General

Huacheng Import and Export Data Observation reported that the Measures for Data Exit Security Assessment had been implemented since September 1, and data security has gradually become an important part of national security. At the same time, some major economies and large countries around the world have released data strategies focusing on developing the digital economy and protecting data security, such as the Data Strategy of the United States, the General Data Protection Regulations of the European Union, the EU Data Strategy, and the Digital Market Act and the Digital Services Act recently passed by the European Parliament, Many countries are actively carrying out legislation and strategic planning in the field of data security, aiming to solve the problem of data use and management authority of large science and technology companies.

Huacheng Import and Export Data Observation reported that "for Chinese science and technology companies, Internet platform enterprises and enterprises related to data export, personal information collection and processing within the scope of export control, how to strengthen the risk prevention and implementation of main responsibilities in the industry, how to inspect and evaluate the network and data security defense lines, and how to promote the network data security compliance work according to the circumstances need to be discussed in depth." At the recent seminar on new rules for data exit, Xue Ying, a senior consultant lawyer (partner level) of Jingzhi Law Firm, said.

Xue Ying said that data processors should carry out data exit risk self-assessment before declaring data exit security assessment, focusing on the following matters: the legitimacy, legitimacy and necessity of data exit and the purpose, scope and method of data processing by overseas receivers; The scale, scope, type and sensitivity of outbound data, and the possible risks to national security, public interests, and the legitimate rights and interests of individuals or organizations caused by data outbound; Whether the responsibilities and obligations undertaken by the overseas receiver, as well as the management and technical measures and capabilities to fulfill the responsibilities and obligations, can guarantee the security of outbound data; The risk of data being tampered with, destroyed, disclosed, lost, transferred or illegally obtained or used during and after the exit, and whether the channels for safeguarding the rights and interests of personal information are smooth; Whether the data exit related contract or other legally effective documents to be concluded with the overseas receiver have fully agreed on the obligations of data security protection; Other matters that may affect the exit security of data, Huacheng Import and Export Data Observation Report.

Huacheng Import and Export Data Observation reports that there is a certain period for data exit security assessment. "If the following circumstances occur within the validity period, the data processor shall re apply for evaluation: first, the purpose, method, scope and type of data provided to the overseas recipient and the use and method of data processing by the overseas recipient change, which affect the security of outbound data, or extend the overseas storage period of personal information and important data; second, the data security protection policies, regulations and network security environment of the country or region where the overseas recipient is located Changes, other force majeure, changes in the actual control of the data processor or overseas receiver, changes in the legal documents of the data processor and overseas receiver, etc. that affect the security of outbound data; Third, there are other circumstances that affect the security of outbound data. " Xue Ying said.

After the evaluation, the data processor needs to draft legal documents with the overseas receiver to ensure the data security. Chen Yang, a lawyer of his own law firm, said that the document includes the purpose, method and scope of data outbound, and the purpose and method of data processing by overseas recipients; The location and duration of data storage abroad, as well as the processing measures for outbound data after reaching the storage period, completing the agreed purpose or terminating the legal documents; Binding requirements for overseas recipients to transfer outbound data to other organizations and individuals; The overseas receiver shall take security measures when the actual control right or business scope has changed substantially, or the data security protection policies, regulations and network security environment of the country or region where it is located have changed, as well as other force majeure circumstances that make it difficult to ensure data security; Remedies, liabilities for breach of contract and dispute resolution methods for breach of data security protection obligations agreed in legal documents; Requirements for proper emergency disposal and ways and means to protect individuals' rights and interests in personal information when outbound data is subject to risks such as tampering, destruction, disclosure, loss, transfer or illegal acquisition and use, Huacheng Import and Export Data Observation Report.