In January 2022, BIMCO reported that China’s DSL regulation could disrupt data exchange for international shipping, saying it believed that the trio of data regulations would profoundly impact the international shipping industry until the implementation process had been clarified by the Chinese administration.
Last week, China unveiled a new regulation called “Measures for Security Assessment for Outbound Data Transfer” as a natural development of its trio of data regulations.
According to the Measures, a data handler is obliged not only to conduct a self-assessment but also to undergo a security assessment, conducted by the Chinese cyberspace administration, of the risk of the outbound data transfer.
The Measures define four different categories where an official security assessment for the outbound data transfer is mandatory:
- A data handler who transfers Important Data abroad;
- A critical information infrastructure operator, or a data handler processing the personal information of more than 1 million individuals, who, in either case, transfers personal information abroad;
- A data handler who has, since January 1 of the previous year, cumulatively transferred abroad the personal information of more than 100,000 individuals, or the sensitive personal information of more than 10,000 individuals;
- Other circumstances where the security assessment for the outbound data transfer is required by the State Cyberspace Administration.
A self-assessment is a prerequisite for the administrative security assessment and focuses on the risks of the outbound data transfer, such as:
- The legality, legitimacy and necessity of the purpose, scope and methods of the outbound data transfer, and the processing of the data by the foreign recipient;
- The scale, scope, type and sensitivity of the outbound data transfer, and the risks to national security, the public interest or to the legitimate rights and interests of individuals or organisations, caused by the outbound data transfer;
- The duties and obligations which the foreign recipient commits to perform, and whether the foreign recipient’s organizational and technical measures and capabilities in terms of performing the duties and obligations can guarantee the security of the outbound data transfer;
- The risks of the data being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the outbound data transfer, and whether there is a smooth channel for safeguarding personal information rights and interests;
- Whether the responsibilities and obligations for data security protection are fully agreed in relevant contracts for the outbound data transfer, or other legally binding documents to be concluded with the foreign recipient;
- Other matters that may affect the security of the outbound data transfer.
In addition, the Measures require the data handler to sign a legal document with their foreign recipient covering the responsibilities and obligations for data security protection. It is worth highlighting that any violation of the Measures will be punished in accordance with the trio of data regulations, and any severe violations may trigger criminal prosecution.
Since the Measures will come into effect on 1 September 2022, there is an urgent need for all data handlers, which of course include many international shipping companies, to know how to comply.
International shipping is considered as “critical information infrastructure operators” according to Article 31 of the CSL. Therefore, many international shipping companies, managers, flag states and P&I clubs must self-assess their huge data processes when dealing with huge cargo data, ships’ AIS data and emission data and seafarers’ personal data, said BIMCO.