Principles & compliance advice for China’s data cross-border transfer – JUL 2023
Tags: #Compliance #Data Security
Uploading Date: 2023-07-13 15:50:52


Background

China is putting cross-border data transfers by multinational companies and others under the toughest government oversight ever.

On June 1, 2023, the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information came into effect, requiring certain personal information processors, including companies handling the data of fewer than 1 million individuals, to sign a standard contract with the overseas recipient before sending data abroad.

These new rules are the latest effort by Beijing to tighten its grip over domestic data in the name of national security. This article summarizes the principles of China's data cross-border transfer regime and offers compliance advice to multinational companies.

 

Legislations

The Chinese data protection regime consists of the Cybersecurity Law of the People’s Republic of China (“CSL”), the Data Security Law of the People’s Republic of China (“DSL”), the Personal Information Protection Law of the People’s Republic of China (“PIPL”) and an extensive body of supplementary implementing regulations. It has a degree of extra-territorial effect and imposes comprehensive data protection rules, with corresponding compliance impact, on companies doing business in China; among these rules, the supervision of data cross-border transfers has always been a focus of the regulators. A company that processes the personal information of individuals residing within the territory of China in the course of its business may fall within the regulatory scope regardless of whether it is established in China.

With the official release by the Cyberspace Administration of China (“CAC”) of the Measures on Standard Contract for Cross-border Transfers of Personal Information (“Measures for CN SCCs”), together with its annex, the Standard Contract for Cross-border Transfers of Personal Information (“CN SCCs”), effective as of June 1, 2023; the Measures for the Security Assessment of Data Cross-border Transfer (“Measures for the Security Assessment”), effective as of September 1, 2022; and the Practice Guideline for Cybersecurity Standards - Specification for Security Certification of Cross-Border Transfers of Personal Information V2.0 (“Specification V2.0”), issued by the TC260* on December 16, 2022, the implementing rules for all three data cross-border transfer mechanisms in China, i.e., the CAC Security Assessment, the CN SCCs and the Certification, are now settled.


* TC260 = National Information Security Standardization Technical Committee of China



Key points

CAC Security Assessment  (Effective as of Sep 1, 2022)

Applicable scope (personal information and Important Data). The CAC Security Assessment is triggered by the cross-border transfer of:

·       Important Data;

·       Personal Information (“PI”) by Critical Information Infrastructure Operators (“CIIOs”), or by data processors processing the PI of more than 1 million individuals;

·       PI of 100,000 individuals or sensitive PI of 10,000 individuals, counted cumulatively since January 1 of the previous year; or

·       other circumstances prescribed by the CAC. (Art.4, the Measures for the Security Assessment)

Basic obligations

·       Risk assessment required: a self-assessment of the risks of the data cross-border transfer must be conducted before filing for the CAC Security Assessment (Art.5, Art.8 of the Measures). The self-assessment report shall be prepared strictly in accordance with the CAC template in the Data Cross-border Transfer Security Assessment Filing Guide (1st edition);

·       A data processing agreement (the legally binding document) shall be concluded between the data processor and the overseas recipient, and the relevant materials submitted for filing as required. (Art.6, the Measures)

When do the transfers become compliant?

·       Once the CAC confirms that the Security Assessment has been passed. The assessment result is valid for 2 years unless a re-filing is required. (Art.14, the Measures)

Legal  reference

CSL Art.37; DSL Art.31; PIPL Art.36, 38 and 40; Measures for the Security Assessment of Data Cross-border Transfer, effective as of Sep 1, 2022

 

CN SCCs (Effective as of Jun 1, 2023)

Applicable scope (Personal information only)

All of the following cumulative criteria shall be met:

·       the data processor is not a CIIO;

·       it processes the PI of fewer than 1 million individuals;

·       it has not transferred overseas the PI of 100,000 individuals or more, counted cumulatively since January 1 of the previous year; and

·       it has not transferred overseas the sensitive PI of 10,000 individuals or more, counted cumulatively since January 1 of the previous year.

Other circumstances prescribed by the CAC may also apply. (Art.4, the Measures for CN SCCs)

Basic obligations

·       Personal information protection impact assessment (“PIA”) required: the PIA report shall be prepared in strict accordance with the template in the Filing Guide for Standard Contract for Cross-border Transfer of Personal Information (1st edition) issued by the CAC. (Art.5, the Measures for CN SCCs)

·       Filing required: within ten working days after the CN SCCs take effect, the concluded CN SCCs and the PIA report shall be filed with the cyberspace administration at the provincial level. (Art.7, the Measures for CN SCCs)

When do the transfers become compliant?

The cross-border transfers of PI at issue may be carried out only once the concluded CN SCCs have entered into force; the subsequent filing allows the CAC to verify those transfers from a supervisory perspective. (Art.6, the Measures for CN SCCs)

Comparison with EU SCCs

·       The CN SCCs do not distinguish between processing relationships in the text (there is no equivalent of the EU modules for controller-to-controller or controller-to-processor transfers);

·       They specify that the contract shall be concluded between a PI Processor (the PIPL term closest to a controller under the GDPR) and the overseas recipient.

Legal reference

PIPL; Measures on Standard Contract for Cross-border Transfers of Personal Information, effective as of Jun 1, 2023, with a 6-month grace period for rectifying transfers already under way when the Measures took effect.

