Recent Developments with China’s Regulations on Cross-border Transfer of Personal Information

China

With the enactment of China’s Personal Information Protection Law (PIPL) from 1 November 2021, many global companies doing business in China are concerned about how to conduct cross-border transfers of personal information (PI) compliantly under the PIPL. Article 38 of the PIPL prescribes that a data handler exporting PI from China should satisfy one of the following three channel options (i.e. Channel Options):

  • Undergo and pass the security assessment by the Cyberspace Administration of China (CAC);

  • Obtain a certification issued by a professional institution in accordance with the rules to be formulated by the CAC; or

  • Conclude the standard contractual clauses (SCCs) to be formulated by the CAC with the foreign recipients.

However, the mechanisms to implement the Channel Options were not provided in the PIPL, as the CAC was still developing the rules and measures needed for implementation. With the recent publication of the Measures on Security Assessment of Cross-border Data Transfer (Security Assessment Measures), the Technical Specifications for Certification of Personal Information Cross-border Processing Activities (Certification Specification), and the Draft Provisions on the Standard Contractual Clauses (Draft SCCs Provisions), the mechanisms to implement the Channel Options are starting to become clear, and companies may begin to evaluate the different options to decide which Channel Option will suit them best.

In this article, we will briefly introduce recent legislative developments of these provisions on cross-border PI transfer. We have also attached an Annex at the end of this article comparing the Channel Options based on such provisions.

Recent legislative developments on three Channel Options for cross-border PI transfer

  1. Measures on Security Assessment of Cross-border Data Transfer

    The official version of the Security Assessment Measures was promulgated on 7 July 2022, and will become effective on 1 September 2022. The CAC has also published an official Q&A session regarding the Security Assessment Measures.

    The Security Assessment Measures regulate the cross-border transfer of data (including PI and important data) that is subject to security assessment by the CAC. The measures prescribe the scope of cross-border data transfers subject to security assessments, the procedures and timeline for security assessment, the validity period of the security assessment, etc.

    The Security Assessment Measures provide a six-month grace period. Cross-border data transfer activities carried out before the effective date of the Security Assessment Measures must be rectified to follow the requirements of the Security Assessment Measures within six months after they take effect (i.e. before 1 March 2023).

    Below are some key take-aways of the Security Assessment Measures and the official Q&A session. 

    (1) Who should apply for the security assessment?

    Based on Article 4 of the Security Assessment Measures, the following cross-border data transfers are required to undergo and pass a security assessment before the transfer:

    • Exportation of important data by data handlers;

    • Exportation of PI by critical information infrastructure operators (CIIOs);

    • Exportation of PI by data handlers that process more than one million natural persons’ PI;

    • Exportation of PI by data handlers that export accumulatively over 100,000 natural persons’ PI from 1 January of the preceding year;

    • Exportation of PI by data handlers that export accumulatively over 10,000 natural persons’ sensitive PI from 1 January of the preceding year.

    The Security Assessment Measures do not define “data handler”, but the PIPL does define the data handler of PI, which is the entity or person that decides the purpose and method for the PI processing independently. In addition, the Draft Regulations on Network Data Security Administrations (Draft Network Data Regulations) issued by the CAC last November, also define the data handler as the entity or person that decides the purpose and method for the data processing independently. We understand that the data handler under the Security Assessment Measures shall be in line with the PIPL and the Draft Network Data Regulations, and therefore any data handler meeting the requirements under Article 4 of the Security Assessment Measures shall apply for a security assessment before the exportation of data.

    Notably, in the Q&A session the CAC clarifies that cross-border data transfers include: (1) transfer of data collected and generated from operations in China to outside China; and (2) data collected and generated from operations in China that is stored in China but that foreign entities or individuals are allowed to access. Therefore, when calculating the amount of PI being exported, companies must also take into account the amount of data that their offshore staff, partners, suppliers, etc. are able to access.

    (2) How to apply for the security assessment?

