China Clarifies Cross Border Data Transfer Rules
In November 2021, China introduced their core personal data protection regulations: the Personal Information Protection Law (PIPL). The PIPL applies to personal information, which is information that may be used to identify natural persons.
Article 73 of the PIPL uses the term “personal information processing entity” to refer to an “organisation or individual that independently determines the purposes and means for processing of personal information”. This is comparable to the Data Controller role recognised under the General Data Protection Regulation (GDPR).
When conducting an international data transfer outside of China, a processing entity is required to:
- provide individuals with certain specific information about the transfers and obtain separate expressed consent (Article 39);
- adopt the necessary precautions to ensure that the overseas recipients can provide the same level of protection as required under the PIPL (Article 38); and
- carry out a personal information protection impact assessment (Article 55).
Aside from the three prior requirements, Article 38 of the PIPL establishes the three transfer mechanisms that processing entities may use to facilitate the transfer of information outside of China. These three methods are as follows:
- security assessment,
- standard contractual clauses, and
Which mechanism is to be used is dependent on the status of the processing entity.
Critical information infrastructure operators (CIIOs), and others processing a significant volume of personal information, are obliged to undergo the security assessment administered by the Cyberspace Administration of China. The process is described in the Rules for the Security Assessment for Cross-Border Data Transfer, published on 7 July 2022, and which will come into effect on 1 September 2022.
If a processing entity is not a CIIO but meets either of the two following “volume” requirements, it must also undergo the security assessment:
- The processing of over one million individuals personal data; or
- The transfer of more than 100,000 individuals personal data abroad, or transferred more than 10,000 individuals sensitive personal data abroad.
Sensitive personal data is defined by Article 28 of the PIPL as “personal information that, once leaked, or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, specially-designated status, medical health information, financial accounts, information on individuals’ whereabouts, as well as personal information of minors under the age of 14”.
Non-CIIOs that do not meet the thresholds as set out in these Rules are not obligated to undergo a security assessment, but must choose one of the following lawful transfer mechanisms:
- Obtaining a personal information protection certification issued by a professional institution in accordance with rules specified by the Cyberspace Administration of China (CAC).
- Entering into agreement based on Standard Contractual Clauses (SCCs) stipulated by the CAC with the data recipient outside China.
Security Assessment process update
On 7 July 2022, the CAC published the Rules for the Security Assessment for Cross-Border Data Transfer (the Rules). The Cyber Security Law (2017), Data Security Law (2021), and Personal Information Protection Law (2021) all require companies to undergo a security assessment in specific scenarios. The recently published Rules have now codified the security assessment requirements under all three fundamental data protection laws.
A processing entity that transfers important data out of China is also subject to the security assessment requirement, however “important data” is yet to be defined by legislation.
Article 8 of the Rules lays out the criteria the security assessment focuses on, including: the legitimacy and necessity of the purpose and method of the cross-border transfer; the level of protection offered to the transferred data under local laws and the recipient’s policies; the amount, type and sensitivity of the data, as well as risks of leakage, loss or illegal access during and after the transfer; and the adequacy of the agreement between the data processing entity and oversea data recipient.
Security Assessment procedure
Article 6 of the rules requires data processing entities to submit the following materials when aplying for the security assessment for cross-broder data transfer:
- Application form.
- Self-assessment report.
- The agreement to be entered into between the data processing entity and overseas recipient or legally binding documents.
- Other materials required for the security assessment.
Standard Contracts (SCs)
The CAC issued the draft “Regulations of Standard Contracts for Cross-border Transfer of Personal Information,” on 30 June 2022. These regulations are in the public draft phase of legislative drafting, and there may be significant changes prior to the finalisation of the SCs. Although the SCs have some similarities with the GDPR SCCs, China’s SCs maintain some significant Chinese characteristics, such as application scope, governmental filing obligations, governing law, and dispute resolution clauses.
Article 38.3 of the PIPL states that when personal information processing entities need to transfer personal data outside of China, the final transfer mechanism is to obtain a “personal information protection certification” offered by “professional institutions” in accordance with CAC rules. As with the standard contractual clauses, the CAC is working on guidance on the process of obtaining a personal information protection certification, but draft regulations have been issued. There are no insights as to when the CAC will start to provide for the certification of professional institutions, so this mechanism of data transfers is yet to be realised.
Find out more
This article was produced by Edward Sheehan, Legal Manager and CIPM of RsA asia, China, A CELIA Alliance member firm.
For further information or if you have any queries relating to the content of this communication, please contact us.
CELIA Alliance members are identified here. Members of the CELIA Alliance are each independent law firms and do not practice law jointly with any other member of the CELIA Alliance. “CELIA Alliance” and “CELIA” are not trading names. For more information about the CELIA Alliance click here.
Content is for general information purposes only. The information provided is not intended to be comprehensive and it does not constitute or contain legal or other advice. If you require assistance in relation to any issue please seek specific advice relevant to your particular circumstances. In particular, no responsibility shall be accepted by the authors or by Abbiss Cadres LLP for any losses occasioned by reliance on any content appearing on or accessible from this newsletter. For further legal information click here.
Circular 230 disclosure
To ensure compliance with requirements imposed by the IRS and other taxing authorities, we inform you that any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.
If you would like to copy or otherwise reproduce this article then you may do so provided that: (1) any such copy or reproduction is for your own personal use or if it is made available to any third party it is done so on a free of charge basis; and (2) the article is reproduced in full together with the contact details, disclaimer and any logos as they appear on each article.