Personal information ("PI") export is a daily occurrence and a business necessity for many companies operating in China, especially for multinational companies and for domestic companies using management software provided by foreign operators with servers located abroad. With the continuous strengthening of China's regulation, PI export compliance has become an issue that cannot be ignored by companies engaged in such activities.
Recently, around 8 months after the Personal Information Protection Law ("PIPL") took effect, the Cyberspace Administration of China ("CAC"), the central internet regulator in China, released the long-awaited Security Assessment Measures for Data Export (《数据出境安全评估办法》in Chinese, "Measures") and the Draft Provisions on Standard Contracts for the Export of PI (《个人信息出境标准合同规定（征求意见稿）》in Chinese, "Draft Provisions"). Since the Measures will take effect on September 1, 2022, and the Draft Provisions may be finalized and released soon, it can be said that the implementing rules for the two more important and widely used of the three PI export mechanisms provided by the PIPL have now taken shape.
In this context, this article will first outline the development of China's restrictions on PI export, then introduce in detail the PI export mechanisms provided by the PIPL, including the compulsory notification mechanism and the self-management mechanisms, mainly based on the two new implementing rules, and finally put forward practical tips accordingly.
I. Development of China's Restrictions on PI Export
As early as more than a decade ago, there had been restrictive regulations on PI export in China. The relevant development can be roughly divided into three stages.
1. Before June 2017
Before the promulgation of the Cybersecurity Law, China's restrictions on PI export were scattered across various industry regulations, such as the Notice of the People's Bank of China for Banking Financial Institutes to Get the Personal Financial Information Protection Work Well Done (2011) (《中国人民银行关于银行业金融机构做好个人金融信息保护工作的通知 (2011)》in Chinese) and the Population Health Information Management Measures (Trial Implementation) (2014) (《人口健康信息管理办法（试行）（2014）》in Chinese).
2. June 2017 – November 2021
On June 1, 2017, the Cybersecurity Law came into effect. It provides that Critical Information Infrastructure Operators ("CIIOs"), a limited group of companies in key sectors proactively identified by Chinese authorities, must pass a security assessment organized by the CAC before exporting PI. This was the first time that national legislation imposed restrictions on PI export, although its scope of application was limited to certain critical companies.
3. After November 2021
On November 1, 2021, the PIPL took effect. As the fundamental law in the field of PI protection in China, the PIPL imposes restrictions, although of varying degrees, on the PI export activities of all companies within China. Since then, no PI can be freely exported except through one of three mechanisms, namely (1) Security Assessment, (2) Standard Contract, or (3) Protection Certification (the definitions are explained below).
To support the implementation of the three mechanisms respectively, the CAC released the Measures on July 7, 2022, and the Draft Provisions, with the draft standard contract template as its annex, on June 30, 2022, while the National Information Security Standardization Technical Committee ("TC260") released the Cyber Security Standard Practical Guidance – Security Certification Specification on Cross-border Transfer of PI (《网络安全标准实践指南——个人信息跨境处理活动安全认证规范》in Chinese, "Guidance") on June 24, 2022.
In terms of the legal validity of these supporting rules, the Measures on the Security Assessment mechanism will take effect on September 1, 2022, while the Draft Provisions on the Standard Contract are not final and will be revised later, and the Guidance on Protection Certification is merely guidance with no binding force. Below are detailed introductions to the three PI export mechanisms provided by the PIPL, based on these supporting rules.
II. Overview of the Three PI Export Mechanisms Provided by the PIPL
As introduced above, the PIPL provides three mechanisms for companies within China to export PI, namely Security Assessment, Standard Contract and Protection Certification. The definitions are as follows:
- Security Assessment refers to passing the security assessment organized by the CAC.
- Standard Contract refers to concluding a standard contract as formulated by the CAC with the overseas recipient.
- Protection Certification refers to obtaining certification for PI protection from an accredited institute according to provisions by the CAC.
The main difference between the Security Assessment and the other two mechanisms is that the Security Assessment, under which PI export activities must be notified to and approved by the authority, is mandatory for CIIOs and for PI handlers (similar to data controllers under the GDPR) handling PI in quantities reaching the thresholds set by the CAC, while the other two mechanisms, which require no approval from the authority, are available only to handlers that do not meet the Security Assessment notification criteria, as shown below. Therefore, the Security Assessment and the other two mechanisms are introduced separately below.