    The data handler must submit the following documents to the local CAC at the provincial level (Provincial CAC) to apply for a security assessment:

    • the application form;

    • the report on the self-risk assessment;

    • the contract or other binding legal documents contemplated to be signed with the offshore recipients (Legal Documents); and

    • other documents the CAC may request.

    The Security Assessment Measures further provide what aspects shall be covered in the self-risk assessment and the Legal Documents to be signed with the offshore recipients.

      (a) What aspects will be covered in the self-risk assessment?

      Article 5 of the Security Assessment Measures provides that the data handler must conduct a self-risk assessment before applying for the security assessment, which should focus on the assessment of the following aspects:

      • the lawfulness, legitimacy, and necessity of the purpose, scope, and method of data exportation and the offshore recipient’s processing;

      • the scale, scope, type, and sensitivity of the data exported, and the risks that the data exportation may bring to national security, public interests, and the legitimate rights and interests of individuals or organisations;

      • the offshore recipient's commitment to assume responsibility and obligations, as well as whether their management and technical measures and capacities to fulfil their responsibilities and obligations can ensure the security of the data exported;

      • the risk of data being tampered with, destroyed, leaked, lost, transferred or illegally obtained or illegally used during and after the exportation, and whether the channels for safeguarding the rights and interests of PI are open; and

      • Whether the Legal Documents to be signed with the offshore recipient adequately allocate responsibilities and obligations for data security protection.

      (b) What aspects must be covered in the Legal Document to be signed with the offshore recipients?

      Article 9 of the Security Assessment Measures further provides that the Legal Document to be signed with the offshore recipients must include the following:

      • The purpose, method of the data exportation and the scope of data, and the usage and method of data processing by the offshore recipient;

      • The place and duration of data storage outside China, as well as the measures to handle the data exported after the retention period is reached, the agreed purpose is completed, or the Legal Document is terminated;

      • Binding requirements for the offshore recipient to transfer the exported data to other organisations or individuals;

      • the security measures to be taken by the offshore recipient in case of substantial changes in actual control or business scope, or changes in the data security protection policies and regulations and network security environment in the country or region where the offshore recipient is located, as well as other force majeure circumstances that make it difficult to ensure data security;

      • remedial measures in case of breach of the security protection obligations provided in the Legal Document, liability for breach and dispute resolution mechanism; and

      • requirements to carry out proper emergency response and safeguard the means and ways that individuals may protect the rights and interests of their PI if the exported data has been tampered with, damaged, and suffered leakage, loss, transfer or illegal access, illegal use or was exposed to other risks.

    (3) How long does it take to complete the security assessment?

    Under the Security Assessment Measures, the security assessment must go through the phases indicated in the table below. Based on the timeline set forth, it will take up to 57 working days to obtain the results of the security assessment after submission of the application, provided the documents submitted are complete and the case is not complicated. If there is a need to supplement the documents, or the case is complicated, it may take longer to obtain the results.

    Phase 1: Check by the Provincial CAC of the completeness of application materials
    Timeline: Within five working days of the submission
    Note: If the materials are complete, the Provincial CAC will transfer the application materials to the CAC.

    Phase 2: Review by the CAC to decide whether to accept the application
    Timeline: Within seven working days of the CAC’s receipt of the application materials
    Notes:
    • The CAC will issue a written notice to the applicant on whether the application is accepted, meaning that the written notice will be issued not only for acceptance of the application, but also for non-acceptance.
    • Based on the Q&A session, if the CAC decides not to accept the application, this does not mean the data cannot be transferred out of China; it indicates that the data exportation is not subject to security assessment. Therefore, for cross-border transfers of PI, the data handler may explore the other Channel Options (i.e. the certification or the SCCs) to export PI. For non-personal data, we understand that if the application is not accepted, the data exported likely does not constitute important data and thus can be transferred without further procedures, unless it is subject to other sector-specific requirements.

