2025-12-30

The Institutional Framework for Security Assessment of Cross-Border Data Transfer



Wang Ding

Associate Professor, Beijing Electronic Science and Technology Institute


Abstract: The Personal Information Protection Law treats the provision of data overseas by operators of critical information infrastructure, and by personal information processors that process a specified amount of personal information, as a circumstance requiring security assessment. In practice, however, because the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law impose different requirements for the security assessment of data export, they differ as to which personal information, sensitive personal information, and important data must pass a security assessment, and as to the data export scenarios covered. These differences have led to an unclear purpose for the security assessment system, misplaced regulations, confusing application rules, and misunderstandings of the administrative relief mechanism. In this regard, it should be clarified that the security assessment of data export belongs to data security review, and that the purpose of the security assessment is to safeguard national security and social public interests. Security assessment should be regarded as a necessary condition for important data export and an additional condition for personal information export, and the applicable rules of security assessment should be re-examined. The data security review system stipulated in Article 24 of the Data Security Law provides a legal basis for exempting data export security assessments from judicial review. At the same time, courts lack the professional capacity to review the conclusions of the security assessment entity, and a review limited to the procedural legality of a data export security assessment may leave the administrative litigation process idle; this also demonstrates the legitimacy of re-assessment as the relief mechanism for the security assessment of data export.

Keywords: security assessment of cross-border data transfer; personal information protection; data security; administrative relief


1. Introduction of the Research Problem

The Security Assessment of Data Export refers to the procedure in which a data processor that provides data to overseas parties files a declaration with the cyberspace administration authorities in accordance with the law, and the cyberspace administration authorities organize an assessment and review to decide whether to approve the data export. It is a key system for balancing national security interests against the legitimate rights and interests of data processors, and it reflects both a country's efforts to safeguard national security and the extent to which it promotes the free flow of data. Only through the scientific design of the Security Assessment of Data Export system can safe and free cross-border data flow be realized.

The Cybersecurity Law of the People's Republic of China (hereinafter referred to as the Cybersecurity Law), the Data Security Law of the People's Republic of China (hereinafter referred to as the Data Security Law), and the Personal Information Protection Law of the People's Republic of China (hereinafter referred to as the Personal Information Protection Law) — which serve as the legal basis for China's data security assessment system — respectively set forth general provisions on the circumstances under which security assessments are required for three types of subjects when providing data overseas: operators of critical information infrastructure, processors of important data, and processors of personal information. The Security Assessment Measures for Data Provision Abroad, formulated by the Cyberspace Administration of China (CAC) in 2022, inherits the spirit of the above three laws and lays down specific provisions on the applicable circumstances, assessment objects, assessment content, and assessment procedures of the security assessment of data export. In 2024, the State Council deliberated and adopted the Regulation on Network Data Security Management, and the CAC promulgated the Provisions on Promoting and Regulating Cross-border Data Flows, which made partial adjustments to the scope of data export subject to security assessment. In form, the three laws — the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law — all stipulate the security assessment system, and the Security Assessment Measures for Data Provision Abroad should provide overall provisions on the security assessment system to serve as the basis for implementing the security assessment systems stipulated in the three higher-level laws. However, the three laws differ in their institutional purposes and adopt different methods of applying the security assessment, which makes it difficult to coordinate and justify the jurisprudential logic behind the provisions of the Security Assessment Measures for Data Provision Abroad. This leads to numerous problems: an unclear institutional purpose for the security assessment of data export, misplaced institutional provisions, a chaotic rule system for overseas data transfer, and misinterpretation of the re-evaluation mechanism by practical departments. Although the Regulation on Network Data Security Management and the Provisions on Promoting and Regulating Cross-border Data Flows have rectified the above problems — no longer treating security assessment as an optional condition for the overseas transfer of personal information — this provision is still insufficient to fundamentally address the unclear characterization and lack of systematicness in the institutional design of the security assessment system. Therefore, it is necessary to conduct a systematic interpretation of the security assessment systems for data export stipulated in the three laws from an academic perspective, clarify the different jurisprudential logics of the security assessment systems under the different legal provisions, and on this basis systematically interpret and restructure the institutional positioning, applicable conditions, and remedy mechanism of the security assessment of data export, so that the security assessment of data export returns to its proper legal position.

2. The Dual Institutional Purposes of the Security Assessment of Data Provision Abroad and Related Issues

The Security Assessment of Data Provision Abroad is a legal system jointly stipulated by the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. To fully take into account the legislative purposes of the above three laws, the design of specific mechanisms for security assessment in the Security Assessment Measures for Data Provision Abroad is overly broad, which has given rise to certain issues.

2.1 The Dual Institutional Purposes Endowed with the Security Assessment of Data Provision Abroad

The Security Assessment Measures for Data Provision Abroad endows the Security Assessment of Data Provision Abroad with dual institutional purposes: first, to protect the rights and interests of personal information; second, to safeguard national security and public interests. The above purposes are the further implementation of the legislative purposes of the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law.

First, to protect the rights and interests of personal information in accordance with the Personal Information Protection Law. The Personal Information Protection Law has specialized and concretized the provisions on protecting personal information in the Civil Code of the People's Republic of China, forming an institutional framework for protecting citizens' rights and interests of personal information. Among them, Article 1 of the Personal Information Protection Law identifies "protecting the rights and interests of personal information and regulating personal information processing activities" as its legislative purpose, and Articles 38 and 40 respectively stipulate that passing the security assessment shall be a necessary condition for personal information processors to provide personal information overseas. The Security Assessment Measures for Data Provision Abroad inherits the legislative purpose of the Personal Information Protection Law and identifies the circumstances where operators of critical information infrastructure and personal information processors of a specific scale provide personal information overseas as those that shall pass the security assessment, which helps to realize the legislative purpose of "protecting the rights and interests of personal information". Article 1 of the Security Assessment Measures for Data Provision Abroad also identifies "protecting the rights and interests of personal information" as the institutional purpose of the security assessment.

