Chinanews Client Beijing, October 29th (Reporter Wu Tao) On the 29th, the State Internet Information Office issued a notice for public comments on the "Measures for Data Exit Security Evaluation (Draft for Comment)" (hereinafter referred to as the "Draft for Comment").

In these cases, a data exit security assessment must be declared

  The "Draft for Comment" states that data processors that provide data overseas and meet one of the following circumstances should apply to the national cybersecurity and informatization department for a data exit security assessment through their local provincial cybersecurity and informatization department.

  These circumstances include: personal information and important data collected and generated by operators of critical information infrastructure; outbound data that contains important data; personal information processors that have processed the personal information of a number of people reaching one million providing personal information abroad; cumulatively providing the personal information of more than 100,000 people or the sensitive personal information of more than 10,000 people; and other situations that require a data exit security assessment as specified by the national cybersecurity and informatization department.

  Public information shows that many Internet companies currently have tens of millions or even hundreds of millions of users.

This means that these companies may need to undergo data exit security assessments when they need to export data in the future, for example when listing overseas.

Since the beginning of this year, many companies have announced the suspension of listing overseas.

Data exit security assessment focuses on assessing these risks

  According to the "Draft for Comment", data processors should conduct a self-assessment of data export risks before providing data overseas.

The self-assessment covers, for example, the legality, legitimacy, necessity, etc. of the purpose, scope, and method of the data export and of the overseas recipient's data processing.

  The "Draft for Comment" also states that the data exit security assessment focuses on the risks that data exit activities may bring to national security, public interests, and the legitimate rights and interests of individuals or organizations.

  These include, for example, the amount, scope, type, and sensitivity of the outbound data, and the risk of leakage, tampering, loss, destruction, transfer, or illegal acquisition or illegal use of the data during and after its exit from the country.

  The assessment also covers whether data security and personal information rights can be fully and effectively protected, as well as compliance with Chinese laws, administrative regulations, departmental rules, etc.

Overseas data recipients need to clarify the purpose and use

  The "Draft for Comment" also states that the contract between the data processor and the overseas recipient is to fully stipulate the responsibilities and obligations of data security protection, which should include but not be limited to the purpose, method and scope of the data exit, the purpose and method of the overseas recipient's data processing, and so on.

  It also includes the location and duration of data storage overseas, as well as how outbound data is to be handled after the retention period has been reached, the agreed purpose is completed, or the contract is terminated; in the event of data leakage and other risks, an appropriate emergency response should be carried out and an unobstructed channel should be provided for individuals to maintain their personal information rights and interests, and so on.

  In short, the "Draft for Comment" clarifies that the data exit security assessment combines pre-assessment with continuous supervision, and risk self-assessment with security assessment, in order to prevent data exit security risks and ensure the orderly and free flow of data in accordance with the law.
