Foreign Entities’ Compliance for Receiving PRC Personal Data

As a foreign entity which receives personal information from China, whether it has operations or establishments within the country or not, navigating China’s complex regulatory environment on data protection and privacy can be challenging. This article aims to provide such foreign entities with some basic guidance on complying with the general rules in respect of cross-border transfer of data.

Deciphering the Concept of Foreign Recipients

Before we dive into the details of regulatory requirements, as the first step, it is important to clarify the definition of “foreign recipient” under the relevant Chinese laws. This will help a foreign entity determine whether it qualifies as a “foreign recipient” in the cross-border data transfer activities it is involved in.

However, China’s Personal Information Protection Law (“PIPL”) in fact does not explicitly define “foreign recipient”. Hence, we have to rely on Article 38 thereunder, the closest in PIPL we get as a definition, that stipulates: “a personal information handler that, out of business or other needs, has to transfer personal information outside of the Chinese territory should comply with the prescribed procedures hereunder […]. ”

Based on Article 38, we could define “foreign recipient” as an entity/person that is located outside of the Chinese territory that receives the personal information from a personal information handler within China out of business or other needs. Although the wording seems straightforward, there are still certain subtle aspects that foreign recipients are advised to pay attention to when breaking down this definition: 

1) Personal information

According to the definition in PIPL, the term “personal information” refers to various types of information recorded electronically or by other means that relates to any identified or identifiable natural persons, excluding information that has been anonymized.

2) Personal information handler 

According to the definition in PIPL, “personal information handler” refers to any entity or person who independently decides for what purposes and with what methods any personal information should be processed. 

3) Transferring outside of the Chinese territory

It could refer to several scenarios:

  • physically moving the personal information records across any Chinese border;
  • transferring personal information from an information system hosted on a server whose data room is located in China to another server whose data room is located outside of China; or
  • allowing entities and persons who are located outside of China to access the personal information stored within China.

The Chinese territory excludes Hong Kong SAR, Macau SAR, and Taiwan Province for this purpose as these three regions in fact have their own regulatory regime and jurisdiction.

Along this line, a cross-border transfer occurs when a personal information handler exports personal information to a recipient outside of the Chinese territory. Therefore, a typical scenario would be B2B transfer, where one business transfers the personal information it has collected to another business located abroad. The recipient may then store, analyze, or otherwise process the received personal information. 

In the case of C2B transfer, where an individual in China directly transfers their personal information to an entity outside the Chinese territory, be it for college programs, memberships, booking services, or cross-border payments, we argue that, by definition, the receiving entity could technically be termed a “foreign personal information handler” instead of a “foreign recipient”, as the former refers to an entity outside China that processes data from individuals within China in order to provide services to or analyze specific behavior traits of such individuals. No matter the designation, however, the personal information is still considered as being “transferred across the border” under this scenario.

For the purpose of this article, when we analyze the compliance requirements for a “foreign recipient”, we will also try to cover these for a “foreign personal information handler” as well since essentially, regardless of its definition under PIPL, the latter also entails foreign entities receiving personal information from China. Hence in a broader sense, it is also a foreign recipient.

Cross-border Transfer Procedures

When a cross-border transfer is to take place, there are several procedures an entity has to go through before it may transfer the personal information across the Chinese border. As the laws and regulations in China attach great importance to the role of “personal information handlers”, the obligation of compliance lies largely with the handlers.

A personal information handler is required to go through one of the three prescribed procedures in Article 38 of PIPL, which are:

  1. completing a security assessment administered by the Cyberspace Administration of China (“CAC”);
  2. filing a Standard Contract (a template published by CAC) that it has signed with its overseas recipient(s) and the Personal Information Protection Impact Assessment (“PIA”) report with CAC; or
  3. obtaining certification by qualified institutions.

Discussions have been focused on these three procedures and how they should be carried out ever since 2021 when PIPL first came into effect. Subsequent regulations and guidance issued with respect to the above mechanisms for cross-border transfer of personal information have been evolving and debated among government authorities, industry participants, and legal professionals until the latest Rules on Regulating and Promoting Cross-border Data Transfer (《规范和促进数据跨境流动规定》) (the “Promoting Rules”) came into force.  