III. Compulsory Notification Mechanism: Security Assessment
Security Assessment is a graduated mechanism based on the nature of the PI handler and the quantity of PI involved. Compared with the draft, the final version of the Measures is more enforceable, with more details specified. This part introduces the rules for Security Assessment under the newly issued Measures, but we still await the application of these rules in practice.
- Who are Caught by the Security Assessment?
Not all PI handlers are obliged to undergo Security Assessment before providing overseas PI collected and generated in the course of operations within the territory of mainland China. Under the Measures, the following four types of PI handlers shall apply for Security Assessment:
- PI handlers that are CIIOs;
- PI handlers that have processed PI of more than 1 million individuals;
- PI handlers that have exported PI of more than 100,000 individuals accumulatively since January 1 of the preceding year; and
- PI handlers that have exported sensitive PI of more than 10,000 individuals accumulatively since January 1 of the preceding year.
It should be noted that the Measures adopt a dynamic criterion. PI handlers that fall below the abovementioned thresholds should therefore constantly monitor the volume of PI they export, particularly in the latter part of the year (e.g., Q4), as this determines whether they are likely to be caught by the thresholds listed above. The result of the Security Assessment is valid for two years.
- Who are the Assessment Authorities?
According to the Measures, the application for Security Assessment shall be submitted to the local cyberspace administration at the provincial level for formal review, which will then submit it for the substantive assessment organized by the CAC.
The CAC will organize relevant departments of the State Council, provincial cyberspace administrations and/or specific institutions to conduct the Security Assessment.
- What Should be Prepared Before the Application?
A self-assessment of the risks of PI export shall be conducted prior to the application for Security Assessment. A self-assessment report is required when applying for Security Assessment, and its main contents shall include:
- the legality, legitimacy, and necessity of the purpose, scope, and method of data export and of the processing activities of overseas recipient;
- the amount, scope, type and sensitivity of the data to be exported, the risks that the data export may pose to national security, public interest, and the legitimate rights and interests of individuals or organizations;
- whether the responsibilities and obligations undertaken by the overseas recipient, as well as its management and technical measures and capacity to fulfill the responsibility and obligations can ensure the security of the data to be exported;
- the risks of data being tampered with, destroyed, leaked, lost, transferred, or illegally obtained or used during or after data export, and whether the channels for individuals to exercise the rights and interests of PI are available, etc.;
- whether the data export related contract or other documents with legal force (collectively, "legal document") to be concluded with the overseas recipient fully specifies data security protection responsibilities and obligations; and
- other matters that may affect the security of data export.
The matters assessed by the CAC in the Security Assessment overlap to a large extent with the matters of the self-assessment. Thus, PI handlers should take the self-assessment seriously, since it is a good opportunity to check the company's data compliance in advance. PI handlers should promptly rectify any non-compliance issues to avoid failing the Security Assessment.
- What is the Procedure of Security Assessment?
- Application and Acceptance
PI handlers shall first apply for Security Assessment to the provincial-level cyberspace administration. The materials required for the application are as follows:
- a written application;
- the report of self-assessment on the risks of data export;
- the legal document to be concluded between the data handler and the overseas recipient; and
- other materials required for the Security Assessment.
After the formal review by the provincial-level cyberspace administration, the materials will be submitted to the CAC within 5 working days. The CAC will conduct a substantive review to decide whether to accept the application and will notify the applicant in writing within 7 working days.
After acceptance, the CAC will conduct the Security Assessment together with other authorities and institutions. In addition to the aspects listed in the self-assessment part, the authorities will also assess the impact of the data security protection policies and regulations and the cybersecurity environment of the country or region where the overseas recipient is located on the security of the data transferred across the border, as well as compliance with Chinese laws, administrative regulations and departmental rules.
The assessment shall be completed within 45 working days from the date the notification of acceptance is issued, but if the case is complicated or supplementary materials or corrections are needed, the period may be extended, with a notice to the applicant stating the expected length of the extension. After the assessment is completed, the CAC will send a written notification of the Security Assessment result to the PI handler.
It should be noted that the Measures do not cap the extension period, given the uncertain workloads. The actual time the CAC needs to complete the whole process will only become clear from its future practice.
