Globalization and the digital economy have accelerated the international flow of data. Transmitting personal data abroad from China can be tricky to navigate – especially for companies with heavy data traffic.
Many companies transfer the personal information of individuals for daily business operations such as cross-border business or tourism, overseas Cloud storage or IT technology support, globalised employee management within multinationals, cross-border e-commerce, and so forth.
Personal data is confidential information related to privacy, personal property, and personal security. Therefore, data leakage and illegal acquisition can damage personal privacy and reputation rights. For example, leakage of bank account details and passwords can lead to the loss of property, and illegal exploitation of personal data can put personal safety at risk.
Additionally, personal information is an important social resource and crucial to economic development and social progress. Personal information within specific fields is related to national security and social stability.
Therefore, it is increasingly necessary and important to regulate the transmission of personal data and safeguard individuals' rights and national security. Below, we outline the legislation on transmitting personal data abroad from China.
Standard Contract Measures for Outbound Cross-Border Transfer of Personal Information
On February 24, 2023, the Cyberspace Administration of China issued the Standard Contract Measures for Outbound Cross-Border Transfer of Personal Information ("Standard Contract Measures"). This is the second specific provision issued by the State Internet Information Department, following the Measures for the Security Assessment of Outbound Data Transfers issued last year ("Security Assessment Measures"), and it establishes a system of multiple outbound routes for personal information protection under the Personal Information Protection Law of the People's Republic of China ("PIPL").
The Standard Contract Measures effectively complement the Security Assessment Measures, specifically in their applicable scope. Together, the provisions of the Standard Contract Measures cover the various personal information outbound scenarios.
When outbound data involves personal information, the Security Assessment Measures apply in any of the following circumstances:
- Operators of critical information infrastructure;
- Processing the personal information of 1 million people;
- Providing the personal information of 100,000 people overseas since January 1 of last year;
- Providing the sensitive personal information of 10,000 people overseas since January 1 of last year.
It is important to note that the Standard Contract Measures can still be applied outside the listed circumstances.
Multi-level Security Management System
The Standard Contract Measures and the Security Assessment Measures form a tiered regulatory system. The Security Assessment Measures apply to outbound transfers involving a large amount of personal information and high risks, whilst the Standard Contract Measures apply to outbound transfers involving a small amount of personal information and low risks. The Security Assessment Measures impose stricter regulatory requirements, such as a prior review; the Standard Contract Measures impose lower-intensity regulatory requirements, such as post-filing.
Legal and Practical Implications of the Standard Contract Measures
Identifying Non-critical Information Infrastructure Operators
Companies may question how "non-critical information infrastructure operators" are determined. According to Article 10 of the Regulations on the Security Protection of Critical Information Infrastructure: "The protection department is responsible for organizing the identification of key information infrastructure in the industry and field according to the identification rules, for timely notifying the operators of the identification results, and for notifying the public security department of the State Council."
The protection department will send a notice to the enterprise identifying it as an operator of critical information infrastructure. An enterprise can be considered a non-critical information infrastructure operator if it has not been identified as a critical information infrastructure operator by the protection department and has not received the related notice.
Processing the Personal Information of Fewer than 1 Million People
Companies should correctly understand the condition of "handling the personal information of less than 1 million people". Based on the interpretation of the legislative intent and a summary of practice, we believe that the condition is defined as follows:
- The measurement indicator of 1 million refers to 1 million personal information subjects, not 1 million personal information items;
- The calculation range of 1 million is the number of personal information subjects processed, rather than the number exported;
- If the personal information of more than 1 million people is processed, the company shall apply for a data export security assessment even if only one piece of personal information is exported.
Measuring the Condition of Providing the Personal Information of Fewer than 100,000 Individuals, or the Sensitive Personal Information of Fewer than 10,000 Individuals, Overseas Since January 1, 2022
From the perspective of textual interpretation, the condition can be understood as the period "from January 1, 2022, to February 27, 2023", assuming that February 27, 2023 is the date on which the enterprise carries out its evaluation and judgment. So, if during that period the company has provided the personal information of fewer than 100,000 people, or the sensitive personal information of fewer than 10,000 people, overseas, it meets this condition and can conduct personal information outbound activities by signing the "Standard Contract".
In practice, we suggest that companies should estimate the complete amount of cross-border personal information for two years. The estimate should be based on the actual situation of previous business operations.
Also, companies should estimate whether the obligation to declare data outbound security assessment is triggered before the following actions are conducted:
- fulfilling the obligation to declare data outbound security assessment; and
- signing the "Standard Contract" in accordance with legal provisions.
These two recommendations should support the continued and stable development of business operations, and should prevent companies from being required to terminate outbound data transfers due to non-compliance.
When companies reach the magnitude of data outbound security assessment declaration, the related materials should be prepared in advance. This should ensure the smooth and orderly progress of business.
Conducting the Impact Assessment
Article 5 of the Standard Contract Measures stipulates the key content of the personal information protection impact assessment that must be conducted before personal information is transferred abroad.
It is important to note that Article 5 implements, and further clarifies, Articles 55 and 56 of the PIPL.
In comparison to the PIPL, the personal information protection impact assessment under the Standard Contract Measures includes more detailed content.
PIPL, Article 56
Under Article 56 of PIPL, the following content shall be included:
- Whether the purpose, method or any other aspect of the processing of personal information is lawful, legitimate and necessary;
- The impact on personal rights and interests and level of risk; and
- Whether any security protection measure taken is lawful, effective and commensurate with the level of risk.
Standard Contract Measures, Article 5
Article 5 of the Standard Contract Measures further clarifies the details as follows:
Article 5: Before providing any personal information to an overseas recipient, a personal information processor shall conduct a personal information protection impact assessment focused on the following matters:
- The legality, legitimacy, and necessity of the purpose, scope, and method of the personal information processing by the personal information processor and the overseas recipient;
- The quantity, scope, type, and sensitivity of personal information to be transferred overseas, and the risk that the outbound cross-border transfer may pose to personal information rights and interests;
- The responsibilities and obligations that the overseas recipient undertakes to assume, and whether the management and technical measures and capabilities of the overseas recipient to perform such responsibilities and obligations are sufficient to ensure the security of personal information to be transferred;
- The risk of the personal information being tampered with, sabotaged, disclosed, lost, or illegally used after it is transferred overseas, and whether there is a smooth channel for protecting the rights and interests in the personal information;
- The impact of personal information protection policies and regulations in the country or region where the overseas recipient is located on the performance of the Standard Contract; and
- Other matters that may affect the security of personal information to be transferred overseas.
Companies transmitting personal data abroad from China should already have implemented internal measures. Since the Cyber Security Law adopted on 1 June 2017, cyber and data security legislation has rapidly developed into a sophisticated and heavily regulated framework. Therefore, companies should maintain strict data governance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.