Answering a reporter’s question on "Data Exit Security Assessment Method"

  CCTV news: On July 7, the National Internet Information Office announced the Measures for the Evaluation of Data Exit Security (hereinafter referred to as the Measures). The relevant person in charge of the National Internet Information Office answered the reporter’s questions about the Measures.

  Q: Please briefly introduce the background of the promulgation of the Measures?

  A: In recent years, with the vigorous development of the digital economy, cross-border activities of data have become increasingly frequent, and the demand for data leaving the country by data processors has increased rapidly. At the same time, due to the differences in legal systems and protection levels in different countries and regions, the security risks of data leaving the country are correspondingly prominent. Cross-border data activities not only affect personal information rights and interests, but also relate to national security and social public interests. Many countries and regions in the world have explored the system of data cross-border security management from their own and local realities. The formulation and promulgation of the Measures is an important measure to implement the relevant provisions of the Cyber Security Law, the Data Security Law and the Personal Information Protection Law. The purpose is to further standardize data exit activities, protect personal information rights and interests, safeguard national security and social public interests, and promote the safe and free flow of data across borders.

  Q: What does the outbound data activity referred to in the Measures mean?

  A: The data exit activities mentioned in the Measures mainly include: First, the data processors transmit and store the data collected and generated in domestic operations abroad. Second, the data collected and generated by the data processor are stored in China and can be accessed or called by overseas institutions, organizations or individuals.

  Q: What circumstances need to declare data exit security assessment?

  A: The "Measures" clarify four situations in which data exit security assessment should be declared: First, data processors provide important data overseas. Second, key information infrastructure operators and data processors who handle personal information of more than 1 million people provide personal information overseas. Third, since January 1 of last year, data processors who have provided 100,000 personal information or 10,000 sensitive personal information overseas have provided personal information overseas. Fourth, other situations stipulated by the national network information department that need to declare data exit security assessment.

  Q: What are the main contents of data exit security assessment?

  A: Data exit security assessment focuses on the risks that data exit activities may bring to national security, public interests and the legitimate rights and interests of individuals or organizations, mainly including the following matters: First, the legality, legitimacy and necessity of the purpose, scope and methods of data exit. Second, the influence of data security protection policies and regulations and network security environment in the country or region where the overseas recipient is located on the security of outbound data; whether the data protection level of overseas recipients meets the requirements of People’s Republic of China (PRC) laws, administrative regulations and mandatory national standards. Third, the scale, scope, type and sensitivity of outbound data, and the risks of being tampered with, destroyed, leaked, lost, transferred or illegally obtained or used during and after leaving the country. Fourth, whether data security and personal information rights can be fully and effectively guaranteed. Fifth, whether the legal documents to be concluded between the data processor and the overseas receiver fully stipulate the responsibility and obligation of data security protection. Sixth, compliance with laws, administrative regulations and departmental rules of China. Seventh, other matters that the national network information department believes need to be evaluated.

  Q: In order to standardize the data exit safety assessment activities, what specific procedures are defined in the Measures?

  A: The "Measures" clarified the specific process of data leaving the country. First, pre-assessment. Before providing data abroad, data processors should first carry out self-assessment of data exit risks. The second is to declare the assessment. If the data exit safety assessment is met, the data processor should declare the data exit safety assessment to the national network information department through the local provincial network information department. The third is to carry out evaluation, and the national network information department will decide whether to accept the evaluation within 7 working days from the date of receiving the application materials; complete the data exit security assessment within 45 working days from the date of issuing the written acceptance notice; if the situation is complicated or the materials need to be supplemented or corrected, it may be appropriately extended and the data processor may be informed of the expected extended time. Fourth, re-evaluation and termination of exit. If the validity period of the evaluation results expires or the re-evaluation situation stipulated in these Measures occurs within the validity period, the data processor shall re-declare the data exit safety evaluation. If the data outbound activities that have passed the evaluation no longer meet the requirements of data outbound safety management in the actual processing process, the data processor shall terminate the data outbound activities after receiving the written notice from the national network information department. If the data processor needs to continue to carry out data exit activities, it shall make rectification as required, and re-apply for evaluation after the rectification is completed.

  Q: How to protect the legitimate rights and interests of data processors such as business secrets in the evaluation process?

  A: The Measures stipulate that relevant institutions and personnel involved in safety assessment shall keep confidential the state secrets, personal privacy, personal information, business secrets, confidential business information and other data they know in performing their duties according to law, and shall not disclose them or illegally provide them to others or use them illegally.

  Q: What other provisions have been clarified in the Measures?

  A: In addition to the above assessment contents, specific procedures, confidentiality requirements and other management measures, the Measures also clarify that the national network information department is responsible for deciding whether to accept the safety assessment, and organize relevant departments in the State Council, provincial network information departments and specialized agencies to carry out the safety assessment according to the application. The provincial network information department is responsible for receiving the application materials for data exit security assessment and completing the completeness inspection. Any organization or individual who finds that a data processor provides data overseas in violation of these measures may report to the network information department at or above the provincial level.

  Q: When will the data processor declare the data exit security assessment?

  A: The data processor shall declare and pass the data exit safety assessment before the data exit activities occur. In practice, it is advisable for data processors to declare data exit safety assessment before signing data exit related contracts or other legally binding documents (hereinafter referred to as legal documents) with overseas recipients. If the assessment is declared after signing the legal document, it is suggested to indicate in the legal document that this document shall take effect after passing the data exit security assessment, so as to avoid possible losses caused by failure to pass the assessment.

  Q: What are the possible results of the exit security assessment of enterprise declaration data?

  A: First, the declaration will not be accepted. For those that do not fall within the scope of security assessment, the data processor can carry out data exit activities through other legal channels stipulated by law after receiving the written notice that the national network information department will not accept it. The second is to pass the safety assessment. After receiving the written notice of passing the assessment, the data processor can carry out data exit activities in strict accordance with the declared items. Third, it failed the safety assessment. If the data exit safety assessment fails, the data processor shall not carry out the declared data exit activities.

  Q: What should I do if I disagree with the evaluation results?

  A: If the data processor disagrees with the evaluation results, it can apply to the national network information department for re-evaluation within 15 working days after receiving the evaluation results, and the re-evaluation results are final.

  Q: How long is the validity of the results of the data exit security assessment?

  A: The validity period of the results of data exit safety assessment is 2 years, counting from the date when the assessment results are issued. If it is necessary to continue to carry out data exit activities after the expiration of the validity period, the data processor shall re-apply for evaluation 60 working days before the expiration of the validity period.

  Q: How to investigate the legal responsibility for violating the Measures?

  A: The Measures clarify that if a data processor violates the provisions of these Measures, it shall be handled in accordance with the provisions of the Network Security Law, the Data Security Law, the Personal Information Protection Law and other laws and regulations; if a crime is constituted, criminal responsibility shall be investigated according to law.

  Q: How do the three ways link up the relationship between the provision of personal information overseas, security assessment, standard contract and personal information protection certification?

  A: The scope of application of the Measures has been made clear, and a security assessment should be declared for the data exit of personal information processors to which security assessment is applicable; the data exit situation of personal information processors outside the scope of application of the Measures can meet the conditions for cross-border provision of personal information through personal information protection certification or signing a standard contract formulated by the national network information department, so as to facilitate personal information processors to carry out data exit activities according to law.