MNCs scrambling to meet China’s looming data exit assessment deadline

Breaking News 22 February

MNCs scrambling to meet China’s looming data exit assessment deadline

As the deadline for the Cyberspace Administration of China (CAC’s) data exit security assessment nears, companies are scrambling to submit the required materials on time, sources familiar with the matter told PaRR.

The deadline is 1 March.

According to ‘Measures for the Security Assessment of Cross-border Transfer of Data’ (the Measures) published by the CAC last July, a company that processes important data or large volumes of personal data, as well as companies categorized as critical information infrastructure operators (CIIOs), will be required to pass a security assessment by the cyberspace watchdog prior to transferring relevant data abroad.

Coming into force in September 2022, the Measure gives a six-month grace period for companies to comply, which will end on 1 March. But the Measure did not elaborate on criterion for compliance.

After checking with regulators in mid-February, the first source, a data lawyer, said the criterion was receipt of a notice of acceptance from the CAC. Taking into account the five working days used by local regulators to review the materials, approximately one week to transfer the materials from a local agency to the CAC, and another seven working days for the CAC to accept the materials, the actual deadline was around 7 February, the source theorized.

According to the Measures, companies should submit relevant materials to their respective provincial Cyberspace Administration (CAs) to confirm their format is appropriate and the provincial CAs will transfer the materials to the central CAC for a more substantial assessment.

A source close to the CAC, said early this week that as long as companies submit materials to their local CAs, they are seen as being in compliance.

A third source, also a data lawyer, confirmed both scenarios and added that a notice of acceptance from the CAC is recommended to be on the safe side. But the problem here is that a large number of companies are facing delays in submitting materials even to the provincial CAs, and it is impossible for regulators to punish them all, said the third source.

The measures mainly apply to Chinese branches of multinationals and Chinese companies with an international presence. Due to the low threshold for filing stipulated in the Measures, the rules have covered a wide range of companies, as reported.

Failure to comply could result in hefty fines and risk seeing their cross-border data transfers being halted, according to the Personal Information Protection Law (PIPL), the Data Security Law (DSL) and the Cybersecurity Law (CSL).

As reported, preparing filing materials required by the measures is a costly and time-consuming process, which involves a thorough overhaul of companies’ data compliance, sorting out complex legal relationships between multiple players involved in the cross-border transfer of data, and the often troublesome back-and-forth between Chinese operations and their oversea parents.

The first source also acknowledged delays are common.

Shanghai Cyberspace Administration (Shanghai CA) disclosed in a press release that as of 16 February, the agency received more than 110 applications for data exit assessment.

The number is small, the first source said, estimating the total number of companies in Shanghai that meet the threshold for assessment to be in the hundreds, if not thousands.

It remains unknown what legal consequences will befall companies that fail to meet the deadline, considering the large number of delays, the third source said. But at least companies can continue to submit materials even after the 1 March deadline, the source added.

An official at the CAC said there is no specific criterion for compliance and companies can continue to submit applications after 1 March. In terms of legal consequences for failure to comply, the official said companies should keep abreast of official developments.

Tech experts

In addition to CAC officials, the administration has also brought in outside tech experts to work on applications, the first two sources said.

Shortage of manpower is one reason for processing delays, as data exit assessments require professional knowledge and technical expertise, the first source said, adding that tech experts are seconded from national and local Computer Network Emergency Response Technical Team (CERTs). CERT is a non-governmental non-profit cybersecurity technical center with branches in 31 provinces, autonomous regions and municipalities in China.

Did you enjoy this article?

Add the following topics to your interests and we'll recommend articles based on these interests.