Second, to safeguard national security and public interests in accordance with the Data Security Law and the Cybersecurity Law. The Data Security Law and the Cybersecurity Law have relatively similar legislative purposes, both including "safeguarding national security and public interests", and identifying the circumstances where operators of critical information infrastructure provide personal information overseas and other data processors provide important data overseas as those that shall undergo security assessment. The Security Assessment Measures for Data Provision Abroad reiterates the above circumstances in the scope of security assessment, which helps to further refine and implement the specific requirements of the Data Security Law and the Cybersecurity Law and achieve the purpose of "safeguarding national security and public interests". Although both the Data Security Law and the Cybersecurity Law list "protecting the legitimate rights and interests of citizens, legal persons and other organizations" as their legislative purpose, this is different from the legislative purpose of "protecting the rights and interests of personal information" under the Personal Information Protection Law. By imposing cybersecurity and data security protection obligations on network operators and data processors, the Data Security Law and the Cybersecurity Law help ensure the security of network operations and data security, thereby safeguarding national security and public interests at an abstract level; while the Personal Information Protection Law aims to ensure that personal information processing activities do not infringe on individuals' subjective interests by imposing personal information protection obligations on personal information processors, thereby safeguarding the rights and interests of personal information at a concrete level. 
In the scenario of data export, "protecting the legitimate rights and interests of citizens, legal persons and other organizations" is an objective effect arising from safeguarding national security and public interests, and national security and public interests are an abstract collection of the legitimate rights and interests of citizens, legal persons and other organizations. Therefore, the "legitimate rights and interests of citizens, legal persons and other organizations" referred to in the Data Security Law and the Cybersecurity Law are overall legal interests. In contrast, "protecting the rights and interests of personal information" is the most specific and direct legislative goal pursued by the Personal Information Protection Law, and the "rights and interests of personal information" it protects are individual legal interests. This means that the Data Security Law and the Cybersecurity Law do not contain the legislative purpose of directly protecting the rights and interests of personal information.

2.2 Problems Arising from the Dual Institutional Purposes of the Security Assessment of Data Provision Abroad

China has established two independent regulatory systems for data export by taking "important data" and "personal information" as the key anchors, which are stipulated separately in the Data Security Law, the Cybersecurity Law, and the Personal Information Protection Law. However, there are significant differences in the legislative positioning of different higher-level laws, making it impossible for the Security Assessment of Data Provision Abroad system to balance the dual institutional purposes of safeguarding national security and public interests and protecting the rights and interests of personal information.

2.2.1 There is Overlap between Security Assessment, Conclusion of Standard Contracts, and Certification by Professional Institutions

Security assessment, standard contracts, and certification by professional institutions are the three main conditions that personal information processors must meet when providing personal information overseas, and the three are highly homogeneous in their specific content. The assessment content stipulated in the Security Assessment Measures for Data Provision Abroad can be fully covered by the content required for concluding standard contracts and obtaining professional certification. Therefore, these three elements are likely to make the security assessment a redundant institutional design. First, the content of the security assessment stipulated in Article 8 of the Security Assessment Measures for Data Provision Abroad overlaps with the content of the Personal Information Protection Impact Assessment stipulated in the Measures on the Standard Contract for Outbound Transfer of Personal Information; both include assessing the legality, legitimacy, and necessity of the purpose, scope, and method of data export. Second, according to the Measures for Certification of Personal Information Protection for Outbound Transfer of Personal Information (Exposure Draft) issued by the Cyberspace Administration of China (CAC) in January 2025, the jurisprudential logic followed by professional institution certification is to assess whether the overseas receiving entity or the receiving country has sound systems and technical capabilities to safeguard data security and protect the rights and interests of personal information, through mechanisms such as establishing a whitelist of overseas entities. This mechanism is similar to the adequacy decision mechanism stipulated in Article 45 of the EU General Data Protection Regulation (GDPR), and it can fully cover the many parts of the security assessment that focus on reviewing the management and technical measures by which the recipient fulfills its obligations. Therefore, a differentiated design should be adopted for the content of security assessment, the conclusion of standard contracts, and certification by professional institutions; with reference to the Cybersecurity Review Measures, the review content should focus on risks to national security or the public interest, emphasizing the assessment of risks such as exported data being illegally controlled, interfered with, tampered with, disclosed, or destroyed, as well as risks of being influenced, controlled, or maliciously exploited by foreign governments.

The homogeneity of the three systems (security assessment, standard contracts, and certification by professional institutions) stems from Article 38 of the Personal Information Protection Law, which designates these three systems as three parallel and optional conditions for personal information processors to provide personal information overseas. Since the Personal Information Protection Law clearly stipulates that personal information processors may choose the applicable conditions for personal information export, this indicates that the effects of protecting the rights and interests of personal information achieved by personal information processors meeting the three conditions of security assessment, standard contracts, and certification by professional institutions should be roughly equivalent. Consequently, the Security Assessment of Data Provision Abroad system has to balance the legislative purposes of safeguarding national security and public interests as well as protecting the rights and interests of personal information, and make comprehensive provisions on the assessment content, which thus leads to the homogeneity of the content of the three systems.

2.2.2 Excluding the Act of Security Assessment of Data Provision Abroad from the Scope of Cases Accepted in Administrative Litigation Has No Legal Basis

Pursuant to Article 13 of the Security Assessment Measures for Data Provision Abroad, where a data processor has any objection to the assessment results, it may apply to the CAC for a re-assessment, and the re-assessment results are final conclusions. This means that the data processor can only apply to the CAC for a re-assessment to obtain remedy, and may not institute administrative litigation.

Positioning the purpose of the security assessment of data provision abroad as protecting the rights and interests of personal information means that the security assessment of data provision abroad is a system implemented in accordance with the Personal Information Protection Law. In this case, excluding the security assessment of data provision abroad from the scope of accepting cases in administrative litigation not only finds no legal basis in the Personal Information Protection Law, but also runs counter to the institutional logic of personal information processors safeguarding their legitimate rights and interests in accordance with the Personal Information Protection Law. On the one hand, if a personal information processor fails to perform the relevant obligations conferred by the Personal Information Protection Law, the administrative organ may impose administrative penalties on it or pursue other legal liabilities in accordance with the law; on the other hand, if a personal information processor is dissatisfied with the administrative penalty imposed by the administrative organ in accordance with the Personal Information Protection Law, it may seek remedy for its legitimate rights and interests through administrative litigation. Arguing a fortiori, if the security assessment of data provision abroad also falls under the statutory obligations imposed on personal information processors by the state in accordance with the Personal Information Protection Law to regulate personal information processing activities, then personal information processors shall equally have the right to institute administrative litigation against the act of CAC in refusing to approve data export. Remedy is an important mechanism for protecting the rights and interests of personal information. 
Article 45 of the GDPR identifies the availability of effective administrative and judicial remedies for data subjects as a condition for determining that a country or region provides adequate protection. This means that as long as the EU deems that a specific country or region meets the condition of enabling data subjects to obtain effective administrative and judicial remedies, EU data processors may directly provide personal data to the relevant country or region without other authorizations. Whether it is information subjects protecting their own information rights and interests or personal information processors safeguarding their legitimate rights and interests, the right to judicial remedy conferred on them by law is an inevitable requirement for the rule of law in personal information governance. Therefore, in the absence of explicit authorization in the Personal Information Protection Law for CAC to formulate rules excluding the act of security assessment of data provision abroad from the scope of cases accepted in administrative litigation, the provision in the Security Assessment Measures for Data Provision Abroad that does not allow personal information processors to seek remedy for their rights through administrative litigation is not only inconsistent with the institutional logic of the Personal Information Protection Law, but also incompatible with the specific provisions of the Administrative Procedure Law of the People's Republic of China and relevant judicial interpretations.