    Phase 3: Security assessment to decide whether to approve the transfer
    Timeline: Within 45 working days of the issuance of the notice accepting the application. The timeline can be extended if the CAC requests further documents or the case is complicated.
    Notes:
    • The CAC will coordinate with the relevant departments of the State Council, the Provincial CAC, and professional institutions for the security assessment.
    • If the data handler passes the security assessment, it may export the data according to the scope of the application.
    • If the data handler does not pass the security assessment, it may not carry out the data exportation activities described in the application.
    • The data handler may apply to the CAC for review within 15 working days after the decision is made if it objects to the results of the security assessment. The result of the review by the CAC is final.

    (4) Renewal and re-application

    The result of the security assessment will remain valid for two years and will expire after two years from the issuance of the results. If the data handler plans to continue the data exportation activities within the scope of the security assessment after the expiration date, it should renew the security assessment 60 working days before the expiration date.

    Moreover, if during the valid term of the security assessment any of the following occurs, the data handler must re-apply for the security assessment:

    • Any change occurs to the purpose, method, scope and type of data exported and the usage and method of data processing by the offshore recipient, which affects the security of the data exported, or the retention period of PI and important data stored outside China is extended; 

    • Changes in data security protection policies and regulations and network security environment in the country or region where the offshore recipient is located, as well as other force majeure circumstances, changes in the actual control of the data handler or the offshore recipient, changes in Legal Documents between the data handler and the offshore recipient, etc. affecting the security of data exported; or

    • the occurrence of other circumstances affecting the security of data exported.

  2. Technical Specifications for Certification of Personal Information Cross-border Processing Activities

    On 24 June 2022, the National Information Security Standardisation Technical Committee (NISSTC) released the official version of the Certification Specification. The Certification Specification states who may apply for the certification described under the Certification Specification, and what the certification institutions will consider when deciding whether to grant the certification, in particular what requirements the parties involved in the PI exportation must meet. But which institutions will be qualified to conduct the certification, and how the application should be submitted, remain unclear.

    Below are some key take-aways of the Certification Specification.

      (1) What types of PI processing activities are eligible to apply for certification?

      The following two types of PI processing activities may apply for the certification:

      • intra-group cross-border transfer of PI (Intra Group Transfer); and

      • the PI processing activities described under Article 3 paragraph 2 of the PIPL: in other words, PI processing activities occurring outside China for the purpose of providing products/services to natural persons in China or analysing and evaluating the behaviour of natural persons in China (Extra-territorial Processing).

      (2) Who may apply for the certification?

      For Intra Group Transfer, the Chinese entity of the multi-national corporation or group may apply for the certification and assume the legal responsibility for cross-border PI processing activities.

      For Extra-territorial Processing, the specialised agencies set up in the territory of China by the extra-territorial data handler of the Extra-territorial Processing or the domestic representative appointed by the same, can apply for the certification and assume the legal responsibility for the processing of PI. 

      (3) What particular requirements must the applicant meet to apply for certification for cross-border PI processing activities?

      The requirements include the following:

      • The data handler applying for the certification must be compliant with the national standard GB/T 35273 (i.e. the Information Security Technology-Personal Information Security Specification).

      • The data handler and the offshore PI recipient must enter into binding legal documents to make sure the data subjects’ rights are fully protected. Notably, in such binding legal documents, the offshore recipient must undertake to accept the supervision of the certification institution and the governance of the relevant laws and regulations in China in relation to PI protection.

      • The data handler and the offshore PI recipient must appoint a person in charge of PI protection. Such a person should be equipped with the relevant knowledge and relevant working experience, and must be one of the decision-making members in the entity. The data handler and the offshore PI recipient must also set up a relevant department to fulfil the requirements for protection of PI security.

      • The data handler and the offshore recipient must follow unified cross-border PI processing provisions, which will include the basics of the cross-border processing (i.e. the quantity, scope, types and sensitivity of the PI involved); the purpose, method and scope of the cross-border processing; the retention period of offshore storage and the handling method upon expiration of the retention period; the regions or countries involved in transit of the cross-border processing; the resources needed and the measures taken to protect the data subjects’ rights and interests; and the provisions on compensation and handling measures in case of a PI security incident.

      • The data handler must carry out the data protection impact assessment.