- What Happens After Security Assessment?
If a PI handler has any objection to the assessment result, it can apply to the CAC for re-assessment within 15 working days of receiving the result, and the re-assessment result will be the final decision. However, the Measures set no time limit for the re-assessment.
- Expiration and Re-application
The assessment result is valid for only 2 years from the date it is issued.
If it is necessary to continue the original data export activities after the validity period expires, the PI handler shall apply for the assessment again at least 60 working days before expiration. Otherwise, the PI export activities shall cease.
PI handlers should also pay attention to internal and external changes that might affect the validity of the assessment result. According to the Measures, even during the validity period, if there is a substantive change in the PI export, the PI handler shall re-apply for Security Assessment. Such substantive changes include:
- changes of the purpose, method, scope and type of the outbound data transfer, or the purpose and method of data processing by the overseas recipient, that affect the data security;
- extending the period of storage of PI abroad; and
- changes in the data security protection policies or regulations or the cybersecurity environment of the country or region where the overseas recipient is located, any other force majeure event, or any change in the actual control of the PI handler or the overseas recipient, or any change in the legal documents between the PI handler and the overseas recipient, which may affect the outbound data security.
The CAC will give written notice to the PI handler if it finds that the PI handler's activities no longer meet the requirements of data export security management.
IV. Self-Management Mechanisms: Standard Contract + Protection Certification
According to the PIPL, the Standard Contract and Protection Certification are available to companies within China for exporting PI only if the mandatory Security Assessment introduced above is not triggered. Considering the popularity of the Standard Contract, as well as the uncertainty surrounding Protection Certification, the discussion below focuses on the Standard Contract and gives only a brief overview of Protection Certification.
1. Standard Contract
Among the three mechanisms, the Standard Contract is the most welcomed and widely adopted approach among companies in China because of its simplicity, considering the uncertainty of passing the government-led Security Assessment and the difficulty and cost of being certified by an accredited institute.
The framework for the Standard Contract provided by the Draft Provisions mainly includes five parts: (1) pre-step: conducting PI protection impact assessment ("PIPIA", which is similar to DPIA under the GDPR); (2) main contents of standard contract; (3) filing requirement; (4) validity of standard contract; and (5) legal liability.
- Pre-Step: Conducting PIPIA
While a PIPIA is a prerequisite for all PI export regardless of which mechanism is chosen, as stipulated by Articles 55 and 56 of the PIPL, the Draft Provisions specify the following factors to be assessed in the PIPIA:
- the legality, legitimacy and necessity of the purpose, scope and method of the PI processing by the PI handler and the overseas recipient;
- the quantity, scope, category, and sensitivity of the PI to be exported, and the risks that PI export may bring to the PI related rights and interests;
- the responsibilities and obligations that the overseas recipient commits to undertake, and whether its management and technical measures and capabilities for fulfilling the responsibilities and obligations can ensure the security of the PI to be exported;
- the risks of leakage, damage, tampering and abuse, etc. after the cross-border transfer, and whether the channels for individuals to maintain their PI related rights and interests are smooth;
- the impact of the PI protection policies and regulations of the country or region where the overseas recipient is located on the performance of the standard contract; and
- other matters that may affect the security of PI going abroad.
Most of these assessment factors are substantially similar to the self-assessment requirements under the Measures, except for the fifth factor (the impact of the overseas recipient's local PI protection policies and regulations), for which companies exporting PI may need to obtain local counsel's opinion on whether local laws will restrict the overseas recipient from performing the standard contract.
- Main Contents of Standard Contract
The draft Standard Contract mainly includes the following contents:
- the basic information of the PI handler and the overseas recipient, such as name and contact;
- the purpose, scope, type, sensitivity, quantity, method, retention period, storage location, etc. of the PI exported;
- the responsibilities and obligations of the PI handler and the overseas recipient to protect PI, as well as the technical and management measures taken to prevent security risks that may arise from the export of PI;
- the impact of the PI protection policies and regulations of the country or region where the overseas recipient is located on compliance with the terms of the standard contract;
- the rights of PI subjects, and the ways and means to protect such rights;
- other terms such as remedy, termination, liability and dispute resolution.