3. Reflection on the Positioning of the System of Security Assessment of Data Provision Abroad

Among the above-mentioned problems arising from the security assessment of data provision abroad bearing dual institutional purposes, the overlap between the security assessment, the conclusion of standard contracts, and the certification by professional institutions is a problem of unclear positioning and poor complementarity among the three mechanisms in the scenario of personal information export; while excluding the act of security assessment of data provision abroad from the scope of accepting cases in administrative litigation is a problem that the system of security assessment of data provision abroad itself struggles to achieve coordination and self-consistency. It can thus be seen that the Security Assessment Measures for Data Provision Abroad cannot balance the two legislative purposes of safeguarding national security, public interests and protecting the rights and interests of personal information. The reason is that the legislative purposes of different higher-level laws determine that the security assessment of data provision abroad needs to apply different assessment mechanisms. The focus of the security assessment of data provision abroad is national security risks, rather than the risk of damage to the rights and interests of personal information. Therefore, China's legislation takes protecting the rights and interests of personal information as the legislative purpose of the Security Assessment Measures for Data Provision Abroad, which is the root cause of the above-mentioned problems.

3.1 The Purpose of the System of Security Assessment of Data Provision Abroad Should Be Positioned as Safeguarding National Security and Public Interests

Besides being listed in Article 38 of the Personal Information Protection Law as one of the three parallel conditions applicable to personal information processors when providing personal information overseas—alongside the conclusion of standard contracts and certification by professional institutions—the security assessment of data provision abroad is also identified by the Personal Information Protection Law, the Cybersecurity Law, and the Data Security Law as a necessary condition for data export. Article 37 of the Cybersecurity Law requires operators of critical information infrastructure to conduct a security assessment when providing personal information and important data overseas; Article 31 of the Data Security Law stipulates that specialized administrative measures for the outbound transfer of important data shall be formulated by CAC in conjunction with the relevant departments of the State Council; Article 40 of the Personal Information Protection Law stipulates that operators of critical information infrastructure and personal information processors that process personal information reaching the quantity specified by CAC shall pass the security assessment when providing personal information overseas. Thus, through a "qualitative + quantitative" model, the three laws clarify three types of scenarios where data processors must pass the security assessment when providing data overseas: first, the outbound transfer of important data by all data processors; second, the outbound transfer of personal information by operators of critical information infrastructure; third, the outbound transfer of personal information by personal information processors that meet the specified quantity requirement.

From the qualitative perspective, all important data provided by data processors overseas and personal information provided overseas by operators of critical information infrastructure—regardless of the quantity—must undergo the security assessment of data provision abroad. "Important data" is a type of data classified based on its importance in economic and social development. According to the Data Security Law, due to the significance of "important data" in economic and social development and the severe harm that may result from its illegal acquisition or use, classified protection is implemented for it. Pursuant to the Security Protection Regulations for Critical Information Infrastructure, "critical information infrastructure" refers to important network facilities and information systems in key industries and fields, as well as others that may seriously endanger national security, the national economy and people's livelihood, and public interests if damaged, disabled, or suffer data leakage. In these key areas and industries, if data can flow freely across borders, it may be used by other countries for precision profiling and intelligence analysis, thereby threatening national security. Therefore, the provision of important data overseas and the personal information processed by operators of critical information infrastructure—regardless of quantity—must undergo the security assessment. The reason is that such data are directly related to national security and public interests, and the purpose of the security assessment is to prevent national security and public interest risks that may be posed by data export.

From the quantitative perspective, the third type of scenario that must undergo the security assessment of data provision abroad is the activity of personal information processors that meet the specified quantity requirement providing personal information overseas. Why is the requirement of "specified quantity" set? Because the outbound transfer of a single piece or a small amount of personal information will not cause harm to national security and public interests, but "when general data such as personal information converges to a certain scale, it reaches the level of involving national security and public security", and others may analyze information that endangers national security and public interests from it. For example, in November 2017, the company owning the US fitness app Strava released a heatmap of GPS locations of more than 30 million global users, exposing the accurate coordinates of US military bases and combat zones in Afghanistan and Syria. This is an example of the leakage of large-scale aggregated personal information endangering national security. Article 7 of the Cybersecurity Review Measures clearly stipulates that network platform operators holding personal information of more than 1 million users must apply for cybersecurity review when going public abroad, which is set based on this logic. In addition, the more sensitive the information, the more valuable it is for analysis and utilization. The Security Assessment Measures for Data Provision Abroad and the Provisions on Promoting and Regulating Cross-border Data Flows specifically distinguish between sensitive personal information and general personal information. 
They stipulate that data processors that cumulatively provide personal information (excluding sensitive personal information) of more than 1 million people or sensitive personal information of more than 10,000 people overseas since January 1 of that year shall undergo the security assessment when providing personal information abroad.

In summary, although the specific contents of the qualitative provisions in the Cybersecurity Law and the Data Security Law differ from the quantitative provisions in the Personal Information Protection Law, the Security Assessment Measures for Data Provision Abroad "uniformly regulates such different types of data, indicating that China does not strictly distinguish between different data types and conducts integrated assessment of them all from the perspective of risks". This reflects that the security assessment of data provision abroad is a system for safeguarding national security and public interests, bearing the important role of pre-event assessment and check for data export and preventing national security and public interest risks.

3.2 Misalignment of the Provisions of the System of Security Assessment for Personal Information Export

The system of security assessment bearing the institutional purpose of protecting the rights and interests of personal information not only leads to the overlap between the security assessment, the conclusion of standard contracts, and the certification by professional institutions, but also results in the lack of legal basis for excluding the security assessment from the scope of accepting cases in administrative litigation. This is because the three higher-level laws—the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law—have different legislative purposes and all stipulate the security assessment system. However, the Security Assessment Measures for Data Provision Abroad must balance the legislative purposes of the three higher-level laws and design the specific mechanisms of the security assessment based on this. Therefore, the root cause of the problem is that Articles 38 and 40 of the Personal Information Protection Law stipulate the system of security assessment for personal information export, requiring the Security Assessment Measures for Data Provision Abroad to balance the requirement of protecting the rights and interests of personal information under the Personal Information Protection Law in both its legislative original intention and specific institutional design.