      • The data handler and the offshore recipient must also comply with the detailed requirements for protection of data subjects’ rights and interests in their PI, including providing a copy of the part of the contract with the offshore recipient that concerns the rights and interests of data subjects’ PI.

      (4) Extra-territorial Processing = cross-border PI transfer?

      Since the Certification Specification also provides that the Extra-territorial Processing under Article 3 paragraph 2 of the PIPL may also apply for certification, the concern that Extra-territorial Processing is also deemed as cross-border PI transfer was broadly discussed after the draft version of the Certification Specification was released.

      The text of Articles 38 and 39 of the PIPL indicates that cross-border PI transfer occurs when the data handler transfers PI out of China. For Extra-territorial Processing, usually it is not the data handler that transfers the PI out of China, but the data subjects who voluntarily submit PI to offshore data handlers. The idea that Extra-territorial Processing is a cross-border PI transfer seems to deviate from the text of Articles 38 and 39 of the PIPL.

      Compared to the draft version of the Certification Specification, a few changes worth noting in the official version have shed light on this matter.

      In the draft version, the summary provides that the Certification Specification is to implement the certification mechanism under Article 38 of the PIPL, while in the official version, “Article 38” is deleted, which is a specific provision regulating cross-border PI transfers under the PIPL.

      In addition, the official version adds that data handlers applying for the certification should be, as a base condition, compliant with the national standard GB/T 35273 (which deals with the overall data processing of a data handler other than its specific act of PI exportation) and goes on to require that to the extent the data handler carries out any cross-border PI processing activities, it must also meet the requirements under the Certification Specification.

      Lastly, the phrase “each party/relevant parties involved in the cross-border processing” in the draft version, which refers to the obligee subject to the particular requirements of the Certification Specification as indicated in the above paragraph, has been replaced by “the data handler and the offshore PI recipient” throughout the official version.

      The above changes seem to suggest that Extra-territorial Processing is not a cross-border PI transfer though it is possible to apply for the certification stipulated under the Certification Specification because:

      • The official version distinguishes “data handler applying for the certification” and “data handler carrying out cross-border PI processing activities” by requiring only the latter to comply with the requirements stipulated under the Certification Specification. We believe this suggests that the Certification Specification actually contemplates a certification at two levels: a “base level” for both types of eligible data processing activities (i.e. Intra Group Transfer and Extra-territorial Processing) and a “plus level” for cross-border PI processing activities (i.e. Intra Group Transfer); and

      • For Extra-territorial Processing, usually the data handler is located outside China and collects/receives PI directly from the data subjects, but the requirements under the Certification Specification (i.e. the “plus level” requirements) do not fit such a scenario, being impracticable to comply with because these requirements typically presume two-party involvement: “the data handler and the offshore PI recipient”.

      • However, this does not render the Certification Specification wrong to explicitly provide for applicability on Extra-territorial Processing. Extra-territorial Processing may always apply for the “base level” certification as a demonstration of the adequacy of PI protection under Chinese law, and to the extent the same data handler carries out any Intra Group Transfer, it may also apply for the “plus level” certification.

      Considering the above, we consider that Extra-territorial Processing does not constitute a cross-border PI transfer. However, subject to the CAC’s further implementing rules on the certification, there is the possibility that Extra-territorial Processing may be regulated as cross-border PI, but that would deviate from the text of PIPL and be incompatible with the requirements/measures under the Certification Specification.

  3. Draft Provisions on the Standard Contractual Clauses

    On 30 June 2022, the CAC issued the Draft SCCs Provisions to solicit public comments. The template Standard Contractual Clauses (Draft SCCs) are attached to the Draft SCCs Provisions.

    On the one hand, the Draft SCCs Provisions mainly stipulate what types of PI exportation activities may choose the SCCs as the Channel Option to transfer PI out of China, the filing procedures for the SCCs and the submission of the PI protection impact assessment (PIA), as well as liabilities and penalties. On the other hand, the Draft SCCs mainly contain obligations for the PI handler and the foreign recipient to represent and warrant that they comply with the PI-related laws and regulations, the consideration of the potential impact of foreign PI protection laws, and the protection of data subjects’ rights and interests in their PI.

