Previously, we reported that China released a draft measure entitled Measures on Security Assessment of Data Exports (数据出境安全评估办法(征求意见稿) (link in Chinese) and solicited comments that were due by November 28. Recently, a group of more than 25 business associations sent a letter to China's cybersecurity agency, offering both general and specific comments on the proposed measure. They cautioned against imposing restrictions on data that were more burdensome than necessary, and they also called for equal treatment.
In the letter, the group acknowledged that the “ability to transfer data securely across transnational digital networks is of central importance to the national policy objectives of many countries, including China.” It also argued that the ability to transfer data “supports shared economic prosperity” and “supports innovation and transnational research and development (R&D), as well as intellectual property protection and enforcement.”
The group then offered some general suggestions that the measures:
(1) not impose greater restrictions on data transfers than necessary; (2) afford equal treatment to Chinese and foreign enterprises, services, and technologies; and (3) be administered in a uniform, impartial, and reasonable manner with a view to ensuring non-discriminatory and streamlined approvals.
In addition, the group offered comments on some specific provisions.
For instance, Article 6(3) of the draft requires data exporters to submit contracts or other legal documents with overseas data recipients for the purpose of security assessment. The group said that the required documents “should be narrowed to focus on safeguards pertaining to data transfers. As drafted, it could unnecessarily expose trade secrets and other non-relevant information.”
The draft also has a provision that identifies the elements to be included in a data transfer contract (Article 9). The group argued that the requirements “should be aligned with the ’standard contracts’ provided for under PIPL Article 38(3)” and “designed to be interoperable with other global frameworks, such as EU GDPR standard contractual clauses or the APEC Cross-Border Privacy Rules.”
In addition, the draft stated that a successful security review would be valid for two years. On this issue, the group argued that the validity period “should be extended to avoid creating procedural bottlenecks and undue burdens on the CAC and private enterprises.”
The draft listed five scenarios under which data exporters shall apply for security review, including personal data exports from personal information processors who have processed personal information of one million people or more and exportation of personal information of more than 100,000 people cumulatively or sensitive personal information of more than 10,000 people.
The group asked to review these criteria in terms of: “(1) whether these thresholds, determinative criteria, and ex ante mandatory security reviews are in fact necessary to achieve China’s relevant public policy objectives; (2) whether other less onerous alternatives could feasibly achieve those policy objectives with fewer data transfer restrictions; (3) the impacts (economic and non-economic) of various alternatives on enterprises and other persons that depend upon the transfer of data; and (4) the grounds for concluding that a particular alternative is preferable to others.”
Signatories to the letter include Africa Information and Communication Technologies Alliance, AmCham China, Asia Cloud Computing Association, BSA | The Software Alliance, European Automobile Manufacturers’ Association, Coalition of Services Industries, Global Data Alliance, Information Technology Industry Council, US Chamber of Commerce, and US-China Business Council.