information is a common but important process for the cross-border operations of many enterprises.
The Measures for Data Export Security Assessment (Assessment Measures) officially came into effect this month and impose new application procedures for exports of data on enterprises operating in China that will undoubtedly increase the cost of compliance. Since the ‘Didi incident’ sounded the alarm bell for cross-border data transfers, there has been an urgent need for enterprises to assess the possible impact of the new regulations on their business.
It is worth noting that on August 31, one day before the Assessment Measures came into effect, the Cyberspace Administration of China (CAC) issued the Guidelines for Application for Data Export Security Assessment (First Edition). These guidelines provide details on the methods, procedures and materials for data export security assessment applications and include requirements on application materials, the power of attorney for the handling person, the data export security assessment application form and the data export risk self-assessment report.
WHO NEEDS TO COMPLY?
Article 2 of the Assessment Measures stipulates that “these Measures shall apply to the security assessment of the provision overseas by data processors of important data and personal information collected and generated during operations within the territory of the People’s Republic of China, unless otherwise prescribed by laws and administrative regulations.”
Kevin Duan, Partner of Han Kun Law Offices, explains to ALB that the Assessment Measures apply to “data processors” but what a “data processor” means is unclear and may include a party who is entrusted to process data.
He points to two ways of interpreting this concept.
“One opinion holds that a ‘data processor’ should be defined by reference to the definition of ‘personal information processor’ in the Personal Information Protection Law, which is the superior law to the Assessment Measures. In this case, data processors should be understood as ‘individuals and organizations that independently determine the purposes and methods of processing during data processing activities’, and exclude parties entrusted with data processing,” said Duan.
“Another view is that ‘data processors’ should be taken literally as ‘individuals and organizations that process data’, which is broader than the first interpretation.”
In addition, it is worth noting that “the legislator avoided using the expression ‘personal information processor’ in the Assessment Measures, and instead used ‘data processor’ uniformly. This choice may be intentional in the hope of covering the personal information export activities of entrusted processors.”
Therefore, Duan feels that adopting a broader definition may fit better with the system for statutory interpretation and the regulatory direction of relevant authorities.
“In essence, those companies that process or export personal information exceeding a certain volume or export important data need to apply for the assessment,” adds James Gong, a partner at Bird & Bird. “In most circumstances, the companies must also consider local storage of data as a precondition for the export.”
As for specific types of enterprises, Gong believes that “for companies that employ a large number of employees, export important data or process a large volume of consumer data, they are more susceptible to the security assessment and should plan for its impact as early as possible.”
Since July, Han Kun Law Offices has received multiple inquiries about data export compliance from clients in various industries, including multinational companies and local companies that operate in countries and regions other than Mainland China.
Enterprises in certain industry sectors may need to pay particular attention to the cross-border transfer and processing of data.
“Enterprises that process a large volume of personal information and those that process data with a high degree of sensitivity may become the focus of regulation during the implementation of the Assessment Measures,” explains Duan.
“The former includes enterprises in the Internet and retail industries, while the latter are typically those in the auto, financial and healthcare industries. Those enterprises need to focus on the possible impact of the new regulations on their cross-border data transfer arrangements.”
MASTERING THE ASSESSMENT PROCESS
Since the introduction of the new regulations, many institutions have attempted to outline the process of future data export assessment via graphs.
In general, a data processor needs to first submit application materials to a provincial cyberspace administration based on self-assessment, and after the provincial cyberspace administration has checked the completeness of the application materials, the materials will be submitted to the CAC for review. The entire process may take 45 working days or more.
Relevant application procedures have now been put into operation step by step. How enterprises should deal with “self-assessment” and “application for assessment”, two important phases during the entire process, is on the minds of many. Experts are of the view that companies should first pay sufficient attention to self-assessment.
To Duan, the criteria for the self-assessment phase and the application for assessment phase are both different and overlapping, but their requirements for compliance work are consistent.
“According to Article 6 of the Assessment Measures, a data processor is required to submit a self-assessment report when applying for security assessment to a cyberspace administration. This means that self-assessment will be an important reference for a cyberspace administration when it conducts security assessments,” says Duan.
“It is foreseeable that if the self-assessment report submitted by an enterprise can provide targeted responses to the areas of assessment in the application for assessment phase, it will help increase certainty of the application for assessment phase for the enterprise.”
Gong advises that when considering whether to apply for data export security assessment, a thorough mapping of the data exports by enterprises is often necessary. They should also consider the choice of local data storage and the possible consequences of non-approval after the assessment.
If an enterprise needs to apply for security assessment, Gong recommends that it keep records of data export activities and monitor the volume of personal information it processes or transfers.
“They should be prepared to conduct a self-assessment and enter into an export contract with the importers of the data,” says Gong.
“The multinationals should also consider whether it is feasible for their suppliers, vendors and clients to sign the contracts and how to cope with the uncertainty that is brought about by the need to go through the security assessment. This is particularly so given that failure to pass the assessment could disrupt business continuity.”
Duan suggests a “four-step method” for enterprises to respond to the implementation of the new regulations.
The first step is to sort out implementation situations. On the basis of monitoring legislative developments, they need to evaluate the possible impact of the new regulations on an enterprise’s cross-border data transfer arrangements.
The next step is to pinpoint data export scenarios and relevant facts; this helps with designing data export compliance strategies for the enterprise.
The third step is to make compliance assessments to assist the enterprise in conducting compliance analysis and related rectification of data export activities.
The final step is to conduct a security assessment and assist the enterprise in writing the data export self-assessment report and applying for data export security assessment to the relevant cyberspace administration.
Duan also suggests that an enterprise should establish and improve data export-related systems.
“In addition to drafting internal data export compliance guidelines and establishing data export examination and approval mechanisms and procedures, it can also establish a long-term monitoring mechanism for data export as a long-term solution to cross-border transfer of data,” he says.
HONG KONG AND MACAU
The impact of the new regulations on Hong Kong and Macau has also sparked discussions among industry players.
“For the purpose of the Measures, Hong Kong and Macau will be considered overseas. Companies with data flows from Mainland to Hong Kong and Macau will need to consider whether the data flows could be impacted by the Measures and subject to the security assessment,” says Gong.
In a statement published on August 31, Hong Kong’s Office of the Privacy Commissioner for Personal Data reminded local enterprises – including banks, insurance companies and securities firms that do business on the Mainland – to take steps and conduct a self-assessment if they meet the CAC’s criteria.
Implementation of the Assessment Measures could have an impact on Hong Kong’s role as a gateway for international companies to the Mainland market and efforts to become a data centre base.
Hong Kong is already home to more than 10,000 multinationals that generate huge data flows.
However, Gong does not believe that the implementation of the Assessment Measures will negatively affect Hong Kong’s status.
“If data flows to Hong Kong could enjoy preferential treatment under the current data export regime, then it would give some extra momentum to the plan,” he says.