3.2.1 The Personal Information Protection Law Should Not Regard the Security Assessment as an Optional Condition for Personal Information Export

The Personal Information Protection Law was formulated earlier than the Security Assessment Measures for Data Provision Abroad. When designing the personal information export system, legislators could not have anticipated that the data provision abroad security assessment system subsequently formulated by CAC would need to coordinate with and inherit the specific requirements of the Cybersecurity Law and the Data Security Law regarding the data export security assessment system. Therefore, Article 38 of the Personal Information Protection Law lists the security assessment as one of the conditions that personal information processors must meet when providing personal information overseas, alongside the conclusion of standard contracts and certification by professional institutions. The preconditions for personal information export designed in Article 38 of the Personal Information Protection Law are intended to fully protect the rights and interests of personal information, avoiding harm to such rights and interests due to factors such as inadequate systems and underdeveloped technologies of the personal information recipient. To safeguard personal information rights and interests, the EU GDPR also sets thresholds for personal information export. Specifically, when a data processor in an EU member state provides personal information to a country or region outside the EU, it shall first determine whether the personal information recipient is located in a country or region that provides adequate protection in accordance with Article 45 of the GDPR. If the recipient is in a country or region recognized as providing adequate protection, the data processor may provide personal information to it unconditionally; if not, the data processor must meet the personal information export conditions through mechanisms such as concluding standard contracts or obtaining third-party certification in accordance with Article 46 of the GDPR.
Although Article 38 of the Personal Information Protection Law stipulates that the security assessment, standard contracts, and professional institution certification are optional conditions for personal information processors to provide personal information overseas, the three systems actually differ in their target positioning, implementation mechanisms, and application effects. For example, a comparison of the provisions on security assessment and standard contract conclusion shows that even if a personal information processor agrees on content such as "the purpose, method, and scope of personal information export" through a standard contract, it does not mean it has met the data security risk prevention standards required by the security assessment; conversely, after a personal information processor passes the security assessment and provides personal information to an overseas entity, it may lose control over the personal information, so it is still necessary to impose restrictions on the overseas entity through a standard contract. Since Article 38 of the Personal Information Protection Law (formulated in 2021) lists the security assessment, standard contracts, and professional institution certification as parallel optional conditions for personal information export, the Security Assessment Measures for Data Provision Abroad (formulated the following year) had to balance the legislative purpose of protecting personal information rights and interests under the higher-level law, resulting in numerous assessment contents unrelated to safeguarding national security and public interests. Removing the security assessment from the optional conditions for personal information export would help further narrow down its applicable scenarios, aligning the legislation with the policy orientation of regulating and promoting the legal, orderly, and free flow of data.

The Provisions on Promoting and Regulating Cross-border Data Flows clearly distinguishes between the conditions under which personal information processors shall apply the security assessment and those under which they may optionally adopt the conclusion of standard contracts or certification by professional institutions when providing personal information overseas. It specifies that data processors other than operators of critical information infrastructure are not required to apply for the security assessment, conclude standard contracts, or obtain certification by professional institutions if they cumulatively provide personal information (excluding sensitive personal information) of fewer than 100,000 people overseas since January 1 of that year; they shall conclude standard contracts or obtain certification by professional institutions if they cumulatively provide personal information (excluding sensitive personal information) of more than 100,000 but fewer than 1 million people, or sensitive personal information of fewer than 10,000 people overseas since January 1 of that year; they shall apply for the security assessment if they cumulatively provide personal information (excluding sensitive personal information) of more than 1 million people or sensitive personal information of more than 10,000 people overseas since January 1 of that year. The above provisions are inconsistent with Article 38 of the Personal Information Protection Law, which lists the security assessment, standard contracts, and certification by professional institutions as optional conditions for personal information export. We can either regard this provision in the Provisions on Promoting and Regulating Cross-border Data Flows as a refinement of Article 38 of the Personal Information Protection Law or as a "correction" to it. 
The issuance of the Provisions on Promoting and Regulating Cross-border Data Flows not only clarifies that the security assessment is no longer an optional condition for personal information export as stipulated in Article 38 of the Personal Information Protection Law but also provides detailed provisions on the "quantity specified by CAC" as stipulated in Article 40 of the Personal Information Protection Law. In summary, the security assessment should not be an optional condition for personal information export.

3.2.2 Misplacement of Attribution of the Provision "Personal Information Export Must Undergo the Security Assessment"

Article 40 of the Personal Information Protection Law, through a "qualitative + quantitative" model, clearly stipulates that operators of critical information infrastructure and personal information processors that meet the specified quantity requirement shall pass the security assessment when providing personal information overseas.

From the qualitative perspective, first, operators of critical information infrastructure shall pass the security assessment when providing personal information overseas. To ensure the security of critical information infrastructure, the Cybersecurity Law (formulated in 2016) has already stipulated that the personal information and important data collected and generated by operators of critical information infrastructure must undergo the security assessment before being transferred overseas. To maintain the integrity of the rule system, the Personal Information Protection Law repeats the provision that operators of critical information infrastructure shall pass the security assessment when providing personal information overseas in Chapter III "Rules for the Cross-border Provision of Personal Information". Although the provision of personal information overseas by operators of critical information infrastructure falls within the scope of regulating personal information processing activities and is related to Chapter III "Rules for the Cross-border Provision of Personal Information" of the Personal Information Protection Law, from the perspective of the nature and purpose of this provision, requiring such operators to pass the security assessment is not to protect personal information rights and interests, but to safeguard national security and public interests. Therefore, although the provision that operators of critical information infrastructure shall pass the security assessment when providing personal information overseas formally belongs to the scope of Chapter III of the Personal Information Protection Law, it has deviated from the legislative scope of the Personal Information Protection Law in terms of legislative purpose and provision nature.

Secondly, from the quantitative perspective, personal information processors that process a certain volume of personal information shall pass the security assessment when providing personal information overseas—this is a new provision introduced by the Personal Information Protection Law. Is there a direct connection between processing personal information "up to the specified quantity" and protecting personal information rights and interests? The answer to this question is negative. Protecting personal information rights and interests does not use the quantity of personal information processed as a standard to impose obligations on personal information processors. For example, according to Article 14, Paragraph 1 of the Personal Information Protection Law, personal information processors may process personal information on the basis of the individual's full informed consent. We cannot regard this as a requirement for personal information processors to process a certain quantity of personal information; even if a personal information processor only processes the personal information of one individual in a single personal information processing activity, it must comply with this provision. This is because the personal information rights and interests of each individual have independent value, and it is not only when personal information reaches a certain scale that it becomes necessary to protect personal information rights and interests. The fact that the quantity of personal information has no bearing on the necessity of protecting personal information rights and interests indicates that this provision of the Personal Information Protection Law has exceeded the legislative purpose of "protecting personal information rights and interests."

