Business Law

Cross-Border Data Transfer Mechanism in China and Its Compliance


Qian Sun[1]

The 2016 Cybersecurity Law (“CSL”) is the first top-level legislation imposing a data localization requirement on the operators of critical information infrastructure (“CII”) in China. Article 37 of the 2016 CSL provides that personal information and important data generated during the CII operation must be stored within China. CII operators, however, may transfer these types of data abroad upon the successful completion of a security assessment and compliance with other requirements of laws and regulations.[2] The 2021 Personal Information Protection Law (“PIPL”) establishes a framework for personal information (“PI”) cross-border transfers.[3] It extends the application scope beyond just CII operators to those companies that process personal information exceeding an amount threshold designated by the Cyberspace Administration of China (“CAC”) and specifies the conditions for personal information export by other general companies that do not fall under the above categories.

In addition to the data localization requirement for CII operators as provided by the 2016 CSL, other processors that process a certain amount of personal information exceeding the volume threshold established by the CAC must store within China the personal information produced or collected in China. They must not transfer such personal information to any foreign countries unless they pass a security assessment organized by the CAC or the law or regulation provides otherwise (Article 40).[4]

To transfer personal information abroad, processors shall meet one of the following conditions:

  • Pass a security assessment organized by the CAC.
  • Obtain personal information protection certification from a professional organization designated by the CAC. 
  • Enter into a standard contract to be formulated by the CAC with the foreign recipient to specify the rights and obligations of both parties. 
  • Carry out the provisions in international treaties or agreements that China has concluded or acceded to, where they have specified the conditions on transferring personal information outside China (Article 38).[5]

In addition to the above conditions, all cross-border transfers must also satisfy a necessity test (that is, the transfer must be necessary for legitimate business or other needs), and exporters must:

  • Take necessary measures to ensure that the personal information processing by the foreign recipient complies with standards comparable to those set out under the PIPL (Article 38).[6] 
  • Inform the individual of the name and contact information of the foreign recipient, processing purpose and method, types of personal information to be transferred, and the way and procedure for the individual to exercise the rights prescribed by the PIPL to the foreign recipient (Article 39).[7]
  • Obtain separate consent from the individual (Article 39).[8] 

Processors must not provide personal information stored in China to foreign judicial or law enforcement authorities, unless otherwise approved by the Chinese regulatory authority in accordance with the applicable Chinese law, the international conventions or bilateral treaties signed by China, or on a reciprocal basis (Article 41).[9] This aligns with the requirements under Article 36 of the 2021 Data Security Law (“DSL”).[10]

1. Security Assessment

On July 7, 2022, the Cyberspace Administration of China (CAC) issued the Measures on Data Export Security Assessments, effective September 1, 2022. The Measures implement the provisions of the Cybersecurity Law, Data Security Law and Personal Information Protection Law in relation to the scope, procedures, and evaluation criteria for conducting data export security assessments. The Measures apply to security assessments of two categories of data collected and generated during operations in China and transferred abroad by a data processor: important data, that is, data that, once tampered with, destroyed, leaked or illegally obtained or used, could endanger national security, economic operation, social stability, or public health and security; and personal information.[11]

According to Article 4 of the Measures, data processors that fall under any of the following circumstances must apply for an official security assessment through the competent, provincial-level office of the CAC before transferring data overseas:

  • Data processors who transfer important data abroad;
  • Critical information infrastructure (CII) operators or data processors that process the PI of more than one million individuals, who transfer PI abroad; or
  • Data processors who have, since January 1 of the previous year, cumulatively transferred abroad the PI of more than 100,000 individuals or the sensitive PI of more than 10,000 individuals.[12]

Before exporting data, data processors must conduct self-assessments of, and prepare reports on, the risks involved in exporting the relevant data. Applicants for an official security assessment must submit the self-assessment report, together with copies of draft agreements between the data processor and the overseas data recipient and other documents to the relevant CAC office, which must organize and generally complete the assessment within forty-five working days from the date of issuing a written notice of acceptance.[13]

The security assessment procedure focuses on evaluating the risks arising from data exports to national security, the public interest, and the rights and interests of individuals or organizations, including (among others) the legality, legitimacy and necessity of the purpose, scope and method of the data export, the scale, scope, types and sensitivity of the data to be transferred, the risks that the data may be tampered with, destroyed, leaked, lost, transferred, illegally obtained or illegally used, and the data security protection policies and regulatory environment in the region or country to which the data is exported.[14]

In practice, whether a data processor is a CII operator is determined by combining whether it has been notified by the competent department with the processor’s own self-assessment. As for a processor that processes the PI of more than one million individuals, even if only a small amount of data is being exported (such as employee data), under the provisions of the Measures it must still undergo a security assessment. As for important data, except for a few industries, such as automotive, surveying and mapping, most industries do not have special regulations or guidelines for evaluating what constitutes important data. In the course of self-assessment, enterprises therefore often need to combine the statutory definition of important data with the possible harm that a leak of the data could cause in order to judge whether the data to be transferred across borders constitutes important data. It would appear that a wide range of companies would be subject to the requirement to complete a security assessment with the CAC before they transfer personal information out of China.

2. Security Certification

Data processors that are neither CII operators nor processors that process the statutory number of individuals’ personal information may choose to obtain security certification from qualified certification institutions.