    We have highlighted the key take-aways of the Draft SCCs Provisions and the Draft SCCs below:

      (1) Eligibility of PI handlers to choose the SCCs option for cross-border transfer of PI

      Article 3 of the Draft SCCs Provisions sets out that only PI handlers who fulfil all the following criteria are eligible to choose the SCCs option for their cross-border transfer of PI:

      • The data handler is not a CIIO;

      • The data handler processes PI of less than one million natural persons;

      • Since 1 January of the preceding year, the cumulative amount of PI exported by the data handler has not reached 100,000 natural persons’ PI; and

      • Since 1 January of the preceding year, the cumulative amount of sensitive PI exported by the data handler has not reached 10,000 natural persons’ PI.

      Compared with the scope of PI exportation that must undergo the security assessment under the Security Assessment Measures, it is clear that PI exportation that is not subject to the security assessment requirement is eligible to choose to conclude the SCCs as its Channel Option to transfer PI out of China. In contrast, if one of the above criteria is not satisfied, a security assessment may be required pursuant to Article 4 of the Security Assessment Measures.

      (2) Filing procedures of SCCs and the PIA report

      Article 7 of the Draft SCCs Provisions specifies the filing procedures of the SCCs. As for the timing, a filing must be conducted within ten days after the SCCs take effect. The filing must be submitted to the Provincial CAC.

      Notably, the materials to be submitted for filing not only contain the SCCs but also the PIA report, which must cover the following aspects:

      • the lawfulness, legitimacy, and necessity of the purpose, scope, and method of the data handler and offshore recipient’s PI processing;

      • the scale, scope, type, and sensitivity of the PI exported, and the risks that the PI exported may bring to the individual’s PI rights and interests;

      • the offshore recipient's commitment to assume responsibility and obligations, as well as whether their management and technical measures and capacities to fulfil their responsibilities and obligations can ensure the security of the PI exported;

      • the risk of PI being leaked, destroyed, tampered with, or illegally used after the exportation, and whether the channels for safeguarding the rights and interests of PI are smooth; and

      • the impact of the PI protection policies and regulations of the country or region where the offshore recipient is located on the performance of the SCCs.

      (3) Contemplated clauses for transfer from the data handler

      Different from the four-module SCCs under the GDPR, which provide the clauses based on the roles of the transferors and the transferees in the transfer (i.e. controller-to-processor, controller-to-controller, processor-to-processor and processor-to-controller transfers), the Draft SCCs only contemplate the clauses for the transfer from the data handler (i.e. the transfer from the data handler to another data handler and the transfer from the data handler to the entrusted data processor).

      (4) Noteworthy obligations under the Draft SCCs

      Clause 3 of the Draft SCCs provides the representations, warranties and undertakings of the offshore recipient, which include among others the following:

      • The offshore recipient will notify the data handler and report to the regulator of China in accordance with relevant laws and regulations of China in case of a breach of exported PI;

      • The offshore recipient will keep records of the PI processing activities for at least three years, and submit such records to the regulator of China directly or via the data handler in accordance with the requirements under relevant laws and regulations of China; and

      • The offshore recipient agrees to accept supervision by the regulator in the course of supervising the implementation of the SCCs, including without limitation responding to the regulator’s enquiries, cooperating with the regulator’s inspections, following the measures or decisions made by the regulator, and providing written proof certifying that it has taken the necessary measures.

      Under the Draft SCCs, both the data handler and the offshore recipient undertake to provide data subjects with a copy of the SCCs upon their request, and if it is necessary to protect trade secrets or other confidential information, such a copy can be a redacted version but the relevant summary of the SCCs must be provided to help the data subjects to understand the contents of the SCCs.

Annex

Comparison of the three Channel Options

Applicable scope

  Security Assessment: The following types of cross-border data transfer are required to apply for the security assessment and obtain the approval of the CAC before the transfer:
    • Exportation of important data;
    • Exportation of PI by CIIOs;
    • Exportation of PI by data handlers that process more than one million natural persons’ PI;
    • Exportation of PI by data handlers that export accumulatively over 100,000 natural persons’ PI from 1 January of the preceding year;
    • Exportation of PI by data handlers that export accumulatively over 10,000 natural persons’ sensitive PI from 1 January of the preceding year.

