Data Security Law and Personal Information Protection Law are the two most important regulations that took effect in 2021. Together, they are shaping the foundations for data privacy and security in the Chinese regulatory landscape.

However, few details were given regarding how the regulations would be enforced and what concrete steps multinational companies needed to take for their cross-border data transfer activities to be compliant. 

On July 7 2022, the Cyberspace Administration of China (CAC) promulgated the Measures for Security Assessment of Data Exports, which officially took effect on September 1, 2022. The measures gave guidelines on the steps of applying a CAC data export assessment for data processors who met certain criteria (more on the criteria below). A six month grace period was given according to the Measures. 

That puts March 1, 2023 as the deadline for applying the CAC data export risk assessment.

What is the CAC assessment and why should we care about it?

In a nutshell, CAC mandates all data controllers who meet one of the following criteria to apply for a data export security assessment through the provincial offices of CAC: 

• Data processors who transfer Important Data overseas
• CIIO (Critical Information Infrastructure) or data processors who transfer more than 1 million people’s Personal Information (PI) data
• Data processors who have transferred over 100,000 persons PI data or 10,000 persons sensitive PI data overseas since January 1 the previous year (2021)
• Other scenarios which are defined by CAC

From the above broadly defined criteria, our assumption is that most multinational companies – ones with business operations in China and are sharing the same global SaaS platforms with their headquarters or other regional offices – will be required to hand in the CAC assessment application by March 1, 2023.  

Should you be worried about the upcoming CAC assessment?

Since the measures came into effect, major global law firms have published their opinion papers and guidance to help their clients navigate through the new requirements. You can find some examples here: The CAC assessment collection Part 1, 2, and 3.

Two things worth noting here: 

• Despite the newly published measures, the guidelines from CAC are still kept fuzzy in regards to some aspects. For example, there is no clear definition of “Important Data” yet. The last criterion “other scenarios defined by CAC” also seems to be kept in place just to give more flexibility in the interpretation of the law. 
• The deadline is approaching. Note that one of the required application documents is a self-assessment within three months before the application date. The clock is ticking. If you are a multinational company and a data exporter by definition of the CAC, you should already be preparing the self-assessment and re-formulating certain clauses within the contracts with the data recipients overseas. There is no time for “wait and see.” 

Odaseva’s recommendation

Given the uncertainties both in how the guidelines are going to be interpreted and how the authorities will enforce them on the multinational companies, our recommendation is to take the double-secured route – by all means you should be preparing all the documents to apply for the assessment (if you have not started yet); at the same time, you could “hedge” the risk by implementing data residency rules for the sensitive data in your global SaaS environment. 

Odaseva’s Data Residency for Salesforce will isolate the sensitive data (such as Personal Information data) in your CRM system and make sure they will not be stored, processed, or even viewed outside of the territory of China. 

By implementing such tools, you can make sure that the data localization rule is executed to the highest degree in your global IT environment. You will be showing the authority that you are taking serious measures to make sure that the data export rules are respected and honored. 

Another option is to leverage Salesforce Core on Ali Cloud that will be available by the end of this year. This means an Org split that needs to be prepared at all levels: business, architecture, data and technology. Odaseva can also help on this matter.

We at Odaseva can help you navigate through this critical phase. Contact us today for more information.