National Cyberspace Administration of China Opens for Opinions on Preventing Security Risks of Data Outbound

by admin

Chinanews.com, October 29. On the 29th, the National Internet Information Office issued the “Measures for Data Exit Security Evaluation (Draft for Solicitation of Comments)” (hereinafter referred to as the “Draft Opinions”) for public comment. Under the draft, the provision of important data collected and generated during operations within the territory of the People’s Republic of China, and of personal information that is subject to security assessment according to law, shall undergo security assessment in accordance with the provisions of these Measures; where laws and administrative regulations provide otherwise, those provisions shall be followed.

The “Draft Opinions” clarified that data exit security assessment adheres to the combination of pre-assessment and continuous supervision, and the combination of risk self-assessment and security assessment to prevent data exit security risks and ensure the orderly and free flow of data in accordance with the law.

The specific contents of the “Draft Opinions” are as follows:

Article 1 In order to regulate data export activities, protect the rights and interests of personal information, safeguard national security and social public interests, and promote the safe and free flow of data across borders, these Measures are formulated in accordance with the “Network Security Law of the People’s Republic of China”, the “Data Security Law of the People’s Republic of China”, the “Personal Information Protection Law of the People’s Republic of China” and other laws and regulations.

Article 2 Data processors who provide important data collected and generated during operations within the territory of the People’s Republic of China and personal information subject to security assessment in accordance with the law shall conduct security assessments in accordance with the provisions of these Measures; where laws and administrative regulations provide otherwise, those provisions shall apply.

Article 3 Data exit security assessment adheres to the combination of pre-assessment and continuous supervision, and the combination of risk self-assessment and security assessment to prevent data exit security risks and ensure the orderly and free flow of data in accordance with the law.

Article 4 If a data processor provides data overseas and meets one of the following circumstances, it shall apply to the national cybersecurity and informatization department, through the local provincial cybersecurity and informatization department, for a data exit security assessment.

(1) Personal information and important data collected and generated by operators of critical information infrastructure;

(2) The exit data contains important data;

(3) Personal information processors who have processed personal information of one million people provide personal information abroad;

(4) Cumulatively providing personal information of more than 100,000 people or sensitive personal information of more than 10,000 people abroad;

(5) Other circumstances required by the State Cyberspace Administration of China that require data exit security assessment.

Article 5 Before providing data overseas, data processors shall conduct self-assessment of data export risks in advance, focusing on the following items:

(1) The legality, legitimacy, and necessity of the purpose, scope, and method of data export and the processing of the data by the overseas recipient;

(2) The quantity, scope, type, and sensitivity of outbound data, and the risks that the outbound data may bring to national security, public interests, and the legitimate rights and interests of individuals or organizations;

(3) Whether the data processor’s management and technical measures and capabilities in the data transfer link can prevent risks such as data leakage and damage;

(4) The responsibilities and obligations promised by the overseas recipient, and whether the management and technical measures and capabilities to perform the responsibilities and obligations can guarantee the security of outbound data;

(5) The risks of data leakage, damage, tampering, abuse, etc. after the data is exported and re-transferred, and whether the channels for individuals to maintain their personal information rights and interests are unblocked, etc.;

(6) Whether the data export-related contracts concluded with overseas recipients fully stipulate the responsibility and obligation of data security protection.

Article 6 The following materials shall be submitted when applying for a data exit security assessment:

(1) Declaration form;

(2) The self-assessment report of data exit risk;

(3) Contracts or other legally binding documents, etc. (hereinafter collectively referred to as contracts) drawn up between the data processor and the overseas recipient;

(4) Other materials required for security assessment work.

Article 7 The national cyberspace administration department shall, within seven working days from the date of receipt of the application materials, determine whether to accept the evaluation and give feedback on the acceptance result in the form of a written notification.

Article 8: Data exit security assessment focuses on the risks that data exit activities may bring to national security, public interests, and the legitimate rights and interests of individuals or organizations, mainly including the following items:

(1) The legality, legitimacy, and necessity of the purpose, scope, and method of data export;

(2) The data security protection policies and regulations of the country or region where the overseas recipient is located and the impact of the network security environment on the security of outbound data; whether the data protection level of the overseas recipient meets the requirements of the laws, administrative regulations and mandatory national standards of the People’s Republic of China;

(3) The quantity, scope, type, and sensitivity of outbound data, and the risks of leakage, tampering, loss, destruction, transfer, or illegal acquisition or illegal use during and after leaving the country;

(4) Whether data security and personal information rights can be fully and effectively protected;

(5) Whether the contract between the data processor and the overseas receiver fully stipulates the responsibility of data security protection;

(6) Compliance with Chinese laws, administrative regulations, and departmental rules;

(7) Other matters deemed necessary by the national cyberspace administration.

