The long awaited details with respect to cross border data transfer under the China Personal Information Protection Law (PIPL) have very recently been published by the Chinese authorities. The details are set out in three documents:
- final Certification Guidelines for Cross Border Data Transfer (网络安全标准实践指南 – 个人信息跨境处理活动安全认证规范) (“Certification Guidelines”) released on 24 June 2022;
- draft Standard Contractual Clauses Provisions (个人信息出境标准合同规定) (“China SCCs Provisions”) released on 30 June 2022; and
- final Security Assessment Measures for Outbound Data Transfers (数据出境安全评估办法) (“Security Assessment Measures”) released on 7 July 2022.
The PIPL, which came into effect on 1 November 2021, specifies four cross-border data transfer mechanisms. These recently published documents provide further detail with respect to three of these mechanisms.
- Security assessment
One of the mechanisms is to undergo and pass a security assessment by the Cyberspace Administration of China (CAC). The Security Assessment Measures provide details regarding this mechanism.
- The Security Assessment Measures will take effect on 1 September 2022. However, there is a six-month grace period, which means companies will need to pass the assessment by 28 February 2023.
- The following personal information handlers (PI handlers) must undergo a security assessment before transferring data outside of China (i.e. they cannot rely on other cross border transfer mechanisms):
(1) PI handler who processes important data;
(2) PI handler who is a critical information infrastructure operator (CIIO);
(3) PI handler who processes more than 1 million individuals’ personal information;
(4) PI handler who has transferred more than 100,000 individuals’ personal information since 1 January of the previous year; and
(5) PI handler who has transferred more than 10,000 individuals’ sensitive personal information since 1 January of the previous year.
- The term “Important data” is defined under the Security Assessment Measures, but the definition is rather vague and is still open to further interpretation by industry-specific authorities. In addition, a PI handler who processes important data should also follow the requirements of the Data Security Law.
- In terms of the CAC approval procedure, a PI handler will need to (1) conduct a self-assessment of the risks relating to the transfer, (2) sign a legal instrument with the offshore recipients, and (3) file these documents, together with an application form, with the CAC at the provincial level. It may take up to 57 working days to obtain the results of the security assessment.
- The results of the security assessment will remain valid for two years. If the PI handler plans to continue cross-border data transfer activities, it should renew the assessment 60 working days before the expiration date.
- Also, no regions (including Hong Kong Special Administrative Region) are excluded from this security assessment, meaning that data transfer from China to Hong Kong will be considered a cross border data transfer and the relevant entities will need to comply with this requirement.
- Obtain certification
Another mechanism is to obtain certification according to the regulations of the CAC. The Certification Guidelines provide details regarding this mechanism.
- The Certification Guidelines took immediate effect on 24 June 2022.
- Certification can be obtained under two circumstances: (1) cross-border personal information transfers within a multinational group company, or among the subsidiaries or affiliated companies of the same economic entity; (2) personal information processing by overseas handlers covered by Article 3(2) of the PIPL (i.e. where the handler provides products or services to individuals in China, or analyses the behaviour of individuals in China).
- The certification shall be applied for by the domestic affiliates or the designated China representatives of the applicant.
- The applicant will be assessed against certification requirements relating to data agreements, the personal information protection officer, protection of data subject rights, etc.
- The Certification Guidelines do not identify any certification bodies or provide any details regarding the certification process, which may be specified in future guidance.
- Standard Contractual Clauses
The third mechanism is to enter into the standard contractual clauses as prescribed by the CAC. The draft China SCCs Provisions relate to this mechanism.
- The draft China SCCs Provisions were published for public consultation (which ended on 29 July 2022). Given the fast-paced development of the PIPL, we anticipate that the draft China SCCs Provisions will be finalized and take effect in the short term (likely in the next few months).
- The draft China SCCs Provisions include a template of the Standard Contractual Clauses (“China SCCs”). The China SCCs (once finalized) cannot be modified but the parties may agree on additional provisions to supplement the base provisions. It is also anticipated that the China SCCs will become the most widely adopted cross border transfer mechanism due to their accessibility.
- The China SCCs can only be relied on if the following conditions are met: (1) the PI handler is not a CIIO; (2) the PI handler processes no more than 1 million individuals’ personal information; (3) the PI handler has transferred no more than 100,000 individuals’ personal information since 1 January of the previous year; and (4) the PI handler has transferred no more than 10,000 individuals’ sensitive personal information since 1 January of the previous year.
- The PI handler must also conduct a personal information protection impact assessment (PIPIA) and file the PIPIA together with the signed China SCCs with the local CAC within ten (10) working days.
- An overseas handler who directly collects personal information from individuals in China will not be able to rely on the China SCCs due to the absence of a counterparty. In this situation, the overseas PI handler will need to adopt another cross border transfer mechanism, such as obtaining certification.
As is apparent from these publications, each of the cross border transfer mechanisms can only be relied on if certain conditions are met. To determine the appropriate cross border transfer mechanism, an organisation should consider the following:
- whether it is a CIIO;
- whether it processes “important data” or “large-scale personal information” (i.e. 1 million individuals in China);
- the number of individuals whose personal information / sensitive personal information it has transferred overseas since 1 Jan 2021 (i.e. > 100,000 individuals’ personal information or >10,000 individuals’ sensitive personal information), which should include data that is being accessed overseas; and
- the nature of the transfer (e.g. intragroup or not).
Regarding the security assessment mechanism, a six-month grace period is provided (i.e. the assessment must be passed by 28 February 2023). Companies who are subject to the security assessment (but do not wish to localize data storage) should either consider ways to avoid the threshold (e.g. reduce the amount of exported data), or start preparing for the assessment.
Regarding the security certification mechanism, it remains impractical to rely on this mechanism given the ambiguity around the certification process. Companies who wish to rely on this mechanism should monitor the latest legal developments in this regard.
Regarding the China SCCs, although the China SCCs Provisions are currently still in draft, we anticipate that they will take effect in the next few months. Companies who wish to rely on this mechanism will likely need to amend their existing data agreements and should start the conversation with their China counterparts in preparation for this.
Shanghai Pacific Legal’s Erin Yang has also contributed to this article.
Disclaimer: Norton Rose Fulbright has an informal referral and cooperation relationship with Shanghai Pacific Legal, a domestic law firm in China. The relationship between both firms is complementary to each other’s practice aspirations and offerings to their respective clients.