Since the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law all mention the security assessment system in their specific provisions, the Security Assessment Measures for Data Provision Abroad and the Provisions on Promoting and Regulating Cross-border Data Flows need to refine and implement the provisions in the above three higher-level laws, implement the legislative purposes of the three laws, and design the specific mechanisms of the security assessment of data provision abroad. Therefore, the existing problems of the current security assessment system for data provision abroad are not caused by the Security Assessment Measures for Data Provision Abroad and the Provisions on Promoting and Regulating Cross-border Data Flows themselves, but by the misplacement of the provisions in Articles 38 and 40 of the Personal Information Protection Law.

3.3 The Normative Approach to the Security Assessment of Personal Information Export

Regulating the cross-border transfer of personal information is not necessarily all for the purpose of protecting personal information rights and interests. The Committee on Foreign Investment in the United States (CFIUS)—a specialized government body responsible for managing foreign investment and safeguarding national security—includes foreign investments in U.S. enterprises involving critical information infrastructure, critical technologies, and sensitive personal data within its jurisdiction for review, "restricting non-Americans' access to data through national security exceptions." Articles 38 and 40 of the Personal Information Protection Law respectively stipulate scenarios where the security assessment serves as an optional condition for personal information export and where it acts as a necessary condition. As mentioned earlier, the core legislative purpose of the Personal Information Protection Law is "protecting personal information rights and interests," and the two mechanisms of concluding standard contracts and obtaining professional institution certification are sufficient to meet this legislative purpose in the context of personal information export. Therefore, the provision in Article 38 of the Personal Information Protection Law that lists the security assessment as one of the optional conditions for personal information export is not entirely reasonable. Meanwhile, Article 40 of the Personal Information Protection Law specifies scenarios where the security assessment is mandatory for personal information export, but the purpose of the security assessment in such cases is to safeguard national security and public interests, rather than the "protection of personal information rights and interests" that the personal information protection legislation is supposed to bear.

As noted previously, the provisions on concluding standard contracts and obtaining professional institution certification are already capable of meeting the requirements for protecting the rights and interests of personal information subjects. The security assessment of data provision abroad is a system formulated under the guidance of the Overall National Security Outlook and within the framework of the rules on data and personal information export stipulated in the three higher-level laws—the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law—and its purpose should be positioned as safeguarding national security and public interests. Thus, the security assessment of personal information export falls within the legislative scope of the Data Security Law, and its specific provisions should not be included in the Personal Information Protection Law, which takes protecting personal information rights and interests as its core purpose. The reason why China included provisions on the security assessment of data export by operators of critical information infrastructure in the Cybersecurity Law (formulated in 2016) is that there was no legislative plan for the Data Security Law at the time of formulating the Cybersecurity Law, so legislators incorporated a number of data security provisions into the Cybersecurity Law.

In the future, when China amends the Data Security Law and the Personal Information Protection Law, the design of a reference clause can not only resolve the existing problem of legislative misplacement but also ensure the integrity of the system of Chapter III "Rules for the Cross-border Provision of Personal Information" in the Personal Information Protection Law. Specifically, first, the content of Article 40 of the Personal Information Protection Law should be incorporated into the Data Security Law, which shall stipulate that operators of critical information infrastructure and personal information processors that meet the specified quantity requirement must undergo the security assessment when providing personal information overseas; second, a reference clause should be adopted in the Personal Information Protection Law, and the relevant content of Article 40 should be revised to: "Where operators of critical information infrastructure and personal information processors that process personal information up to the specified quantity have the genuine need to provide personal information overseas, the relevant provisions of the Data Security Law shall apply."

4. Applicable Rules for the Security Assessment of Data Provision Abroad

According to the provisions of the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, the Regulation on Network Data Security Management, the Security Assessment Measures for Data Provision Abroad, and the Provisions on Promoting and Regulating Cross-border Data Flows, the applicable scenarios for the security assessment of data provision abroad include: operators of critical information infrastructure providing personal information and important data overseas, important data processors providing important data overseas, and operators of critical information infrastructure and personal information processors that meet the specified quantity requirement providing personal information overseas. The above scenarios must undergo the security assessment of data provision abroad without the need to conclude standard contracts or obtain certification by professional institutions. If a personal information processor provides personal information overseas but fails to meet the "qualitative + quantitative" conditions stipulated in Article 40 of the Personal Information Protection Law, yet has cumulatively provided personal information (excluding sensitive personal information) of more than 100,000 but fewer than 1 million people, or sensitive personal information of fewer than 10,000 people overseas since January 1 of that year, it shall choose and apply one of the two options: concluding standard contracts or obtaining certification by professional institutions. The above two types of scenarios are shown in Figure 1:

Figure 1: Applicable Rules for Security Assessment, Standard Contracts, and Professional Institution Certification in Data Export

To address issues such as the overlap between the security assessment of data export, the conclusion of standard contracts, and the certification by professional institutions, it is not only necessary to adjust the content of the security assessment system from the Personal Information Protection Law to the Data Security Law, but also to conduct a systematic reconstruction of the systems of security assessment, standard contract conclusion, and professional institution certification applicable to data export. From the perspective of data types, the scenarios where data export requires the security assessment can be divided into two categories: important data export and personal information export. Based on this classification, the rule system for data export can be scientifically reconstructed.

First, the security assessment should be a necessary condition for the export of important data. The Cybersecurity Law requires operators of critical information infrastructure to undergo the security assessment when providing important data overseas, while the Data Security Law stipulates that all data processors must pass the security assessment when providing important data overseas. This means that under current legislation, all cases of important data export require the security assessment. From a qualitative perspective, as the "top tier" in terms of data export risks, important data—regardless of its volume—may pose a serious threat to national security and public interests once illegally utilized. Therefore, to safeguard national security and public interests, all activities involving the provision of important data overseas must pass the security assessment. This institutional design is consistent with the provisions of the current Cybersecurity Law and Data Security Law. In contrast, activities involving the provision of personal information overseas that do not meet the specified quantity requirement have no connection with important data, so the security assessment should not be regarded as an optional condition for personal information export.