Article 9 The contract concluded between the data processor and the overseas receiver fully stipulates the responsibility and obligations of data security protection, and shall include, but not be limited to, the following contents:

(1) The purpose, method and scope of data export, the purpose and method of data processing by overseas receivers, etc.;

(2) The location and duration of data storage overseas, and the processing measures for data going abroad after the storage period is reached, the agreed purpose is fulfilled, or the contract is terminated;

(3) Binding clauses restricting the transfer of outbound data by overseas recipients to other organizations and individuals;

(4) The security measures that the overseas receiver should take when the actual control or business scope has changed substantially, or the legal environment of the country or region where it is located makes it difficult to ensure data security;

(5) Responsibilities for breach of data security protection obligations and binding and enforceable dispute resolution clauses;

(6) In the event of data leakage and other risks, properly carry out emergency response and ensure unobstructed channels for individuals to safeguard their personal information rights.

Article 10: After the national cybersecurity and informatization department accepts the application, it shall organize the industry competent department, relevant departments of the State Council, provincial cybersecurity and informatization departments, and specialized agencies to conduct security assessments.

For the export of important data, the State Cyberspace Administration of China shall solicit the opinions of relevant industry authorities.

Article 11 The State Cyberspace Administration shall complete the data exit security assessment within 45 working days from the date of issuance of the written acceptance notice; if the situation is complicated or supplementary materials are needed, it can be extended appropriately, but generally no more than 60 working days.

The results of the evaluation will be notified to the data processor in writing.

Article 12 The validity period of the data outbound assessment result is two years. If one of the following situations occurs during the validity period, the data processor shall re-apply and evaluate:

(1) The purpose, method, scope, and type of data provided overseas, and the use and method of data processing by overseas recipients have changed, or the overseas retention period of personal information and important data has been extended;

(2) Changes in the legal environment of the country or region where the overseas receiver is located, changes in the actual control of the data processor or the overseas receiver, changes in the contract between the data processor and the overseas receiver, etc. may affect the security of outbound data;

(3) There are other situations that affect the security of outbound data.

If the validity period expires and it is necessary to continue the original data export activities, the data processor shall re-apply for evaluation 60 working days before the validity period expires.

Those who fail to re-apply for evaluation in accordance with the provisions of this Article shall stop data export activities.

Article 13 The data processor shall submit the evaluation materials in accordance with the provisions of these Measures. If the materials are incomplete or do not meet the requirements, they shall be supplemented or corrected in a timely manner. If the data processor refuses to supplement or correct them, the national cyberspace administration may terminate the security assessment; the data processor is responsible for the authenticity of the submitted materials, and if false materials are deliberately submitted, they shall be handled as if the assessment fails.

Article 14 Relevant institutions and personnel involved in security assessment work shall keep confidential the state secrets, personal privacy, personal information, business secrets, confidential business information and other data that they learn in the performance of their duties, and shall not disclose or illegally provide them to others.

Article 15: Any organization or individual who discovers that the data processor has not provided data overseas in accordance with the provisions of these Measures may lodge a complaint or report to the cybersecurity and informatization department at or above the provincial level.

Article 16 If the national cyberspace administration finds that the data export activity that has passed the assessment no longer meets the data export security management requirements in the actual processing process, it shall revoke the assessment result and notify the data processor in writing, and the data processor shall terminate the data export activity. If it is necessary to continue to carry out data export activities, the data processor shall make rectification as required, and re-apply for evaluation after the rectification is completed.

Article 17 Violation of the provisions of these Measures shall be handled in accordance with the “Network Security Law of the People’s Republic of China”, “Data Security Law of the People’s Republic of China”, “Personal Information Protection Law of the People’s Republic of China” and other laws and regulations; Be held criminally responsible.

Article 18 These measures shall come into force on the day of the year and month.
