The National Internet Information Office announced the "Measures for Evaluation of Data Outbound Security"

On July 7, the National Internet Information Office announced the "Measures for Evaluation of Data Outbound Security" (hereinafter referred to as the "Measures"), which will be implemented from September 1, 2022. The relevant person in charge of the National Internet Information Office stated that the "Measures" aims to implement the provisions of the "Network Security Law", "Data Security Law", and "Personal Information Protection Law", standardize data outbound activities, protect personal information rights and interests, safeguard national security, and safeguard national security With the public interest of the society, promote cross -border security and free flow of data, and effectively keep the development of security and promote security with development.

In recent years, with the vigorous development of the digital economy, data cross -border activities have become increasingly frequent, and data processor's data outbound demand has grown rapidly. Clarifying the specific provisions of the data outbound security assessment is the need to promote the healthy development of the digital economy and prevent and resolve the risks of cross -border security, it is the need to safeguard national security and public interests, and to protect the rights and interests of personal information. The "Measures" stipulate the scope, conditions and procedures of data outbound security assessment, which provides specific guidelines for data outbound security assessment.

The "Measures" clearly states that data processors provide these measures to provide important data collected and generated in the operation of the People's Republic of China and the security assessment of the security assessment of personal information. The principles of data outbound security assessment adhere to the combination of pre -evaluation and continuous supervision, and the combination of risk self -assessment and security assessment.

The "Measures" stipulates that the situation of data outbound security assessment should be declared, including data processors with important data, key information infrastructure operators and processing data processors with more than 1 million personal information to provide personal information to overseas, self -top From January 1st, the data processors with a total of 100,000 personal information or 10,000 sensitive personal information have been provided to the abroad to provide personal information overseas and other situations required to declare data outbound security assessment stipulated by the national network information department.

The "Measures" put forward specific requirements for data outbound security assessment, stipulating that data processors shall carry out self -assessment of data outbound risk before reporting data outbound security assessment and clarify key evaluation matters. The data processor clearly stipulates the liability obligations of data security protection in the legal documents set up with an overseas receiving party, and the situation that affects data outbound security during the validity period of the data outbound security assessment shall be re -approved. In addition, it also clarifies the data outbound security assessment procedures, supervision and management systems, legal responsibility, and requirements for compliance rectification requirements.

National Internet Information Office Order

No. 11

The "Evaluation Measures for Data Outbound" was reviewed and approved by the 1022 1022 of the National Internet Information Office on May 19, 2022. It is now announced and implemented from September 1, 2022.

Zhuang Rongwen, director of the National Internet Information Office

July 7, 2022

Data outbound security assessment method

Article 1 In order to regulate data outbound activities, protect personal information rights, safeguard national security and social public interests, and promote cross -border security and free flow of data, in accordance with the "Cyber ​​Security Law of the People's Republic of China", "Data Security Law of the People's Republic of China", The "Personal Information Protection Law of the People's Republic of China" and other laws and regulations formulate these measures.

Article 2 Data processors provide security evaluations of important data and personal information that are collected and generated in the operation of the People's Republic of China to provide security evaluations. These measures are applicable. If laws and administrative regulations have other provisions, in accordance with their provisions.

Article 3 The data outbound security assessment adheres to the combination of pre -evaluation and continuous supervision, the combination of risk self -assessment and security assessment, prevent data outbound security risks, and ensure the orderly and free flow of data in accordance with the law.

Article 4 If the data processor provides data to overseas, if there is one of the following circumstances, it shall report the data outbound security assessment to the national network information department through the provincial online information department of the local area:

(1) Data processors provide important data to overseas;

(2) Data processors with key information infrastructure operators and processing more than 1 million personal information provides personal information to the abroad;

(3) Data processors with a total of 100,000 personal information or 10,000 sensitive personal information from the last year from January 1 last year provide personal information to the abroad;

(4) Other situations stipulated by the national network information department to declare data outbound security assessment.

Article 5 Data processors shall carry out self -assessment of data outbound risks before applying for data outbound security assessment, and focus on the following matters:

(1) Data outbound and overseas receiving party's legality, scope, and method of processing data, legality, legitimacy, and necessity;

(2) The scale, scope, type, and sensitivity of outbound data. The outbound outbound outbound may bring the risk of national security, public interest, individual or organization's legitimate rights and interests;

(3) The responsibility and obligations committed by the overseas receiving party, as well as whether the management and technical measures and capabilities of fulfilling responsibility obligations can ensure the security of outbound data;

(4) The risk of tampering, destruction, leakage, loss, transfer or illegal use of data after the data out of China and exit, whether the channels for the protection of personal information rights and interests are unobstructed;

(5) Whether the data outbound related contracts formulated by the foreign receiver or other legal effects (hereinafter referred to as legal documents) have fully agreed the liability of the data security protection;

(6) Other matters that may affect data outbound security.

Article 6 The assessment of the outbound data outbound data shall be submitted to the following materials: (1) The application for the application;

(2) Evaluation report of data outbound risk;

(3) Data processors and legal documents planned by the receiving party overseas;

(4) Other materials needed for safety assessment work.

Article 7 The provincial online information department shall complete the complete inspection within 5 working days from the date of receiving the application materials. If the application materials are complete, the application materials are submitted to the national network information department; if the application materials are not complete, the data processor shall be returned and the materials need to be supplemented in one sex.