Second, the security assessment should be an additional condition for personal information export. Compared with non-personal information such as important data, personal information export in general circumstances only needs to avoid harm to personal information rights and interests; only in specific situations must it additionally prevent risks to national security and public interests. In the context of data export, there are multiple ways to protect personal information rights and interests. For example, the Personal Information Protection Law stipulates three main methods—security assessment, conclusion of standard contracts, and certification by professional institutions—for different personal information processors to choose and apply according to specific circumstances. In addition, the Personal Information Protection Law reserves room for establishing other mechanisms, specifying "other conditions stipulated by laws, administrative regulations, or CAC" beyond the above three methods. However, the three methods—security assessment, conclusion of standard contracts, and certification by professional institutions—differ in their institutional objectives, implementation mechanisms, and application effects. Concluding a standard contract is a legal act where parties reach a consensus, agreeing on matters related to personal information export and obligations concerning the protection of personal information rights and interests. Its juridical logic is to establish a restrictive mechanism constrained by contract clauses, endorsed by the mutual trust of equal civil subjects, and sanctioned by civil liability, based on the principle of autonomous contracting.
Certification by professional institutions refers to a system where professional institutions approved by the national market supervision and administration department assess and confirm the management and technical capabilities of data recipients to determine whether they have the ability to protect personal information. Its juridical logic is that professional institutions verify whether overseas receiving entities or countries have sound systems and technical capabilities to maintain data security and protect personal information rights and interests—similar to the adequacy protection recognition mechanism stipulated in Article 45 of the EU GDPR. Although the methods adopted and effects pursued by concluding standard contracts and obtaining professional institution certification are different, both aim to protect personal information rights and interests. In contrast, the security assessment of data export is a procedure organized and carried out by CAC, an administrative organ, throughout the process. CAC at the national and provincial levels conduct a comprehensive review and assessment of the legality, legitimacy, and necessity of data export, as well as the potential risks to national security and public interests. Its juridical logic is that state organs directly intervene in data flow activities between equal civil subjects to conduct review and assessment of national security risks.

When personal information processors provide personal information overseas, all such activities involve the personal information rights and interests of data subjects, and it is necessary to ensure that the recipient is subjectively willing and objectively capable of protecting personal information rights and interests. However, not all activities of personal information processors providing personal information overseas will pose risks to national security and public interests; only when the personal information provided overseas meets qualitative or quantitative standards is it necessary to pay attention to and prevent such risks. From the perspective of steadily expanding institutional opening-up and better adapting to the requirements of international treaties such as the Comprehensive and Progressive Agreement for Trans-Pacific Partnership, the scope of application of the data export security assessment should be limited to the necessary extent. Article 7 of the Provisions on Promoting and Regulating Cross-border Data Flows restricts the conditions for the mandatory security assessment of personal information export to "cumulatively providing more than 1 million pieces of personal information excluding sensitive personal information or more than 10,000 pieces of sensitive personal information overseas since January 1 of that year," which is consistent with this approach. However, the Provisions separates the scenarios requiring the data export security assessment from those where parties may choose to conclude standard contracts or obtain professional institution certification, stipulating that processors falling within the security assessment scenarios no longer need to conclude standard contracts or obtain professional institution certification when providing personal information overseas; this makes it difficult to balance the protection of personal information rights and interests with the safeguarding of national security interests.
Regarding the conditions for personal information export, personal information processors should focus on "resolving overseas security risks of personal information rather than emphasizing domestic supervision before personal information is exported." Positioning the security assessment as a national security review system rather than a system for protecting personal information rights and interests means that while conducting security assessments on eligible personal information export activities, mechanisms for protecting personal information rights and interests such as concluding standard contracts or obtaining professional institution certification should also be selected and applied. Therefore, in the context of personal information export, concluding standard contracts or obtaining professional institution certification for the purpose of protecting personal information rights and interests should be a mandatory condition for personal information processors that meet quantitative requirements to provide personal information overseas, and when personal information export activities meet qualitative or quantitative requirements, the security assessment procedure should additionally apply. 
Thus, a two-tier rule system for personal information processors providing personal information overseas can be constructed. The first tier consists of the conditions that personal information processors meeting the first-tier volume threshold must satisfy: concluding standard contracts or obtaining professional institution certification. Its purpose is to ensure that the overseas recipient's personal information processing activities meet the standards for protecting personal information rights and interests, preventing the personal information of Chinese citizens from flowing into "protection gaps"; personal information processors may choose either option, and are encouraged to adopt both to build a multi-dimensional barrier for protecting personal information rights and interests. The second tier is an additional condition that personal information processors meeting the qualitative requirement or the second-tier volume threshold must satisfy: passing the security assessment. Its institutional purpose is to safeguard national security and public interests. As a mandatory additional condition for personal information export, passing the security assessment cannot replace concluding standard contracts or obtaining professional institution certification, but is an extra requirement to be met on the basis of either. The conditions triggering the security assessment mechanism include a qualitative criterion (operators of critical information infrastructure providing personal information overseas) and a quantitative criterion (personal information processors that process a specified quantity of personal information providing personal information overseas).

Designing the data export security assessment as a subsequent condition rather than a parallel condition for concluding standard contracts or obtaining professional institution certification is an inevitable requirement for clarifying the relationships between the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, and it is also a better model for balancing the safeguarding of national security, the protection of personal information rights and interests, and the promotion of the free cross-border flow of data. Article 8, Item 5 of the Security Assessment Measures for Data Provision Abroad can indirectly verify the rationality of this two-tier rule system. This provision identifies whether the legal documents to be concluded between the data processor and the overseas recipient fully stipulate the responsibilities and obligations for data security protection as a key matter for assessment and review. This means that personal information export activities must undergo security assessment after meeting the requirements of concluding legal documents such as standard contracts, reflecting the rationality of positioning the security assessment as a subsequent procedure to standard contracts and professional institution certification. It can even be argued that in the context of personal information export, the completion of concluding standard contracts or obtaining professional institution certification should be part of the review content of the security assessment.

In summary, constructing the data export rule system based on data types should first involve distinguishing between important data and personal information. Any data processor providing important data that is not personal information overseas shall directly apply the security assessment system. Personal information processors providing personal information overseas shall follow the two-tier rule system: personal information processors that meet the first-tier volume threshold shall conclude standard contracts or obtain professional institution certification when providing personal information overseas. If a personal information processor is an operator of critical information infrastructure or meets the second-tier volume threshold, it must pass the security assessment organized by the cyberspace administration on the basis of concluding standard contracts or obtaining professional institution certification when providing personal information overseas. The data export rule system constructed based on data types is shown in Figure 2.

