China’s new outbound data transfer regulation triggers uncertainty for international shipping

Published: 12 July 2022

• Print page
• Email page
• Tweet

Last week, China unveiled a new regulation called “Measures for Security Assessment for Outbound Data Transfer” (“the Measures”) as a natural development of its trio of data regulations. According to the Measures, a data handler is not only obliged to conduct a self-assessment but also a security assessment conducted by the Chinese cyberspace administration on  the risk of the outbound data transfer.

The Measures define four different categories where an official security assessment for the outbound data transfer is mandatory:

• a data handler who transfers important data abroad
• a critical information infrastructure operator, or a data handler processing the personal information of more than 1 million individuals, who, in either case, transfers personal information abroad
• a data handler who has, since January 1 of the previous year cumulatively transferred abroad the personal information of more than 100,000 individuals, or the sensitive personal information of more than 10,000 individuals, or

• other circumstances where the security assessment for the outbound data transfer is required by the State Cyberspace Administration.
  
  A self-assessment is a prerequisite for the administrative security assessment where it focuses on the risks of the outbound data transfer, such as
  
  
• the legality, legitimacy and necessity of the purpose, scope and methods of the outbound data transfer, and the processing of the data by the foreign recipient
• the scale, scope, type and sensitivity of the outbound data transfer, and the risks to national security, the public interest or to the legitimate rights and interests of individuals or organisations, caused by the outbound data transfer
• the duties and obligations which the foreign recipient commits to perform, and whether the foreign recipient’s organizational and technical measures and capabilities in terms of performing the duties and obligations can guarantee the security of the outbound data transfer
• the risks of the data being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the outbound data transfer, and whether there is a smooth channel for safeguarding personal information rights and interests
• whether the responsibilities and obligations for data security protection are fully agreed in relevant contracts for the outbound data transfer, or other legally binding documents to be concluded with the foreign recipient and
• other matters that may affect the security of the outbound data transfer.
  
  In addition, the Measures requires the data handler to sign a legal paper with their foreign recipient in term of the responsibilities and obligations for data security protection. It is worth highlighting that any violation of the Measures will be punished in accordance with the trio of data regulations, and any sever violations may trigger criminal prosecution.
  
  Since the Measures will come into effect on 1 September 2022, it triggered an urgency for all data handlers to know how to comply, which of course includes many international shipping companies. International shipping is considered as “critical information infrastructure operators” according to Article 31 of the CSL. Therefore, many international shipping companies, managers, flag states and P&I clubs must self-assess their huge data processes when dealing with huge cargo data, ships' AIS data and emission data and seafarers’ personal data. The core questions are how to arrange the so-called “self-assessment” and how to apply the administrative security assessment.
  
  In order to guide our members to better understand the Measures, BIMCO is collaborating with the China Shipowner’s Association and the Pudong government to host a small-scale live seminar (free of charge) in Shanghai in the afternoon of 15 July 2022. The speakers will be from the Shanghai Branch of the National Computer Network Emergency Response Technical Team/Coordination Centre of China (CHCERT), Shanghai Institute of cyberspace security industry, Shanghai Data Compliance and Security Industry Development Expert Group.
  
  If you are a BIMCO member and would like to attend, please contact Mr. Wei Zhuang to reserve a place. Space is limited, so places will be allocated on  a “first come first served” basis.