The national network information department shall determine whether to accept and notify the data processing in writing within 7 working days from the date of receiving the application materials.

Article 8 Data Outbound Security Evaluation Focus on Evaluation of Data Outbound Campaign may bring the risks of national security, public interests, individuals, or organizations, and mainly include the following items:

(1) The legality, legitimacy, and necessity of the purpose, scope, method, etc. of data outbound;

(2) Policy and regulations of data security protection policies and regulations where the overseas receiving party is located or region of the region and the influence of network security environment on the security of outbound data; Requirements;

(3) The scale, scope, type, and sensitivity of outbound data, and the risk of tampering, destruction, leakage, loss, transfer or illegal utilization after departure and exit;

(4) Can data security and personal information rights be fully effective;

(5) Whether the data processor and the overseas receiving party have fully agreed the liability for data security protection;

(6) Comply with Chinese laws, administrative regulations, and departmental regulations;

(7) The national network information department believes that other matters that need to be evaluated.

Article 9 Data processors shall clearly stipulate the liability obligations of data security protection in the legal documents set up with overseas receiving parties, including at least the following:

(1) The purpose, method, and data scope of data outbound, and the purpose and method of processing data to process data overseas;

(2) Data preserve the location and period of preservation overseas, as well as the processing measures for exit data after the preservation period, the completion of the agreed purpose, or the termination of the legal documents;

(3) For the restraint requirements of other organizations and individuals;

(4) In substantial changes in the actual control of the overseas receiving party or the scope of the business, or the changes in the data security protection policies and regulations of the country and region, and the occurrence of other non -resistant circumstances that causes difficulty to ensure data security, it should be taken. measure;

(5) Remedial measures, liability and dispute solutions that violate the data security protection obligations agreed in legal documents;

(6) When the outbound data is tampered with, destroyed, leaked, lost, transferred, or illegally obtained, illegal utilization, etc., it is necessary to properly carry out the requirements and methods of emergency response and ensure that individuals protect their personal information rights and interests.

Article 10 After the national network information department accepts the declaration, organize a security assessment of relevant departments, provincial online information departments, specialized agencies, etc. according to the application.

Article 11 During the security assessment process, if the application materials submitted by the data processor do not meet the requirements, the national network information department may ask it to supplement or correct it. If the data processor does not replenish or corrected, the national network information department may terminate the security assessment.

Data processors are responsible for the authenticity of the materials submitted. If they deliberately submitted false materials, they will not be treated in accordance with the evaluation, and the corresponding legal responsibilities shall be investigated according to law.

Article 12 The national network information department shall complete the data outbound security assessment within 45 working days from the date of issuing the data processor; if the situation is complicated or the required or corrected materials, the data processing can be appropriately extended and the data processing can be notified The time of the extension is expected.

The evaluation results shall notify the data processing in writing.

Article 13 If the data processor has objections to the evaluation results, he may apply to the national network information department for re -evaluation within 15 working days of the evaluation results. The re -evaluation results are the final conclusion.

Article 14 The results of the results of the data outbound security assessment are valid for 2 years, and calculated from the date of the evaluation results. If one of the following circumstances appears within the validity period, the data processor shall re -apply for evaluation:

(1) The purpose, method, scope, type, type, type, type, and overseas receiving party's use of data to process data will affect the security of outbound data, or extend the period of overseas preservation of personal information and important data;

(2) Data security protection policies and regulations where the overseas receiving party is located or regional data security environment and network security environment, as well as other non -resistant cases, data processing, or the actual control of the overseas receiving party changes, data processor and foreign receiver legal documents change Wait for the safety of outbound data;

(3) Other situations that affect the security of outbound data.

If the validity period expires, the data processing activities need to be carried out, and the data processor shall re -apply for evaluation before 60 working periods of the validity period.

Article 15 Relevant agencies and personnel participating in the safety assessment work shall keep confidentiality in accordance with the law such as national secrets, personal privacy, personal information, business secrets, and confidentiality business information that they know. Illegal use.

Article 16 Any organization or individual finds data processors who provide data to overseas in violation of these measures, and may report to the online information departments at or above the provincial level.

Article 17 If the national online information department finds that the data outbound activities that have been evaluated will no longer meet the requirements of data outbound security management, the data processor shall be notified in writing to terminate the data outbound event. If the data processor needs to continue to carry out data outbound activities, rectification shall be rectified as required, and the evaluation shall be reorganized after the rectification is completed.

Article 18 If you violate the provisions of these Measures, it is dealt with in accordance with the "Law of the People's Republic of China", the "Data Security Law of the People's Republic of China", and the "Personal Information Protection Law of the People's Republic of China" and other laws and regulations; responsibility.

Article 19 The important data referred to in these Measures refers to data once tampered with, destruction, leaked, or illegally obtained, illegal use, etc., which may endanger national security, economic operation, social stability, public health and security.

Article 20 These Measures will be implemented from September 1, 2022. If the data outbound activities that have been carried out before the implementation of these measures do not meet the requirements of these Measures, the rectification shall be completed within 6 months from the date of the implementation of these Measures.

Source: Internet Information China

Review: Tan Jianping

Edit: Xie Xing

- END -