Figure 2: Data Export Rule System Constructed Based on Data Types

5. Administrative Remedy Mechanism for the Security Assessment of Data Export: Justification of the Legitimacy of Reassessment

The administrative remedy mechanism for the security assessment of data export is an integral part of the security assessment system for data export. The security assessment of data export takes safeguarding national security and public interests as its institutional objective, which determines the nature of the security assessment system for data export and the design of the corresponding remedy mechanism. The Security Assessment Measures for Data Provision Abroad identifies "applying to the national cyberspace administration for reassessment" as the remedy method for data processors against the security assessment result, and explicitly stipulates that the reassessment result is the final conclusion. This means that "reassessment" as an administrative remedy mechanism is the only remedy method for data processors against the security assessment result. If a data processor has objections to the security assessment result made by the cyberspace administration, it can only apply to the national cyberspace administration for reassessment and cannot obtain remedies through administrative litigation or administrative reconsideration. In addition, the reassessment result made by the national cyberspace administration is the final conclusion, and even if the data processor still has objections to the reassessment result, it cannot initiate administrative litigation or apply for administrative reconsideration. From the perspective of the nature of the security assessment of data export and the theory of the scope of accepting cases in administrative litigation, taking reassessment as the remedy mechanism for the security assessment has legal basis and legitimate grounds.

5.1 Legal Basis for the Non-Litigability of the Act of Data Export Security Assessment

Defining the nature of the security assessment of data export requires clarifying two issues: first, whether the security assessment falls under the data security review system stipulated in Article 24 of the Data Security Law; second, whether the security assessment constitutes an administrative act.

First, the security assessment of data export falls under the data security review system stipulated in Article 24 of the Data Security Law. Article 24 of the Data Security Law puts forward the concept of "data security review system" and explicitly requires national security review for data processing activities that may affect national security. This provision is based on Article 59 of the State Security Law of the People's Republic of China, which states that "the state shall establish systems and mechanisms for national security review and supervision, conduct national security reviews on foreign investments, specific items and key technologies, network information technology products and services, construction projects involving national security matters, and other major matters and activities that affect or may affect national security, so as to effectively prevent and defuse national security risks." Therefore, data security review is a form of national security review, an act of conducting national security review to effectively prevent risks posed by data processing activities to national security. However, does the security assessment of data export belong to the data security review system? This issue is disputed in academic circles. Some scholars believe that although the security assessment has similar functions to data security review, it is not the same system. The institutional purpose of the security assessment is to safeguard national security and public interests, and data export is a key link that may affect data security. Therefore, it can be inferred from both the institutional purpose and the nature of the act that the security assessment of data export is a form of data security review, and the nature of the security assessment of data export is national security review.
Before the promulgation of the Provisions on Promoting and Regulating Cross-border Data Flows, the security assessment of data export, standard contracts, and professional certification were systems that personal information processors could freely choose to apply when providing personal information overseas. Some scholars argued that standard contract and professional certification procedures are initiated by enterprises' applications, while security reviews are proactively launched by regulatory authorities, so the security assessment of data export does not belong to data security review. However, after the promulgation of the Provisions on Promoting and Regulating Cross-border Data Flows, it is clearly stipulated that the security assessment is no longer listed in parallel with standard contracts and professional institution certification for personal information processors to freely choose; instead, different scenarios applicable to the security assessment, standard contracts, and professional institution certification are distinguished. This provision fully confirms that the security assessment of data export has the special attribute of national security review. In fact, the national security review system includes both scenarios of proactive review by administrative organs and scenarios of review by administrative organs upon application. The former includes the cybersecurity review imposed on Didi Chuxing Technology Co., Ltd. by seven departments including the Cyberspace Administration of China in 2021, and the cybersecurity review imposed on Micron Technology, Inc. by the Cyberspace Administration of China in 2023; the latter includes the scenario stipulated in the Cybersecurity Review Measures that online platform operators must undergo cybersecurity review before listing overseas. This means that whether a type of security review has the nature of national security review has nothing to do with its initiation method. 
Therefore, the security assessment of data export belongs to the data security review system stipulated in Article 24 of the Data Security Law and is a form of data.

Second, the security assessment of data export is a typical administrative act. The security assessment of data export refers to an activity in which a data processor, when providing data overseas, files an application with the cyberspace administration in accordance with three higher-level laws (the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law) and the Security Assessment Measures for Data Provision Abroad, and the cyberspace administration organizes and conducts the assessment and review to decide whether to approve the data export. Academic circles have debated endlessly over the definition of the concept of administrative act, with disputes over reform paths such as limited horizontal expansion, overall horizontal expansion, and vertical expansion, and some scholars have specifically examined whether the security assessment of data export constitutes an administrative act. However, the security assessment of data export does not lie in the grey area of administrative acts; it is a clear and typical administrative act. Precisely speaking, the security assessment of data export has all the external characteristics of an administrative license among administrative acts, and is in essence an act in which the administrative subject, upon application by the administrative counterpart and after legal review, approves the latter to engage in a specific activity. The security assessment is an administrative license; administrative license is a macro procedural mechanism of administrative acts that adjusts social interest relations, while data security review is a meso procedural mechanism that adjusts national security interests and the interests of data processors in the field of data export security. 
Therefore, administrative license and data security review are not mutually exclusive concepts divided based on the same standard; instead, in the case of security assessment of data export, the administrative license procedure includes the data security review procedure and is formally a higher-level system of data security review. According to the provisions of the Administrative Procedure Law, when a data processor believes that the administrative decision made by the cyberspace administration refusing to approve its provision of data overseas infringes on its legitimate rights and interests, it shall have the right to file an administrative lawsuit with the people's court in accordance with the law. However, the Administrative Procedure Law also excludes administrative acts that are finally ruled by administrative organs as prescribed by law from the scope of accepting cases in administrative litigation. As a "departmental rule" formulated by the Cyberspace Administration of China, the Security Assessment Measures for Data Provision Abroad itself has no right to exclude security assessment decisions from the scope of accepting cases in administrative litigation, but the Data Security Law, as its higher-level law, provides a legal basis for excluding data security review acts from the scope of accepting cases in administrative litigation. Article 24 of the Data Security Law clearly stipulates the data security review system: the security review decision made by the state "in accordance with the law shall be the final decision," thereby excluding the channel for data processors to obtain remedies through administrative litigation under the data security review system. The security assessment of data export belongs to the data security review system, which can justify the legality of the security assessment system of data export taking reassessment as the remedy mechanism and the reassessment conclusion as the final conclusion. 
However, to further clarify that the security assessment system falls under the data security review system stipulated in Article 24 of the Data Security Law and resolve theoretical confusion about whether Article 24 of the Data Security Law is the legal basis for the non-litigability of the security assessment, it is advisable for the Security Assessment Measures for Data Provision Abroad to revise the expression of "the reassessment result is the final conclusion" in Article 13 to "pursuant to the provisions of Paragraph 2 of Article 24 of the Data Security Law, the reassessment result is the final conclusion."