On June 24, 2022, the National Information Security Standardization Technical Committee (“TC260”) published the Practice Guideline for Cybersecurity Standards-Security Specification for Cross-border Personal Information Processing Activities (“Certification Specification 1.0”), which provides guidance on the implementation of the Certification and clarifies that this voluntary process may be used in two scenarios:

  • Intra-group data transfer: Cross-border transfers of personal data within a multinational company or between subsidiaries or affiliated companies of the same entity;
  • Cross-border data transfers by foreign PI Processors: Processing of personal information of individuals within the PRC by overseas PI Processors subject to the extraterritorial reach of the PIPL.[15]

Certification Specification 1.0 did not apply to cross-border personal information transfers between unrelated entities. However, less than six months later, on December 16, 2022, TC260 released an updated version of the Practice Guideline for Cybersecurity Standards-Security Specification for Cross-border Personal Information Processing Activities (“Certification Specification 2.0”), which eliminates that limitation and expands the application scope to any “personal information processors who carry out cross-border processing activities.”[16] Certification Specification 2.0 sets out several application requirements, including legally binding documents between personal information processors and overseas recipients in which they undertake civil legal liability for the infringement of personal information rights and interests and clearly agree on the civil legal liability to be borne by each party. As with the security assessment, PI processors must conduct a self-assessment of the impact on PI protection before the cross-border transfer.[17]

After the certification institution evaluates the materials, inspects the applicant’s operations on site, and issues the relevant reports, it will issue a certificate to applicants that meet the certification requirements. The certificate is valid for three years. If the PI processor wishes to renew the certification, it must apply within six months before the existing certification’s expiration.

3. Standard Contractual Clause

On February 24, 2023, the CAC published the Measures on Standard Contracts for the Export of Personal Information, together with the Standard Contract, which takes effect on June 1, 2023.[18] The Measures address one of the three conditions for cross-border transfers of PI under Article 38 of the PIPL. According to Article 4 of the Measures, the Standard Contract is to be used by data processors that meet all of these conditions:

  • Are not CII operators;
  • Process the PI of fewer than one million data subjects;
  • Have exported the PI of fewer than 100,000 individuals since January 1 of the preceding year; and
  • Have exported the sensitive PI of fewer than 10,000 individuals since January 1 of the preceding year.[19]

Before exporting the personal information, a data processor must conduct a personal information transfer impact assessment that addresses: the lawfulness, legitimacy, and necessity of the PI processing activities; the quantity, scope, type, and relative sensitivity of the personal information and the risk to individuals; the responsibilities and obligations of the overseas data recipient; the risk that the personal information, once exported, may be tampered with, damaged, leaked, abused, or otherwise compromised; and the impact of the data protection policies and regulations of the overseas destination on the performance of the Standard Contract.[20] The Measures require the data processor to file the executed Standard Contract and the impact assessment report with the competent, provincial-level CAC office within ten working days after the effective date of the signed Standard Contract, and to execute and refile a new or amended Standard Contract where there is a change in the purpose, scope, types, amount, method, retention period, or storage location of the export or in the overseas recipient’s processing purpose and method, or where there are major changes in the personal information protection laws and regulations of the overseas destination that may affect individuals’ rights and interests.[21]

Before executing the Standard Contract, the exporter (equivalent to a “controller” under the GDPR) needs to carefully assess its current personal information processing activities and decide whether the Standard Contract can be used to satisfy the requirement for outbound data transfer. Processors that are neither CII operators nor above the statutory threshold of processed or exported personal data can benefit from the more streamlined Standard Contract rather than undergoing a mandatory security assessment. The Standard Contract allocates personal data protection obligations between data exporters and data importers in a balanced manner, though exporters may find it difficult to convince importers to accept the provisions on joint and several liability toward data subjects. The Standard Contract may become the most popular mechanism for cross-border data transfer compliance.


[1] Qian Sun is a J.D. and Privacy Law Certificate Candidate for the Class of 2023 at Santa Clara University School of Law.

[2] Translation: Cybersecurity Law of the People’s Republic of China (Effective June 1, 2017), Digital China, Stanford University, https://digichina.stanford.edu/work/translation-cybersecurity-law-of-the-peoples-republic-of-china-effective-june-1-2017/.

[3] Translation: Personal Information Protection Law of the People’s Republic of China – Effective Nov. 1, 2021, Digital China, Stanford University, https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/.

[4] Translation: Personal Information Protection Law of the People’s Republic of China – Effective Nov. 1, 2021, Digital China, Stanford University, https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/.

[5] Id.

[6] Id.

[7] Id.

[8] Id.

[9] Id.

[10] Translation: Data Security Law of the People’s Republic of China (Effective Sept. 1, 2021), Digital China, Stanford University, https://digichina.stanford.edu/work/translation-data-security-law-of-the-peoples-republic-of-china/.

[11] Translation: Outbound Data Transfer Security Assessment Measures (Jul. 7, 2022), Digital China, Stanford University, https://digichina.stanford.edu/work/translation-outbound-data-transfer-security-assessment-measures-effective-sept-1-2022/.

[12] Id.

[13] Id.

[14] Id., Article 8.

[15] Practice Guideline for Cybersecurity Standards-Security Specification for Cross-border Personal Information Processing Activities, Article 1, https://www.tc260.org.cn/upload/2022-06-24/1656064151109035148.pdf (in Chinese).

[16] Practice Guideline for Cybersecurity Standards-Security Specification for Cross-border Personal Information Processing Activities, Article 1, https://www.tc260.org.cn/upload/2022-12-16/1671179931039025340.pdf (in Chinese).

[17] Id., Article 5.

[18] Article 13, Measures on Standard Contracts for the Export of Personal Information, http://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm (in Chinese).

[19] Id., Article 4.

[20] Id., Article 5.

[21] Id., Article 8.