In general, the Standard Contract has a large degree of similarity with the EU Standard Contractual Clauses ("EU SCCs") in terms of substantive responsibilities and obligations, including without limitation principles such as purpose limitation, transparency, minimization, security and storage limitation; documentation and audit; and protection of data subjects' rights.
However, unlike the EU SCCs, which provide four modules based on the roles of the data provider and recipient, the draft Standard Contract adopts a single fixed structure, limiting its application to scenarios where a PI handler, as the data provider, exports PI abroad. It remains to be seen whether the final version will also cover scenarios where an "entrusted party" (akin to a data processor under the GDPR) provides PI to an overseas recipient.
- Filing Requirement
As prescribed in the Draft Provisions, the PI handler (provider) should file with the local provincial-level cyberspace administration within 10 working days from the date the Standard Contract takes effect, submitting the signed Standard Contract and the PIPIA report.
Filing is therefore not a prerequisite for the export of PI, as it may be carried out after the Standard Contract takes effect. Moreover, although the Draft Provisions provide that failure to file constitutes a violation of the PIPL, the CAC may need to reconcile this requirement with the PIPL, since the PIPL itself contains no such requirement.
- Validity of Standard Contract
The Draft Provisions do not provide a specific validity period for the Standard Contract. However, PI handlers are required to sign a new Standard Contract and re-submit it where there are:
- changes to the purpose, scope, type, sensitivity, quantity, method, retention period or storage location of the exported PI, or to the purposes and methods for which the foreign recipient processes the data, or an extension of the period of overseas retention of PI;
- changes to the policies, laws or regulations on the protection of PI in the foreign recipient's jurisdiction that might impact rights and interests in PI; or
- other circumstances that may impact rights and interests in PI.
Based on the above provision, it seems that any change to the quantity of PI transferred overseas will trigger the re-submission obligation. In practice, however, much PI export is expected to occur on an ongoing basis, such as using a cloud service with a server outside China, rather than as a one-time transfer with an exact quantity of PI. Thus, it remains to be seen whether the CAC will accept a filing with an inexact volume or range of PI in this scenario.
- Legal Liability
Pursuant to the Draft Provisions, where any of the following circumstances occurs, the local provincial-level cyberspace administration shall, in accordance with the PIPL, order rectification within a time limit; order the suspension of the cross-border transfer of PI and impose penalties if the PI handler or the overseas recipient refuses to rectify or harm to PI related rights and interests is caused; or pursue criminal liability if a crime is constituted:
- failing to perform the filing procedure or submitting false materials for filing;
- failing to fulfill the responsibilities and obligations stipulated in the Standard Contract, and infringing upon the PI related rights and interests and causing damage; or
- other circumstances affecting the PI related rights and interests occur.
2. Protection Certification
As introduced above, Protection Certification refers to obtaining certification for PI protection from an accredited institute according to provisions issued by the CAC, as provided by the PIPL. However, the CAC has not yet released any such provisions. Since neither the list of accredited institutes nor the procedure for obtaining such certification has been determined, it will still take some time for this mechanism to be practically implemented in China.
Moreover, the Guidance released by TC260 is recommendatory rather than compulsory, and it provides that Protection Certification applies only to very limited scenarios, namely (1) intra-group cross-border data transfer and (2) processing of PI by overseas entities caught by the extraterritorial reach of the PIPL.
V. Practical Tips
To sum up, under the current laws in China, no PI can be freely exported except through one of three mechanisms, namely (1) Security Assessment, (2) Standard Contract, or (3) Protection Certification. The Security Assessment, under which PI export activities must be notified to and approved by the authority, is mandatory for CIIOs and for companies handling PI in quantities reaching certain thresholds; the other two mechanisms, which require no approval from the authority, are available only to companies that do not meet the Security Assessment notification criteria.
China is strengthening its regulation of PI export by setting heavy fines (up to 5% of a company's annual turnover) and enhancing enforcement (such as in the Didi Case); the implementing rule on Security Assessment will come into effect on September 1, 2022, and the draft rule on the Standard Contract has been released and will be finalized in the near future. It is therefore recommended that enterprises in China with PI export activities consult professional lawyers and conduct the PI self-assessment required by the PIPL as soon as possible, in order to evaluate whether their PI export activities have triggered the compulsory Security Assessment notification obligation or can simply be conducted through the PI export Standard Contract, and to establish a PI export compliance system accordingly.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.