5.2 Legitimate Grounds for the Non-Litigability of the Act of Data Export Security Assessment

Precisely because the security assessment of data export falls under the data security review system stipulated in Article 24 of the Data Security Law, it has legal basis for being excluded from the scope of accepting cases in administrative litigation. But what are the grounds for this provision? Its rationality lies in the fact that administrative litigation must conduct legality review not only on the substantive conclusions of administrative acts but also on the procedures of administrative acts. However, in the field of the act of security assessment of data export, it is difficult for courts to achieve the effect of safeguarding the legitimate rights and interests of data subjects whether they review the substantive conclusions or the procedures.

First, courts lack the professional capacity to review the substantive conclusions of data export security assessments. The reason why the data security review system stipulated in Article 24 of the Data Security Law excludes the channel for parties to obtain remedies through administrative litigation is that the data security review system is not a mere legal act; to a greater extent, it is a risk assessment activity that examines the security of data processing activities and the potential national security risks they may pose. This risk assessment activity involves numerous complex factors and professional judgments beyond legal matters, posing varying degrees of challenges to all countries. For example, even though the European Commission has officials with professional and technical knowledge and a team of high-level lawyers, it cannot accurately determine the data protection level of third countries' legislation. In addition, security assessments also involve issues of data sovereignty. Due to significant differences in policies on data processing activities among various countries and regions, specific practices have shown a trend of politicization and blocization. Although no country has completely prohibited data export, all countries impose restrictions on data export based on specific industries or specific processes and services. Some scholars even argue that it is necessary to adopt rules of recognition and respect, as well as rules of renunciation and restraint from diplomatic principles to respect data sovereignty. It can be seen from the assessment procedure designed in the Security Assessment Measures for Data Provision Abroad that the cyberspace administration is unable to independently assess and review data export declarations, but needs to organize relevant competent departments, local cyberspace administrations, specialized institutions, etc., to participate in the assessment based on the declaration situation. 
Therefore, if a data processor disagrees with the security assessment result and files an administrative lawsuit with the court, the judicial organs also lack the professional capacity to conduct substantive review of whether the cyberspace administration's decision refusing to approve data export is correct. It is evident that remediating the act of data export security assessment through administrative litigation has no practical substantive significance.

Second, courts conducting legality review on the procedures of data export security assessments will lead to idle running of administrative and judicial procedures and waste administrative and judicial resources. The data export security assessment procedures stipulated in the Security Assessment Measures for Data Provision Abroad mainly involve two aspects: first, the subject of data export security assessment. According to Article 10 of the Security Assessment Measures for Data Provision Abroad, after accepting a declaration, the national cyberspace administration shall, based on factors such as territorial and industry-specific management, organize competent data authorities, local cyberspace administrations, professional institutions in relevant industries and other departments to jointly conduct the security assessment. However, no matter which departments or institutions the cyberspace administration selects to form the assessment subject, it falls within the scope of the national cyberspace administration's exercise of discretion, which relates to the rationality of the administrative act rather than its legality. In accordance with the principle of legality review under the Administrative Procedure Law, courts have almost no room for judicial review and lack the professional capacity to review this issue. Second, the time limit and notification form for data export security assessment. According to Article 12 of the Security Assessment Measures for Data Provision Abroad, the time limit for security assessment by the national cyberspace administration is 45 working days in principle, which may be extended under special circumstances; at the same time, the assessment result shall be notified to the data processor in writing. If the assessment exceeds the statutory time limit or the cyberspace administration fails to notify the result to the data processor in writing, what consequences will such an act lead to in administrative litigation? 
According to the provisions of the Administrative Procedure Law, if an administrative act has minor procedural irregularities that do not actually affect the plaintiff's rights, the court shall confirm the administrative act as illegal without revoking it. In addition, according to the Interpretation of the Supreme People's Court on the Application of the Administrative Procedure Law of the People's Republic of China (Fa Shi [2018] No. 1) issued in 2018, both minor violations of processing time limits and minor violations of notification procedures fall under the "minor procedural irregularities" stipulated in the Administrative Procedure Law. In the data export security assessment procedure, if the cyberspace administration slightly exceeds the time limit for the security assessment or uses an incorrect notification form, neither will affect the validity of the decision already made refusing to approve data export, and the court will only confirm the procedural irregularity in the security assessment process. Even where the cyberspace administration seriously delays the security assessment decision, so that the court applies a revocation judgment rather than a judgment confirming illegality, the cyberspace administration can still reissue the decision refusing to approve data export in strict compliance with the time limit provisions, and the substantive content of its previous decision will not change. In summary, even if data processors are allowed to file administrative lawsuits regarding procedural issues of security assessments, whether the court makes a judgment confirming illegality or a revocation judgment, it will not change the substantive decision made by the cyberspace administration. Instead, it will lead to idle running of administrative and judicial procedures and consume the resources of all parties. 
Article 24 of the Data Security Law clearly stipulates that "the security review decision made in accordance with the law shall be the final decision" for the data security review system. This provision not only excludes the security assessment system from the scope of accepting cases in administrative litigation but also from the scope of accepting cases in administrative reconsideration. The reasoning for excluding security assessment conclusions from the scope of administrative reconsideration is roughly consistent with the reasoning for excluding them from administrative litigation as mentioned above.

6. Conclusion

Clarifying the institutional positioning that the data export security assessment belongs to the legislative scope of the Data Security Law and limiting its institutional purpose to safeguarding national security and public interests can fundamentally clarify the legal relations concerning the data export security assessment system stipulated in different laws such as the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, and straighten out the applicable scenarios of the data export security assessment as well as specific mechanisms including its objects, content, and procedures. More importantly, this theory can clarify the significant differences between the data export security assessment, standard contracts, and professional institution certification in terms of institutional objectives, implementation mechanisms, and application effects from a legal logical perspective, providing a theoretical basis for reconstructing a data export rule system that balances the safeguarding of national security and personal information rights and interests and enables the precise hierarchical functioning of various systems. In the future, when China amends the three laws—the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law—it will be necessary to consider redesigning and making overall arrangements for the data export security assessment system.