By Art Dicker, Matthew Ding & Robin Tabbers

China has recently issued new implementing regulations for its trinity of data protection laws - the 2017 Cybersecurity Law ("CSL"), the 2021 Data Security Law ("DSL") and particularly the 2021 Personal Information Protection Law ("PIPL"). We were overdue for some clarifications from the Cybersecurity Administration of China ("CAC") as the DSL and PIPL already came out last year.

Here are the two new implementing regulations from CAC:

  • The Draft Provisions on Standard Contracts for Outbound Transfers of Personal Information, which is currently seeking comments from the public ("Draft Standard Contracts Provisions"); and
  • The Security Assessment Measures for Outbound Data Transfers, which will become effective as of 1 September 2022 ("Security Assessment Measures").

To put these into context, you may recall, that the PIPL formally sets out the following paths for a personal information processor to transfer personal information outside of China:

  1. entering into a contract with the overseas recipient adopting the standard contractual clauses ("SCCs") formulated by the CAC;
  2. passing a security assessment by the CAC ("Security Assessment"); or
  3. obtaining certification by a CAC designated agency for protection of personal information ("Certification").

This creates several different routes for companies that we will discuss in the following:

Route 1: Adopting China Standard Contractual Clauses (SCC)

An official Security Assessment or any Certification process would be considerably more complicated and time intensive, stretching the limited resources of many small and medium-sized companies here. These and even larger enterprises would much prefer to choose the (1) SCC route if they're at all eligible (see discussion below).

The catch is that, only a personal information processor meeting ALL of the following requirements can adopt the SCC approach:

  1. It is not a Critical Information Infrastructure ("CII") operator;
  2. It does not process more than 1,000,000 individuals' personal information;
  3. It has not provided the personal information of more than 100,000 individuals (in total) overseas since 1 January of the previous year (i.e. the last 1-2 years); and
  4. it has not provided sensitive personal information of more than 10,000 individuals (in total) overseas since January 1 of the previous year (i.e. the last 1-2 years).

The Draft Standard Contracts Provisions also set more detailed requirements on impact assessments on personal information protection ("PIA"), which is a prerequisite for cross-border transfers of personal information established by the PIPL.

A PIA must focus on:

  1. the legality, legitimacy and necessity of the purpose, scope and methods of processing by the personal information processor and overseas recipient;
  2. the quantity, scope, type and sensitivity of the personal information to be transferred to the overseas recipient, and the associated risk of such transfer;
  3. the ability of the overseas recipient to take security measures to fulfill data protection obligations (under the PIPL);
  4. the risk of any information breaches, destruction, falsification, misuse after transfer, as well as the available remedial measures for individuals; and
  5. the impact of local policies and regulations on the protection of personal information in the overseas jurisdictions.

According to the Draft Standard Contracts Provisions, any contract concluded by and between the personal information processor and the overseas recipient shall not conflict with the SCCs on matters related to the cross-border transfer of personal information, and the SCCs shall prevail in case of any conflict.

In other words, much like labor contracts quote directly from the language of the Labor Contract Law (even if that language leaves a lot open to interpretation), we expect to see data transfer agreements quoting directly from the SCCs.

SCC Coverage:

  1. basic information on the personal information processor and the overseas recipient;
  2. the purpose, scope, type, sensitivity, quantity, method, retention period, storage place, etc. of personal information to be transferred;
  3. the responsibilities and obligations of the personal information processor and overseas recipient to protect personal information, as well as the technical and management measures adopted to prevent the possible security risks arising from cross-border transfer of personal information;
  4. the impacts of the policies and regulations on personal information protection of the country or region where the overseas recipient is located on the compliance with the SCCs;
  5. the rights of the individuals, as well as the channels and methods for protection of the rights of the individuals; and
  6. remedy, liability for breach of contract and dispute resolution, etc.

Filing Requirements on Data Transfer Agreements:

  1. the data transfer agreement incorporating the SCCs and the PIA report should be filed with the CAC within 10 working days from the effective date of the agreement.
  2. a data transfer agreement shall be renewed and re-filed when any of the core terms and conditions stipulated therein changes, such as changes in the purpose, scope, methods of processing by the overseas recipient, changes in regulations of the country or region where the overseas recipient locates which may affect the rights and interests of the individuals, etc.

Route 2: Passing Security Assessment

The Security Assessment Measures are overlapping implementation rules for the CSL, DSL and the PIPL. It covers not only the cross-border transfers of personal information, but also "important data" referred to in those laws. The requirements are in sync with the Standard Contract Clause (SCC) requirements discussed above.

A data processor should adopt the Security Assessment approach in ANY of the following circumstances:

  1. where a data processor provides important data abroad;
  2. where a CII operator or a data processor processing the personal information of more than 1,000,000 individuals provides personal information abroad;
  3. where a data processor has provided personal information of 100,000 individuals or sensitive personal information of 10,000 individuals in total abroad since 1 January of the previous year; or
  4. other situations set out by CAC that require a filing under the security assessment regime.

Notably, item (3) above sets a more practical threshold than the Draft Security Assessment Measures released in October 2021, as this final version includes a definite starting point for calculating the total processing volume.

While CAC will obviously rely to a large extent on companies adequately tracking their data and self-policing, at a minimum, a robust system needs to be in place to track in case of any CAC audit (whether triggered by a whistleblower, user complaint, or otherwise) for companies which could come even remotely close to these thresholds. Showing a fancy, detailed policy without an implemented system to demonstrate is not going to be looked upon kindly by CAC.

The Security Assessment procedures:

  1. Before applying for the Security Assessment, the data processor should conduct a self-assessment on the risks of outbound data transfer, very much akin to the PIA as discussed above.
  2. The data processor must apply for the Security Assessment through the provincial level CAC and submit a declaration form, the self-assessment report, the data transfer agreement and other necessary materials.
  3. The Security Assessment primarily focuses on similar matters that are critical in a PIA (summarized above) or the self-assessment, with the priority on the assessment of the risks to national security, public interests, or the legitimate rights and interests of individuals or organizations that may be caused by the cross-border data transfers.
  4. The data processor should normally get the results from the CAC in around 60 working days calculating from the data of submission of the filings. Notably, the final Measures have removed the time limitation for completing assessment of more complicated cases.

As the results of a Security Assessment for cross-border data transfers are valid only for two years, the data processor must re-apply for a Security Assessment if the validity period expires or if other special circumstances (e.g., the purpose, method, scope or type of the outbound data transfer changes) occur. This again places additional burden on the data processor.

Route 3: Obtaining Certification

As we discussed in the beginning, there is still a third alternative for cross-border data transfers: Certification. While there are no regulations yet covering this approach, we have seen some national standards issued by relevant institutions, setting guidance for the implementation of the Certification, such as the Specification for Certification of Cross-border Personal Information Transfer (TC260-PG-20222A). However, according to this Specification, the Certification approach can only be adopted in company intra-group data transfers, or by overseas processors which are subject to the extra-territorial scope of PIPL (per Article 3 of PIPL).

Conclusion

With these new implementing regulations coming into effect, we are gradually getting a clearer picture on what should be done to bring data processing activities in line with legal requirements. But still, there are gaps to fill. For example, there is still a lot of room open for interpretation as to whether a data processor is a CII operator, or if the data collected or generated during its operation constitute important data.

Without specific, practical guidance from the law itself, it is still incredibly helpful to try to think about what purpose these regulations are trying to serve and where the regulators will naturally have their priorities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.