  Certification: The following types of cross-border transfer may apply for the certification:
    • Intra-group transfer of PI;
    • Extra-territorial Processing of PI under Article 3 paragraph 2 of the PIPL (i.e. data handlers processing PI of natural persons in China for the purpose of providing services/products to the same or analysing/evaluating the behaviours of the same. As discussed above, we understand that the certification for such processing would be for the purpose of demonstrating the adequacy of PI protection, but not as a cross-border transfer.)

  SCCs: The following types of cross-border transfer may conclude the SCCs:
    • Cross-border PI transfer that is not within the scope required for security assessment;
    • However, unlike the GDPR SCCs, which are structured in four different modules based on the roles of the transferors and transferees (i.e. controller-to-processor, controller-to-controller, processor-to-processor and processor-to-controller), the Draft SCCs are structured only for transfers from the data handler to another data handler, or from the data handler to the entrusted data processor. It remains unclear at the current stage how an entrusted data processor may export PI under the SCCs.

Procedure for the application

  Security Assessment:
    • Carry out a self-risk assessment for the exportation;
    • Submit the self-risk assessment report, application form, and contracts with the offshore recipient to the Provincial CAC;
    • the Provincial CAC will check the completeness of the application within five working days and, once the documents are complete, transfer the application to the CAC;
    • the CAC will decide whether to accept the application within seven working days;
    • upon accepting the application, the CAC will decide within 45 working days whether the application passes the security assessment; if more documents are requested or the case is complicated, the timeline can be extended.

  Certification: Not available under the current Certification Specification, but we understand the PIA and the data processing/sharing agreements must be in place at the time of application.

  SCCs:
    • Sign the SCCs with the offshore data recipient;
    • File the signed SCCs with the local CAC at the provincial level within ten days after the signed SCCs take effect.

Content required for self-risk assessment or protection impact assessment

  Security Assessment: The self-risk assessment must focus on assessing the following:
    • the lawfulness, legitimacy, and necessity of the purpose, scope, and method of the exportation and the offshore recipient’s data processing;
    • the scale, scope, type, and sensitivity of the data exported, and the risks that the data exported may bring to national security, public interests, and the legitimate rights and interests of individuals or organisations;
    • the offshore recipient’s commitment to assume responsibility and obligations, as well as the management and technical measures to fulfil their responsibilities and obligations, and the ability to ensure the security of the data exported;
    • the risk of data being tampered with, destroyed, leaked, lost, transferred or illegally obtained or illegally used during and after the exportation, and whether the channels for safeguarding the rights and interests of PI are smooth; and
    • whether the Legal Document to be signed with the offshore recipient adequately allocates responsibilities and obligations for data security protection.

  Certification: The protection impact assessment must at least include the following:
    • whether the exportation of PI complies with relevant laws and regulations;
    • the impact on the rights and interests of the data subjects, in particular the impact brought by the legal environment and cyber security environment of the countries or regions to which the data is exported; and
    • other matters necessary for protecting the data subjects’ rights and interests.

  SCCs: The protection impact assessment must focus on assessing the following:
    • the lawfulness, legitimacy, and necessity of the purpose, scope, and method of the data handler’s and offshore recipient’s PI processing;
    • the scale, scope, type, and sensitivity of the PI exported, and the risks that the PI exported may bring to the individual’s PI rights and interests;
    • the offshore recipient’s commitment to assume responsibility and obligations, as well as the management and technical measures to fulfil their responsibilities and obligations, and the ability to ensure the security of the PI exported;
    • the risk of PI being leaked, destroyed, tampered with, or illegally used after the exportation, and whether the channels for safeguarding the rights and interests of PI are smooth; and
    • the impact of the PI protection policies and regulations of the country or region where the offshore recipient is located on the performance of the SCCs.