New regulations related to the cross-border transfer of personal information

29.07.2022

(Author: Mrs. Mao Yahui)

 

During the last 30 days, three important regulations related to the cross-border transfer of personal information have been released. These regulations further specify the requirements for cross-border transfer according to Art. 38 of the Chinese Personal Information Protection Law (the “PIPL”). Only if at least one of the following three pre-conditions is fulfilled, companies are allowed to transfer personal data abroad:

 

1.    A security assessment organized by the Cyberspace Administration of China (the “CAC”) has been passed,
2.    A certification by a specialized agency has been done in accordance with the provisions of the CAC, and
3.    A standard contract formulated by the CAC has been concluded with the foreign recipient. 

 

Companies cannot select freely between the different options.

 

1.    Security Assessment 

 

Some companies have to pass a security assessment before they transfer personal information abroad. On July 7th, 2022, the CAC has released Security Assessment Measures for Outbound Data Transfers (the “Measures”), which shall come into force on September 1st, 2022. It specifies the threshold, the general procedures, the documents and the grace period for the security assessment. 

 

1.1    Threshold

 

The Measures specify that companies need to pass the security assessment under the following circumstances:

 

  • where a data processor provides critical data abroad. In general, the term critical data refers to the data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and security, etc.
  • where a key information infrastructure operator or a data processor processing personal information of more than one million individuals provides personal information abroad. This number refers to the amount of data processed in China and not to the amount of data transferred abroad. With this criterion, the Measures want to cover all major data processors in China regardless of the amount of data transferred aboard. 
  • where a data processor has provided personal information of 100,000 individuals or sensitive personal information of 10,000 individuals in total abroad since January 1 of the previous year. In this criterion of the Measures, the numbers mentioned actually refer to the amount of data transferred abroad. 
  • other circumstances prescribed by the CAC for which declaration for security assessment for outbound data transfers is required.
     

1.2    General procedures

 

The local CAC will be responsible for accepting the documents from companies, but the national CAC will be responsible for the assessment and issue the result. 
For specific procedures, please check the illustration as below. 

1.3   Documents 

 

In case a security assessment is required, the following documents shall be prepared and submitted to the local CAC at provincial level:

 

  • A declaration form
  • Self- assessment report on the risks of the outbound data transfer
  • The legal documents to be concluded by the data processor and the overseas recipient
  • Other materials necessary for security assessment.
     

1.4    Grace-period 

 

There is a six-month grace period since the effectiveness of the new regulation. This means companies reaching the thresholds mentioned above shall complete the security assessment latest until March 2023. However, the exact time period (year 2021 or 2022?) to be covered by the first report is not 100% clear. However, with regard to risk minimization companies should be prepared to submit data from January 1st, 2021 onwards.
Moreover, the results are valid for two years, commencing from the date when the results are issued, and companies need to declare anew assessment 60 working days before the expiry of the results if such cross-border transfer continues.

Therefore, companies should calculate and keep track of the amount of personal information it has processed locally and transferred abroad since January 2021 in order to evaluate whether a security assessment is required, and complete the assessment in time if necessary.
 

 

2.    Certification 

 

In addition, companies are allowed to transfer personal data abroad in case they are certified by a special agency. On June 24, 2022, the National Information Security Standardization Technical Committee (TC 260) has issued the Practice Guidelines for Cyber Security Standards—Security Certification Specifications for Cross-Border Processing of Personal Information, which set out the rules for the certification to be conducted by agencies for personal information protection. It defines the application scope of the certification, basic requirements, and responsibilities and obligations of companies.   

 

2.1    Scope

 

Certification can be adopted for the following limited scenarios: 

 

  • Cross-border processing activities of personal information between multinational companies or subsidiaries or affiliated companies of the same economic or business entity; or 
  • Companies, as defined in Art. 3.2 PIPL, processing personal information of Chinese individuals outside the territory of the People's Republic of China.
     

The certification option is not available to companies that are subject to a security assessment (see above No. 1). Actually, according to our understanding, the certification is the only option for foreign processors (Art. 3.2 PIPL), who do not have a subsidiary in China and thus cannot conclude a standard contract (see below No.3). For big multinationals with numerous subsidiaries, branches in China, certification may be a good option to save repetitive filings and documents to some extent compared to a standard contract.  

 

2.2    Basic requirements 

 

There are several basic requirements to be fulfilled by companies before they can be certified , e.g. designating a Data Protection Officer (DPO), establishing personal information protection department to fulfill the obligations of personal information protection, formulating the processing rules for cross-border data transfer. 

 

2.3    List of agencies

 

The list of qualified certification agencies has not been published yet. It is also unclear how the agency works together with the CAC. Therefore, certification is not a feasible option for cross-border data transfer at this stage. 

 

 

3.    Standard Contract 

 

On June 30th, 2022 the CAC released the Draft Standard Contractual Provisions for Cross-border Personal Information Transfer (the “Provisions”), including the annex of the draft standard contract. 

 

3.1    Scope 

 

Companies may provide personal information abroad by entering into the standard contract with the foreign recipient. This option is available to all data processors and therefore has the broadest application scope. Again, this option is not available for companies that are subject to a security assessment (see above No. 1). 

 

3.2    Impact assessment on personal information protection

 

Pursuant to Art. 55 PIPL, the Provisions further clarify the main content of the impact assessment that companies need to do before the cross-border transfer, such as lawfulness, legitimacy and necessity of the cross-border transfer, the obligations and responsibilities to be undertaken by the overseas recipient as promised etc.

 

 3.3    Content of the standard contract 

 

According to Art. 6 of the Provisions, a standard contract shall include the following content: the purpose, scope, type, sensitivity, quantity, method, storage period, storage place, the responsibilities and obligations, the technical and management measures to prevent possible security risks, the impact of the policies and regulations of the country or region where the overseas recipient is located on the compliance with the terms of the contract, etc.

 

3.4    Filing requirement 

 

In addition, companies should file the standard contract and the impact assessment report with the local CAC within ten working days after the effective date of the standard contract. 

 

 

4.    Conclusion 

 

As mentioned above, each regulation provides some long-awaited specific interpretations or requirements for cross-border data transfer (see the annex). Nevertheless, the system is not ready for practical implementation as the standard contract is not finalized yet and the list of certification agencies has not been published. However, we believe that such blanks will be made up piece by piece in the near future. Anyway, we will always keep you updated and please do not hesitate to contact us if you are interested in any of those topics and we are excited to discuss it with you!

 

 

Annex