Cross-border transfer of personal information (hereinafter referred to as "PI"[2], and the cross-border transfer of PI as "PI export") is a daily occurrence and a business necessity for many companies operating in China, especially for multinational companies and for domestic companies using ERP software provided by foreign operators with servers located abroad. With the continuous release of supporting rules under the Personal Information Protection Law ("PIPL") restricting PI export from China, PI export compliance is attracting increasing attention.

This series consists of four articles. The first article will introduce the development and framework of China's restrictions on PI export, and the next three articles will respectively introduce the three PI export mechanisms provided by the PIPL in detail, namely the compulsory notification mechanism (Security Assessment) and two self-management mechanisms (Standard Contract & Certification).

This is the first of the four articles and reviews the development and framework of China's restrictions on the cross-border transfer of personal information.

I. Development of China's Restrictions on PI Export

As early as more than a decade ago, China already had regulations restricting PI export. The relevant development can be roughly divided into three stages.

Before June 2017

Before the promulgation of the Cybersecurity Law, China's restrictions on PI export were scattered across various industry regulations, such as the Notice of the People's Bank of China for Banking Financial Institutes to Perfect the Personal Financial Information Protection Work (2011) (《中国人民银行关于银行业金融机构做好个人金融信息保护工作的通知(2011)》 in Chinese).

June 2017 - November 2021

On June 1, 2017, the Cybersecurity Law came into effect. It provides that Critical Information Infrastructure Operators ("CIIOs"), a limited group of companies in key sectors proactively identified by the Chinese authorities, must pass a security assessment organized by the Cyberspace Administration of China ("CAC"), the central internet regulator in China, before exporting PI. This was the first time that legislation imposed restrictions on PI export, although its scope of application was limited to certain critical companies.

After November 2021

On November 1, 2021, the PIPL took effect. As the fundamental law in the field of PI protection in China, the PIPL imposes restrictions, although to varying degrees, on the PI export activities of all companies within China. Since then, no PI can be exported except through one of three mechanisms, namely: (1) Security Assessment, (2) Standard Contract, or (3) Certification (the definitions are explained below).

To support the implementation of the three mechanisms respectively, the CAC as well as the National Information Security Standardization Technical Committee ("TC260") released a series of rules listed in the table below.

| Mechanism | Name of Implementing Rules | Issuing Authority | Effective Date |
|---|---|---|---|
| 1. Security Assessment | Security Assessment Measures for Data Export (《数据出境安全评估办法》 in Chinese, "Security Assessment Measures") | CAC | Sep 1, 2022 |
| 1. Security Assessment | Notification Guideline for Security Assessment of Data Export (First Edition) (《数据出境安全评估申报指南(第一版)》 in Chinese, "Security Assessment Guideline") | CAC | Sep 1, 2022 |
| 2. Standard Contract | Measures for Standard Contract of Cross-border Transfer of Personal Information (《个人信息出境标准合同办法》 in Chinese, "SCC Measures"), with the Standard Contract for Cross-border Transfer of Personal Information ("SCC") as its annex | CAC | June 1, 2023 (released on Feb 24, 2023) |
| 3. Certification | Implementing Rules for the Certification of Personal Information Protection (《个人信息保护认证实施规则》 in Chinese, "Certification Rules") | CAC | Nov 4, 2022 |
| 3. Certification | Cyber Security Standard Practical Guidance–Security Certification Specifications on Cross-border Transfer of Personal Information V2.0 (《网络安全标准实践指南—个人信息跨境处理活动安全认证规范V2.0》 in Chinese, "Certification Specifications") | TC260 | Dec 16, 2022 |
| 3. Certification | Information Security Technology-Certification Requirements for Cross-border Transmission of Personal Information (Draft for Comments) (《信息安全技术 个人信息跨境传输认证要求(征求意见稿)》 in Chinese, "Certification Requirements (Draft)") | TC260 | Mar 16, 2023 |

So far, the Security Assessment has been in practical operation for more than 6 months, the official Chinese SCC has recently been released and will come into force on June 1, 2023, and the Certification mechanism may soon be implemented in practice on a large scale.

II. Overview of the Three PI Export Mechanisms Provided by the PIPL

According to the Security Assessment Guideline, PI export refers to the provision of PI collected and generated in mainland China to countries and regions outside mainland China (including Hong Kong, Macao and Taiwan). In addition to the electronic and physical transfer of PI, granting overseas recipients access to, retrieval of, or download of such data also constitutes PI export.

The PIPL has provided three mechanisms for companies within China to export PI, namely Security Assessment, Standard Contract and Certification. The definitions are as follows:

  • Security Assessment refers to passing the security assessment organized by the CAC;
  • Standard Contract refers to concluding a standard contract as formulated by the CAC with the overseas recipient;
  • Certification refers to obtaining certification for PI protection from an accredited agency according to provisions by the CAC.

The main difference between the Security Assessment and the other two mechanisms is that the Security Assessment, under which PI export activities must be notified to and approved by the authority, is mandatory for CIIOs and for PI handlers[3] handling PI in amounts that reach the thresholds set by the CAC, while the other two mechanisms, which require no approval from the authority, are available only to PI handlers that do not meet the Security Assessment notification criteria, as shown below.

[Figure not reproduced]

It should be noted that, regardless of which mechanism is chosen, the PIPL requires an additional PI protection impact assessment ("PIPIA") to be conducted in advance, and the PIPIA report must be retained for at least 3 years. The PIPIA assesses the following aspects:

  • whether the purpose and method of handling PI are lawful, legitimate, and necessary;
  • impact on personal rights and interests and security risks; and
  • whether the protection measures taken are lawful, effective and commensurate with the degree of risks.

III. Practical Implications

Considering that China is strengthening its regulation of PI export by setting heavy fines (up to 5% of a company's annual turnover) and stepping up enforcement (such as the Didi Case[4]), companies in China with PI export activities should consult professional local lawyers and conduct the self-assessment required by the PIPL as soon as possible, to evaluate whether their PI export activities trigger the compulsory notification obligation, and then adopt the notification, Certification or Standard Contract approach accordingly.

Moreover, since the PI protection system in China is a newly established and distinct regime whose detailed compliance requirements differ considerably from those of other jurisdictions, including the EU, it is time for companies in China, especially MNCs, to establish tailored compliance systems from the PIPL compliance perspective.

Footnotes

[1] Jet Deng is a senior partner of Dentons based in the Beijing office, and Ken Dai is a partner of Dentons based in the Shanghai office. They can be reached via zhisong.deng@dentons.cn and jianmin.dai@dentons.cn respectively.

[2] Under the PIPL, PI is defined as any kind of information, recorded electronically or otherwise, related to an identified or identifiable natural person within the PRC, excluding anonymized information that cannot be used to identify a specific natural person and cannot be reversed after anonymization.

[3] Under the PIPL, PI handlers refer to organizations and individuals that autonomously determine the purposes of personal information processing activities, similar to data controllers under the GDPR.

[4] On July 21, 2022, the Chinese ride-hailing giant DiDi Chuxing was fined RMB 8 billion (USD 1.2 billion) by the CAC for violations of the Cybersecurity Law, the Data Security Law and the PIPL. The details of this case can be found here: https://digichina.stanford.edu/work/translation-chinese-authorities-announce-2b-fine-in-didi-case-describe-despicable-data-abuses/.
