The PIPL provides three legal mechanisms for a personal information processor (PI Processor) in the mainland PRC to transfer personal information outside mainland China. (See our detailed analysis of the PIPL here).
Those legal mechanisms include:
- Undergoing a mandatory security assessment (Mandatory CAC Security Assessment) under the administration of the Cyberspace Administration of China (CAC);
- Obtaining a personal information protection certification from a CAC-recognized professional institution (Third Party Security Certification); or
- Entering into a standard contract with overseas recipients for sharing/transferring personal information (Standard Contract).
Where the cross-border data transfer activities do not trigger the Mandatory CAC Security Assessment, PI Processors may choose either Third Party Security Certification or Standard Contract as a mechanism to transfer personal information overseas.
However, because the CAC has not yet named the professional certification institutions or published the details of the Third Party Security Certification procedure, the Standard Contract mechanism is likely to be the more practical route for multinational companies whose transfers do not trigger the Mandatory CAC Security Assessment.
We outline below the circumstances in which each of the above mechanisms would apply and discuss the compliance actions that multinational companies should consider taking from a practical perspective.
Mandatory CAC Security Assessment
On July 7, 2022, the CAC released the final version of the Measures on Security Assessment for Data Export (Security Assessment Measures). On August 31, 2022, the CAC issued the Guidelines on Application for Security Assessment of Cross-Border Data Transfers (1st Edition) (Security Assessment Guidelines). Both came into effect on September 1, 2022. According to the Security Assessment Measures and Security Assessment Guidelines, a Mandatory CAC Security Assessment applies to cross-border data transfers in any of the following circumstances:
- When a data processor in China transfers “important data” outside China;
- When a critical information infrastructure (CII) operator in China transfers personal information outside China;
- When a data processor in China that processes personal information of one million or more individuals transfers personal information outside China;
- When a data processor in China who, since January 1 of the previous year, has cumulatively transferred personal information of more than 100,000 individuals or has cumulatively transferred sensitive personal information of more than 10,000 individuals, transfers personal information outside China; or
- Other situations requiring security assessment in accordance with PRC laws and regulations.
“Important data” is defined as “data that may endanger national security, economic operation, social stability, public health and safety once it is tampered with, destroyed, leaked, or illegally obtained or used.” The concept of important data was first introduced in the Cybersecurity Law (CSL), under which network operators in China are required to categorize data and formulate backup and encryption measures for the protection of “important data.” The Data Security Law (DSL) further provides that China will establish a data categorization and classification system and that Chinese authorities will formulate a catalog of “important data.” To date, no such catalog has been made public. It is expected that industry regulators will play a key role in defining and categorizing “important data” within each industry and will formulate industry rules or provide administrative guidance on identifying it.
“CII” refers to important network facilities and information systems in important industries and fields, such as public communication and information services, energy, transportation, water resources, finance, public services, e-government affairs, and science, technology and industry for national defense, as well as other important network facilities and information systems whose destruction, loss of function or data leakage may seriously endanger national security, people’s livelihoods and public interests. On July 30, 2021, the State Council released the Regulation on Protection of Security of Critical Information Infrastructure, under which the industry regulators supervising the industries and fields listed above are to formulate their own rules for identifying CIIs within their respective industries.
In practice, the regulatory authority supervising each industry identifies the business operators in that industry that are designated as CIIs and notifies them. Multinational companies may consult their respective industry regulators on whether they are categorized as CII operators. In general, a company that has not been notified by its industry regulator that it is a CII operator is likely not a CII operator at this stage. However, because a company’s business and size change over time and the industry regulators may update their rules, we recommend that companies keep monitoring changes to the definition of CII and to the designation criteria.
Third Party Security Certification
China’s National Information Security Standardization Technical Committee issued Version 1 of the Security Certification Specifications for Handling Cross-Border Transfer of Personal Information (Certification Guidelines) on June 24, 2022. On November 18, 2022, the State Administration for Market Regulation (SAMR) and the CAC jointly issued the Implementation Rules for Personal Information Protection Certification (Certification Rules). Less than six months after Version 1, Version 2.0 of the Certification Guidelines followed on December 16, 2022, with immediate effect. Version 1 limited the certification to cross-border transfers within a multinational group; Version 2.0 removes that limitation and extends the certification to all cross-border processing of personal information.
