Alert 03.10.23
03.22.23
In recent years, alongside the rapid development of the digital economy and the concomitant increase in data generation, collection, processing and monitoring in the People’s Republic of China (PRC or China), the Chinese government has accelerated efforts to establish a robust legal framework for data protection. Over the past five years, China has promulgated several major data protection laws, including the Cybersecurity Law (CSL) (effective from June 1, 2017), the Personal Information Protection Law (PIPL) (effective from November 1, 2021) and the Data Security Law (DSL) (effective from September 1, 2021), together with a series of implementation regulations and administrative guidance. These laws and regulations, particularly with respect to requirements on the processing of personal information and cross-border data transfer, pose significant challenges and compliance obligations for multinational companies when conducting business in and with China. This article outlines our observations of the mechanisms and practice of cross-border transfer of personal information under China’s current legal framework.
The PIPL provides three legal mechanisms for a personal information processor (PI Processor) in the mainland PRC to transfer personal information outside mainland China. (See our detailed analysis of the PIPL here).
Those legal mechanisms are: (1) a mandatory security assessment organized by the Cyberspace Administration of China (CAC) (Mandatory CAC Security Assessment); (2) personal information protection certification by a professional institution (Third Party Security Certification); and (3) a standard contract with the overseas recipient in the form formulated by the CAC (Standard Contract).
Where the cross-border data transfer activities do not trigger the Mandatory CAC Security Assessment, PI Processors may choose either Third Party Security Certification or Standard Contract as a mechanism to transfer personal information overseas.
However, because the CAC has not yet identified the professional certification institutions or published the details of the Third Party Security Certification procedure, the Standard Contract mechanism is likely to be the more efficient option for multinational companies to adopt for cross-border transfers of personal information where the Mandatory CAC Security Assessment does not apply.
We outline below the circumstances in which each of the above mechanisms would apply and discuss the compliance actions that multinational companies should consider taking from a practical perspective.
Mandatory CAC Security Assessment
On July 7, 2022, the CAC released the final version of the Measures on Security Assessment for Data Export (Security Assessment Measures). Further, the CAC issued the Guidelines on Application for Security Assessment of Cross-Border Data Transfers (1st Edition) (Security Assessment Guidelines) on August 31, 2022. Both the measures and the guidelines came into effect on September 1, 2022. According to the Security Assessment Measures and the Security Assessment Guidelines, a Mandatory CAC Security Assessment applies to cross-border data transfers in any of the following circumstances:
“Important data” is defined as “data that may endanger national security, economic operation, social stability, public health and safety once it is tampered with, destroyed, leaked, or illegally obtained or used.” The concept of important data was first raised in the CSL, under which network operators in China are required to categorize data and formulate backup and encryption measures for the protection of “important data.” Also, according to the DSL, China will establish a data categorization and classification system and Chinese authorities will formulate a catalog of “important data.” To date, no such catalog has been made public. It is expected that the industry regulators will play a key role in defining and categorizing “important data” in each industry and formulate industrial rules or provide administrative guidance on identifying “important data.”
“CII” refers to important network facilities and information systems in important industries and fields, such as public communication and information services, energy, transportation, water resources, finance, public services, e-government affairs, and science, technology and industry for national defense, as well as other important network facilities and information systems whose destruction, loss of function or data leakage may seriously endanger national security, people’s livelihoods and public interests. On July 30, 2021, the State Council released the Regulation on Protection of Security of Critical Information Infrastructure, under which the industry regulators supervising the important industries and fields listed above are to formulate their own rules for identifying CIIs within their respective industries.
In practice, the regulatory authority supervising each industry identifies the business operators in that industry that are designated as CII operators and notifies them. Multinational companies may consult their respective industry regulators on whether they are categorized as CII operators. In general, a company that has not been notified by its industry regulator that it is a CII operator is unlikely to be one at this stage. However, because a company’s business and size change over time and the industry regulators may update their rules from time to time, we recommend that companies keep monitoring any changes to the definition of CII and to their own status.
Third Party Security Certification
China’s National Information Security Standardization Technical Committee published Version 1 of the Security Certification Specifications for Handling Cross-Border Transfer of Personal Information (Certification Guidelines) on June 24, 2022. Within six months, on December 16, 2022, it issued Version 2 of the Certification Guidelines, with immediate effect. Furthermore, on November 18, 2022, the State Administration for Market Regulation (SAMR) and the CAC jointly issued the Implementation Rules for Personal Information Protection Certification (Certification Rules). Version 1 of the Certification Guidelines limited certification to cross-border data transfers within a multinational group of companies; Version 2 removes that limitation and expands the scope of certification to all cross-border processing of personal information.
Although certification is voluntary under the Certification Guidelines and the Certification Rules, both encourage companies to adopt the certification mechanism to improve data governance and compliance. The Certification Guidelines provide the basis on which qualified third-party institutions carry out certification of cross-border personal information processing and transfers. The Certification Guidelines and the Certification Rules require a PI Processor to carry out a self-assessment of the impact on personal information protection, to prepare a self-assessment report and to retain that report for three years. The PI Processor and the overseas recipient are also required to enter into a legally binding and enforceable contract governing the cross-border processing. Thereafter, the PI Processor may apply to a third-party certification institution for certification of the processing and cross-border transfer of the personal information. The certification institution assesses the application and, where necessary, conducts technical verification and/or an onsite inspection.
Once granted, the certification is valid for three years. If the PI Processor needs to update the certification (for example, because its name or registered address, the certification requirements or the certification scope change), it must apply within the six months before the existing certification expires.
Standard Contract
The CAC released the final version of the Measures on the Standard Contract for the Cross-border Transfer of Personal Information (Standard Contract Measures) on February 24, 2023, together with a template Standard Contract. The Standard Contract Measures take effect on June 1, 2023, but provide a six-month grace period until December 1, 2023, to give companies time to bring into compliance cross-border transfers of personal information that occurred prior to June 1, 2023.
Under the Standard Contract Measures, a PI Processor may use the Standard Contract approach to comply with the cross-border transfer requirements of the PIPL only if it satisfies all four of the conditions below:
The Standard Contract Measures explicitly prohibit a PI Processor from circumventing the Mandatory CAC Security Assessment by “breaking down” the amount of personal information concerned. Also, the measures require a PI Processor to enter into contracts with overseas recipients “strictly in accordance with the Standard Contract,” and any additional provisions agreed by the parties shall not contradict the Standard Contract.
As with the self-assessment required by the Certification Guidelines and the Certification Rules, before transferring personal information overseas the PI Processor must conduct a personal information protection impact assessment (PIPIA) and prepare a report, which must be retained for at least three years. The PI Processor must file (i) the executed Standard Contract and (ii) the PIPIA report with the provincial-level counterpart of the CAC within 10 working days after the Standard Contract comes into effect. The Standard Contract is governed by the law of the PRC.
Other Key Requirements on Cross-border Transfer of Personal Information
Conclusion
Multinational companies with business and operations in and with China should consider taking the following compliance actions to facilitate cross-border data transfers in the course of their business:
Monitor China’s legislation and enforcement developments and update data-related documentation accordingly.