Significant changes have been witnessed in the cross-border data transfer mechanisms in China, particularly following the enactment of both the Data Security Law and the Personal Information Protection Law (“PIPL”) in 2021. The purpose of this article is to present an overview of the legal framework governing the cross-border transfer of data in China.
Article 38 of the PIPL outlines the existing mechanisms for transferring data out of China, which include the following:
- security assessment administered by Cyberspace Administration of China (“CAC”);
- China standard contractual clauses (“SCCs”); and
- certification by qualified institutions.
Security Assessment
A company is required to undergo a security assessment if it:
- transfers “important data” out of China, which refers to data that, if tampered with, sabotaged, leaked, or illegally obtained or used, could jeopardize national security, economic operations, social stability, or public health and safety;
- transfers personal information out of China held by any Critical Information Infrastructure (“CII”) operators, and CII operators are typically designated by the relevant authorities;
- processes personal information of more than one million individuals; or
- has transferred, since January 1 of the previous year, personal information out of China that involves either:
- personal information of over 100,000 individuals; or
- sensitive personal information of more than 10,000 individuals.
Detailed procedures and requirements for the security assessment can be found in the Measures for Security Assessment of Cross-border Data Transfer (《数据出境安全评估办法》), along with other supplementary documents that offer guidance on the assessment process. The regulation provides a six-month grace period to March 1, 2023, giving data processors additional time to ensure compliance with the security assessment requirement.
The general procedure and timeline for a security assessment are as follows:
- Data handler’s self-assessment. A data handler subject to the assessment needs to first conduct a data export security self-assessment and prepare a self-assessment report.
- Preparation and submission of application materials. The data handler must submit the application to the competent provincial-level CAC office of where the data handler is located within three months of completing the self-assessment and ensure that there is no material change to the date of the application.
- CAC’s completeness check. The provincial-level CAC office will check the completeness of application materials within five working days of the date of receipt of the materials, and:
- if application materials are complete, the application set will be submitted to the CAC; or
- if application materials are incomplete, the data handler will be notified of the return of the application set.
- Decision on whether to accept the application. The CAC will determine whether to accept the application and notify the data handler of its decision in writing within seven working days from the date of receiving the application materials from the provincial-level CAC office.
- CAC security assessment. Following acceptance of the application, the CAC will organize relevant departments of the State Council, provincial-level CAC offices, and specialized institutions to conduct security assessments. The CAC must complete the security assessment within 45 working days from the date of accepting the application, but may extend the time period for complex cases, after notifying the applicants of the extended period.
- If the data handler is required to supplement or correct the application materials, it shall promptly supplement or correct them as required. The security assessment will be terminated if the application materials are not supplemented or corrected without justifiable reasons.
- Notification of assessment results. The data handler will be notified of the result of the assessment in writing, which will be valid for two years from the date of the issuance of the result.
- CAC’s re-assessment. If a data handler is not satisfied with the assessment result, it can apply to the CAC for re-assessments within 15 working days of receiving the assessment result, and the CAC’s re-assessment result is final and not subject to any further administrative or judicial review.
In practice, the number of companies that have filed security assessments in anticipation of the deadline of March 1, 2023 is low, and the number of reported approvals is even lower. Notwithstanding the CAC’s current processing backlog, it remains unclear whether the CAC will extend the grace period for security assessment filings.
SCCs
The Measures on the Standard Contract for Cross-Border Transfer of Personal Information (《个人信息出境标准合同办法》) was officially promulgated by the CAC on February 24, 2023. According to these measures, companies are required to conduct a Personal Information Assessment (“PIA”) and enter into the standard contract with foreign recipients for any transfer of personal information involving less than 100,000 individuals (and the transfer of sensitive personal information involving less than 10,000 individuals), without a lower threshold. Consequently, in general, any company engaging in the transfer of personal information abroad may be subject to this requirement and must complete the filing of the PIA and standard contract with the CAC (“CAC Filing”) before December 1, 2023.
As per the Question & Answer (Q&A) document published by the CAC, market players are obligated to strictly adhere to the clauses of the SCCs when transferring personal information out of China. Furthermore, any additional terms agreed upon by the contracting parties should not contradict the SCCs.
Similar to the security assessment, it has been observed that only a small number of companies have completed the CAC Filing for the SCCs in practice. Having said so, it is worth noting that many companies have initiated the process of conducting the PIA and preparing for the CAC Filing.
Certification by Qualified Institutions
On June 24, 2022, the National Information Security Standardization Technical Committee (“TC260”) published the Practical Guide to Cybersecurity Standards – Specifications on Security Certification for Cross-Border Personal Information Processing Activities (“Certification Specifications”). Furthermore, in December 2022, TC260 published the Certification Specifications V2.0.
The Certification Specifications functions as best industry practice and provides the basis for qualified institutions to carry out certifications for cross-border personal information processing activities. It also serves as a reference for personal information processors to regulate their cross-border personal information processing activities.
The Certification Specifications V2.0 provides that certification applies to all personal information cross-border processing activities (Article 1), to encourage the protection of personal information outbound transmission through security certification by all applicable personal information processors on a voluntary basis.
However, the identification of certification institutions and the details of the certification procedure have yet to be specified.
New Developments
In September 2023, the CAC published the Rules on Regulating and Promoting Cross-border Data Transfer (Draft for Comment) (《规范和促进数据跨境流动规定(征求意见稿)》) (“Draft Rules”) to solicit public comments until October 15, 2023. It appears that the Draft Rules intends to relax the current strict control over cross-border data transfer.
Security assessment, SCCs and certification by qualified institutions shall no longer be required in the following situations:
- when it is necessary to transfer abroad the personal information of employees in order to carry out human resources management in accordance with the labor regulations and rules adopted by the employer and the labor contracts signed in accordance with law; or
- when personal information is to be transferred out of China within one year (in forecast), and the transfer will involve less than 10,000 individuals.
In the event that personal information transferred out of China within one year (in forecast) will involve more than 10,000 but less than 1 million individuals, the personal information processor will only need to complete the filing of the SCCs and PIA with CAC, or the certification by qualified institutions, while security assessment will not be required.
According to the Draft Rules, if there is any conflict between the Draft Rules and other regulations on security assessment or standard contract, the Draft Rules shall prevail, which means the Draft Rules will supersede certain provisions of the Security Assessment Measures for Outbound Data Transfer (《数据出境安全评估办法》) adopted in September 2022 and the Measures on Standard Contract for Cross-border Transfer of Personal Information (《个人信息出境标准合同办法》) adopted in June 2023.
Concluding Remarks
Given the above, the status of the three major pillars of outbound transfer mechanism is summarized as follows:
- Security assessment: This avenue allows companies to file application with the CAC, but very few companies have completed this;
- SCCs: This avenue allows companies to file application with the CAC, but only a few companies have completed this. Many companies are still working on this while the deadline is approaching; and
- Certification by qualified institutions: It is not practicable yet, because the Certification Specifications fails to provide information about which professional agencies are qualified to confer the certification, nor how to apply for a certification.
The Draft Rules introduces several exemptions that could potentially affect businesses that are currently subject to existing data export mechanisms. If adopted and implemented in their current form, these provisions are expected to have a significant impact on many international organizations and companies in terms of requirements on their ongoing data export, both operationally and strategically. Given that the Draft Rules has not yet come into effect, it is advisable to keep an eye on the final effective version.