Although certification is voluntary under the Certification Guidelines and Certification Rules, both encourage companies to adopt the certification mechanism to improve data governance and compliance. The Certification Guidelines provide the basis on which qualified third-party institutions carry out certifications of cross-border personal information processing. The Certification Guidelines and Certification Rules require a PI Processor to conduct a self-assessment of the impact on personal information protection, to prepare a self-assessment report and to retain that report for three years. The PI Processor and the overseas recipient must also enter into a legally binding and enforceable contract governing the cross-border processing. The PI Processor may then apply to a third-party certification institution for certification of the processing and cross-border transfer of the personal information. The certification institution assesses the application and, where necessary, conducts technical verification and/or an on-site inspection.
Once granted, a certification is valid for three years. A PI Processor that wishes to renew the certification, or to update it where its name, registered address, certification requirements or certification scope change, must apply within the six months before the existing certification expires.
Standard Contract
On February 24, 2023, the CAC released the final version of the Measures on the Standard Contract for the Cross-border Transfer of Personal Information (Standard Contract Measures), which include a template Standard Contract. The Measures take effect on June 1, 2023, with a six-month grace period until December 1, 2023, during which companies must bring into compliance any cross-border transfers of personal information that began before June 1, 2023.
Under the Standard Contract Measures, a PI Processor may rely on the Standard Contract to satisfy the PIPL’s cross-border transfer requirements only if it meets all four of the following conditions:
- It is not a CII operator;
- It processes personal information of fewer than one million individuals;
- It has cumulatively transferred personal information of fewer than 100,000 individuals overseas since January 1 of the previous year; and
- It has cumulatively transferred sensitive personal information of fewer than 10,000 individuals overseas since January 1 of the previous year.
The Standard Contract Measures explicitly prohibit a PI Processor from circumventing the Mandatory CAC Security Assessment by “breaking down” the volume of personal information transferred, for example by splitting one transfer across several smaller ones. The Measures also require a PI Processor to contract with overseas recipients “strictly in accordance with the Standard Contract”; any additional provisions the parties agree must not contradict it.
As with the self-assessment required by the Certification Guidelines and Certification Rules, before transferring personal information overseas the PI Processor must conduct a personal information protection impact assessment (PIPIA) and prepare a report, which must be retained for at least three years. Within 10 working days after the Standard Contract takes effect, the PI Processor must file (i) the executed Standard Contract and (ii) the PIPIA report with the provincial-level counterpart of the CAC. The Standard Contract is governed by PRC law.
Other Key Requirements on Cross-border Transfer of Personal Information
- Separate Consent: One point that remains to be clarified in enforcement practice is the scope of separate consent. The PIPL explicitly requires separate consent for cross-border transfers, but the template Standard Contract attached to the Standard Contract Measures requires separate consent from the individual only where the legal basis for processing is the individual’s consent. Where the transfer rests on another legal basis, such as performance of a contract to which the individual is a party, necessity for human resources management, or performance of statutory duties or obligations, the template Standard Contract imposes no obligation on the PI Processor to obtain separate consent for the cross-border transfer. How the authorities will apply this provision in practice remains to be seen.
- Cross-Border Transfer in Response to an Investigation or Legal Action in a Foreign Jurisdiction: Article 36 of the DSL provides that data stored within China shall not be provided to foreign judicial or law enforcement authorities without the approval of the competent Chinese authorities. This restriction applies to all types of data. Article 41 of the PIPL contains a parallel provision prohibiting the transfer of personal information to foreign judicial or law enforcement authorities without the approval of a designated Chinese authority. Neither the DSL nor the PIPL provides further detail on the scope of this restriction or the mechanics of seeking approval.
Multinational companies with business and operations in and with China should consider the following compliance actions to support cross-border data transfers in the course of their operations:
- Undergo self-assessment to evaluate if a proposed cross-border data transfer is subject to the Mandatory CAC Security Assessment;
- Seek professional assistance in preparing the relevant documentation for cross-border transfer, e.g., a cross-border data transfer agreement and self-assessment report;
- Develop consent mechanisms for data collection and processing and formulate privacy notices and consent forms to ensure requisite consents are obtained for the data processing and cross-border transfer;
- Establish a self-assessment protocol and the supporting procedures and records;
- Designate qualified data protection personnel in China and organize internal training to familiarize employees with the relevant compliance requirements;
- Establish risk mitigation and reporting mechanisms for data breaches and other data-related risks; and
- Monitor China’s legislative and enforcement developments and update data-related documentation accordingly.