FAQ for China Cross Border Data Transfer (Part 1) - SEP 2023
#Data Security by ED03
Uploading Date: 2023-09-29 19:04:48
As the most important supporting regulation of the "Personal Information Protection Law," the "Measures for Security Assessment of Cross-Border Data Transfer" (the "Measures") officially came into effect on September 1, 2022. Article 20 of the "Measures" provides a six-month grace period for enterprises that have already engaged in cross-border data activities. This means that relevant enterprises should complete rectification by March 1 of this year (the "deadline"). Enterprises that have not yet triggered the obligation to declare a security assessment can also choose to do so. Considering that the deadline is approaching, we have selected ten questions worth attention for enterprises, drawing on the confusion some enterprises have encountered during the assessment and on our practical experience, and provided answers. We hope this will be helpful for enterprises concerned about the security assessment of cross-border data transfer.



Q1: How can an enterprise determine if it needs to apply for a security assessment for cross-border data transfer?

Answer: Enterprises should primarily refer to Article 4 of the Measures and assess based on their own business situation. Specifically, if an enterprise falls into any of the following situations, it is obliged to complete the declaration of the security assessment of cross-border data transfer within the specified time frame: the enterprise processes personal information of over one million individuals and provides such information to overseas parties; the enterprise is an operator of critical information infrastructure ("CIIO") and provides personal information to overseas parties; the enterprise has provided personal information to overseas parties one million times in two years; the enterprise has provided sensitive personal information to overseas parties ten thousand times in two years; or the enterprise provides important data to overseas parties.

Of course, the methods for determining each of these situations and the actual process of conducting self-assessment may vary. For example, in the case of CIIO, in practice it is often confirmed based on whether the competent authority has issued a notice, combined with self-assessment. For enterprises that handle personal information of one million individuals, even if there is only a small amount of cross-border data transfer (such as employee data transfer), according to the provisions of the Measures they should still apply for a security assessment. Regarding important data, except for a few industries (such as automobiles and surveying), most industries do not have specific regulations or guidelines for determining whether data constitutes important data. In the process of conducting self-assessment, when determining whether the data being transmitted across borders constitutes important data, enterprises often need to combine the definition of important data with a self-assessment of the potential damage that would result from a leak of that data.

Regarding personal information, according to the response we obtained from the Cyberspace Administration of China ("CAC"), when an enterprise assesses the volume of cross-border personal information or sensitive personal information over the past two years, it needs to estimate the total number of cross-border individuals based on various business scenarios in the past two years. This is used to determine whether it triggers the obligation to declare a security assessment. Specifically, let's assume that an enterprise's volume of cross-border personal information in 2021 and 2022 is 50,000 individuals each year. By early 2023, after interpreting the regulations, the enterprise believes that from January 1 of the previous year (2022) to 2023, the volume of personal information it transmitted across borders did not exceed 100,000 individuals, so it chooses not to apply for a security assessment. However, according to regulatory requirements, the aforementioned determination is considered a misinterpretation of "avoiding" the statutory obligation to declare and is not compliant. When determining whether the conditions for triggering the declaration of a security assessment for cross-border data transfer are met (i.e., two years with 100,000 individuals' worth of personal information or 10,000 individuals' worth of sensitive personal information), enterprises should estimate the total volume of cross-border personal information based on the actual business conducted in the past two years. For example, when assessing whether a security assessment for cross-border data transfer is required in 2023, the correct method is to estimate whether the enterprise triggers the obligation to declare a security assessment based on the total number of cross-border individuals or sensitive personal information over the complete two-year period from 2021 to 2022.


Q2: When enterprises apply for a security assessment of cross-border data transfer, they should follow the guidance provided in the "Guidelines for Filing Security Assessments of Cross-Border Data Transfer (First Edition)" and its attachments.

Answer: We understand that for the outbound transfer of personal information, it is feasible for domestic data processors and foreign data recipients to sign the "Standard Contract for Outbound Transfer of Personal Information" released by the Cyberspace Administration of China (CAC) to meet the requirements of the Measures for a "legal document". This approach is practical because both the Measures and the Standard Contract are issued by the CAC, providing regulatory consistency. Upon careful examination of Article 9 of the Measures and the clauses of the Standard Contract, it is evident that most of the requirements in Article 9 of the Measures are covered by the terms of the Standard Contract. However, certain aspects of Article 9(1) and 9(4) of the Measures are not explicitly reflected in the template clauses of the Standard Contract. In such cases, data processors and foreign recipients should supplement and specify these relevant clauses by adding them as appendices during the process of signing the Standard Contract for Outbound Transfer of Personal Information.


Q3: How should we understand the relationship between the requirements of the "Measures" regarding "legal documents" and the Appendix "Standard Contract for Cross-Border Data Transfer of Personal Information" in the "Provisions on the Standard Contract for Cross-Border Data Transfer of Personal Information (Draft for Solicitation of Comments)"?

Answer: We understand that for the cross-border transfer of personal information, domestic data handlers and overseas data recipients sign the "Standard Contract for Cross-Border Data Transfer of Personal Information" released by the Cyberspace Administration of China (CAC) to meet the "legal documents" requirement of the "Measures." This approach is practical because both the "Measures" and the "Standard Contract for Cross-Border Data Transfer of Personal Information" are issued by the CAC. From the perspective of regulatory authorities, this approach is consistent. By carefully reviewing Article 9 of the "Measures" and the clauses of the "Standard Contract for Cross-Border Data Transfer of Personal Information," it is not difficult to see that most of the requirements in Article 9 of the "Measures" are covered by the clauses specified in the "Standard Contract for Cross-Border Data Transfer of Personal Information." However, some content from Article 9(1) and 9(4) of the "Measures" is not reflected in the template clauses of the "Standard Contract for Cross-Border Data Transfer of Personal Information." Therefore, data handlers and overseas recipients should add relevant clauses and make supplementary agreements in the process of signing the "Standard Contract for Cross-Border Data Transfer of Personal Information."



If you want to get more help on China Cross Border Data Transfer, please contact assisitant@bestao-consulting.com