 

Certification (recommendatory guideline)

Applicable scope - (Personal information only)

·       Intra-group cross-border transfer of PI within a multinational company (“MNC”), i.e., among subsidiaries or affiliates of the same business entity; in this scenario the Chinese entity of the MNC may be the certified entity and bear the legal liability; or

·       Extra-territorial application of the PIPL pursuant to Art.3.2 of the Law; in this scenario the specialized agency or designated representative established in China by the overseas entity subject to the PIPL under Art.3.2 may be the certified entity and bear the related legal liability. (Art.2, the Specification V2.0)

Basic obligations

·       Legally binding data processing agreements;

·       Organizational management (appointment of a DPO, a PI protection organization, etc.);

·       Rules for cross-border transfers binding on both the PI processor and the overseas recipient;

·       A PIA that covers, in addition to the risks of the cross-border transfer itself, the data protection legislation of the recipient's country, including government access requests, etc.;

·       Effective response to data subject requests, providing substantive protection of data subject rights. (Art.5, Art.6, the Specification V2.0)

When do the transfers become compliant?

·       Once certification has been granted by a qualified certification body; the certificate is valid for 3 years.

Legal reference

PIPL; Practice Guideline for Cybersecurity Standards - Specification for Security Certification of Cross-Border Transfers of Personal Information V2.0 by the TC260


FAQs

What is “cross-border transfer”?

Data cross-border transfer refers to Important Data or PI collected and generated by a data processor during its operations within the territory of China being transferred overseas, or being accessed by overseas institutions, organizations or individuals. Key points:

• Data type: Important Data or PI collected and generated in domestic operations;

• Method: both physical transfer and remote access from abroad count as a transfer;

• “Overseas”: any country or region outside Mainland China; for this purpose Hong Kong SAR, Macao SAR and Taiwan are treated as overseas;

• Parties: the data exporter discloses by transmission, or otherwise makes available, the data subject to the processing to the data importer.

How to understand the “threshold”?

• 1 million, “data processors processing PI over 1 million individuals”: this is the overall volume of PI processed by the data processor, including the data of customers, users, employees, etc. For corporate groups, it is generally understood that the number of individuals is counted separately for each entity.

• 100,000 and 10,000, “cross-border transfer of PI of 100,000 individuals or sensitive PI of 10,000 individuals accumulatively since January 1 of the previous year”: if the same data processor provides PI to several different recipients, the volumes are understood to be added together.

What about data localization?

• On one hand, CIIOs are subject to localization requirements for PI and Important Data collected and generated during their operations within the territory of the People's Republic of China, and shall pass the CAC Security Assessment where it is truly necessary to provide such data overseas for business purposes.

• On the other hand, under the current laws and regulations there is no necessary correspondence between the CAC Security Assessment and data localization. According to consultation with the CAC, a company that triggers the CAC Security Assessment shall file as required, and its data cross-border transfers may only be carried out lawfully after the Security Assessment has been passed; filing for the Security Assessment does not, in itself, impose a data localization requirement.

• Nor does the processing of Important Data by a data processor necessarily trigger a localization requirement, unless otherwise stipulated by laws and regulations such as the Several Provisions on Automotive Data Security Management (for Trial Implementation) for the automotive sector and the rules of other regulated sectors.

What is the relationship between the binding legal documents and the CN SCCs?

The binding legal documents required under the CAC Security Assessment and the Certification differ in legal nature from the CN SCCs, which are themselves one of the cross-border transfer mechanisms under the PIPL. In the context of data cross-border transfer, the CN SCCs may overlap with those legal documents in their value orientation and in certain content protecting the rights and interests of data subjects. Note, however, that the legal documents under the Assessment may cover the protection of Important Data, which is not addressed in the text of the CN SCCs.

CN SCCs or Certification: which one?

The Certification is a comparatively long-term mechanism for regular data transfers, especially intra-group processing activities, and can be regarded as a relatively stable and continuous mechanism. To a certain extent it resembles the binding corporate rules (“BCRs”) under the GDPR, sharing requirements such as legally binding agreements, organizational management and rules for cross-border transfers. The CN SCCs, by contrast, are a more flexible transfer tool, suited to relatively short-term or temporary cross-border transfers, or to continuous transfers with a variety of business partners based on relatively simple and clear processing purposes.

 

Compliance advice

1. Overall strategy for data cross-border transfers

Stringent regulation of data cross-border transfers will remain a continuous supervision focus. Now that the fundamental laws and the supplementary rules have been settled for implementation, it is time for companies to develop an overall strategy. On the applicability of the Chinese data protection regime to the transfers at issue, note that, because of the extra-territorial effect of the related legislation, a company that processes the personal information of individuals residing within the territory of China in the course of its business may fall within the regulatory scope regardless of whether it is established in China.

2. Data inventory and identification of data cross-border transfer scenarios

Carry out a data inventory across the various business scenarios, covering the volume, scope, type and sensitivity of the PI transferred, the purpose and method of the cross-border transfers, the overseas systems involved, etc. Conduct a self-check against the high-risk points, such as the identification of Important Data and the determination of CII status, giving priority to business lines with more than 1 million users or with Important Data.

3. Choose the cross-border transfer mechanism

Choose the appropriate cross-border transfer mechanism as stipulated by the laws closely based on the factual situations of the processing at question and company operations.

4. Risk assessment and rectification

A self-assessment of the risks of cross-border transfers is required under all three transfer mechanisms:

·       Conduct the self-assessment of the risks of the data cross-border transfers (before any rectification);

·       Carry out rectification accordingly, covering legal bases, compliance management, technical and organizational measures, compliance policies, data processing agreements, etc.;

·       Repeat the self-assessment after rectification, taking into account the status quo of the business and of the compliance controls following rectification.

 

5. Implementation of the selected cross-border transfer mechanism

·       File for the CAC Security Assessment;

·       Conclude the CN SCCs and file accordingly; or

·       Apply for Security Certification of Cross-Border Transfers of Personal Information.

 

For more information on China data cross-border transfers, BESTAO's team of professional experts can assist you with compliance.



edited - Alice CHEN