The Promoting Rules is a milestone in Chinese legislation on cross-border transfer of personal information, as it relaxes the threshold for compliance measures and provides several scenarios in which personal information handlers could be exempted from the three procedures for cross-border transfer set forth in Article 38. Such exemption may apply to, for example: 

  1. export of personal information (not sensitive) of no more than 100,000 individuals;
  2. export of employees’ personal information that is necessary for human resources management;
  3. export of personal information of an individual that is necessary for the purpose of concluding and performing a contract to which the individual is a party, such as cross-border shopping, payments, booking of hotels, etc.; or
  4. export of personal information out of urgent needs to protect personal or property safety and health.

This brings us back to the discussion with respect to the B2B and C2B transfer of information. It appears that a typical C2B transfer would most likely be exempted from the three cross-border procedures as it normally falls under scenario 3 above, while the B2B transfer may or may not meet the above requirements for exemption.

Regardless of whether it should be exempted from the three procedures in Article 38 above, as long as a personal information handler transfers personal information across any Chinese border, it will need to comply with some general obligations such as obtaining separate consent from the data subject(s) for such transfer, properly disclosing the details of processing to the data subject(s), adopting sufficient data protection measures, conducting PIAs, etc.

Foreign Recipients’ General Compliance Obligation

The above compliance requirements for personal information handlers may give you a general idea of what might be required from a foreign recipient which is in a supportive role in terms of cross-border transfer compliance. 

In the scenario of a B2B transfer, a foreign entity which receives personal information from a domestic personal information handler would normally be a partner or vendor of the personal information handler and hence is required to support the personal information handler in fulfilling its obligations, including:

  1. entering into a contract for the commissioned processing of personal information, which shall at least set out the purpose, term, methods of processing, the types of personal information, the personal information protective measures, and the rights and obligations of the parties;
  2. assisting the personal information handler in compliance with the three cross-border transfer procedures in ways such as entering into a Standard Contract for processing of personal information or providing support during PIAs where applicable;
  3. accepting the supervision of the personal information handler in terms of data processing;
  4. processing the personal information strictly in accordance with the agreements in the contract with the personal information handler; either deleting or returning any personal information when the contract is terminated, invalidated, rescinded, revoked, or otherwise ended;
  5. not engaging subcontractors without the approval from the personal information handler; and
  6. adopting necessary measures to ensure the safety of personal information, which should at least meet the standard of protection required for a domestic personal information handler.

For a foreign recipient who is the partner or vendor contracted by the personal information handler to provide goods or services, normally, it is important to have proper contracts and documents prepared to meet the obligations mentioned above. A foreign recipient aiming to provide top-tier services may choose to take an additional step to assist the personal information handler to prepare the sections in relation to the foreign recipient in a PIA report. Especially for those cross-border transfer activities not covered by exemption scenarios, personal information handlers will need to submit PIA reports to CAC for review. Nonetheless, please note that this approach is proactive and not mandatory under the laws and regulations.

In the scenario of a C2B transfer, for a foreign personal information handler that helps process the personal information of its individual customers in China for the performance of certain contracts to which the individual customers are a party, it could be exempted from Article 38’s three cross-border transfer mechanisms according to the Promoting Rules, but it still has general obligations as discussed above, such as obtaining separate consent from data subjects, making proper disclosure, adopting sufficient security measures, and conducting PIAs, among others.

Conclusion

Even though a foreign recipient may not have any operations or establishments in China, it may still be subject to legal liabilities under PIPL due to this law’s extraterritorial reach. Furthermore, non-compliance may subject a foreign recipient’s Chinese clients or business partners to penalties as well.

Hence, it is important that a foreign recipient take a more proactive stance towards compliance under China’s data and privacy framework, and pay particular attention to the requirements of cross-border transfer of personal information. As long as there is Chinese customers’ personal data involved, regardless of the scale of operation, it is advisable for a foreign recipient to review and streamline the personal information processing flow and seek advice from advisors with expertise in China on compliance requirements. 

Please note that the foregoing analyses do not apply to the personal information of critical information infrastructure operators (“CIIOs”), which refers to the operators of vital infrastructure for public communication and information services, energy, transportation, water utilities, finance, public services, electronic government services, and other important industries. We have also not covered the concept of important data, referring to the data of which the tampering, damage, leak, or illegal access or use may jeopardize national security, economic vitality, social stability, public health, and safety. CIIOs’ data and important data are subject to more stringent regulations in China with respect to cross-border transfer. Such issues should be addressed and evaluated separately, especially if a foreign recipient suspects that its operation may involve CIIO data or important data. In any case, comprehensive examination of these matters lies outside the purview of this article.