China to start implementing restrictions on cross-border transfers of personal information

In short

The situation: China has issued new regulations and guidelines to clarify the procedural requirements companies must meet for cross-border transfer of personal information under the Personal Information Protection Law (“PIPL”).

The problems: Regulations and directives set out different requirements for different types of personal information handlers (“PI Handlers”), which mainly depend on the amount and characteristics of the personal data transferred.

Look forward: Companies operating in China should assess their transfer practices, identify the procedural requirements applicable to these practices, and immediately begin developing strategies to meet these requirements.

China recently released several new regulations and guidelines to clarify procedural requirements for complying with PIPL provisions governing the cross-border transfer of personal information (“PI”).

The PIPL provides that before transferring PIs out of China, PI Handlers must meet one of the following procedural requirements:

  • Pass a security assessment (“Assessment”);
  • Undergo a personal information protection certification (“Certification”);
  • Conclude Standard Contractual Agreements (“SCC”) with the foreign recipient; Where
  • Meet other conditions provided by laws, regulations or by competent authorities.

Recently, PRC authorities released new regulations and draft regulations clarifying how PI Handlers can meet assessment, certification, and SCC requirements, including:

  • Measures on State Security Assessment of Cross-Border Data Transfer (the “Assessment Measures”), issued July 7, 2022 and effective September 1, 2022
  • Proposed CSC Regulations for the Export of IP (the “Proposed CSC Regulations”) and Examples of CSCs, published June 30, 2022; and
  • Practical Guide to Cybersecurity Standards — Technical Guidelines on Certification for Cross-Border Processing of IP (the “Practical Guide”), published and effective June 24, 2022.

Security assessment

Under the Assessment Metrics, an assessment is mandatory if an IP manager: (i) intends to transfer material data (i.e. data that may have an impact on national security or the public interest of China); (ii) is an operator of critical information infrastructures and processes the IPs of more than one million people; or (iii) since January 1 of the previous year (i.e. the relevant period will be between 12 and 24 months), cumulatively transferred out of China the IP of 100,000 people or the sensitive IP of 10,000 people.

Getting an appraisal can be a long process. The Cyberspace Administration of China (“CAC”) will usually complete the assessment within 45 working days of official acceptance, but has the option to extend it without limitation in complex cases. There is a six-month grace period after the effective date of September 1, 2022 for companies to come into compliance and apply for a security assessment. This includes companies that transferred data before the effective date of the assessment measures whose data transfers meet the mandatory requirements. Businesses should therefore immediately assess whether their cross-border transfers will require an assessment.

Certification requirement

If an assessment is not required, the PI Handler can choose between two simpler procedures to comply with the cross-border transfer provisions of the PIPL – certification or the use of SCCs – both of which are subject to some level of control governmental.

The PIPL provides that PI Handlers who wish to transfer PI using the certification requirement must obtain such certification from a specialized institution recognized by the CAC prior to the transfer. According to the Practical Guide, the Certification applies to: (i) cross-border processing of data between multinational companies or subsidiaries or affiliates of the same business entity; and (ii) the IP processing activities described in Article 3.2 of the PIPL, i.e. the processing of IP of natural persons outside the country for the purposes of analysis and evaluation of the behavior of natural persons in the country. In addition, the Practice Guide provides that, to obtain certification, PI Handlers and foreign recipients must enter legally binding and enforceable documentation to ensure that the rights and interests of PI subjects are fully protected.

The Practical Guide provides what should generally be included in such legal documentation and does not provide specific details, thus leaving IP managers and foreign recipients the discretion to define the rights and obligations of each party for the cross-border transfer. of IPs.

Use of standard contractual clauses

Although the draft SCC regulations and examples of SCCs have not been finalized, companies should consider whether they wish to use SCCs. According to the Draft SCC Regulations, IP managers who enter into SCCs must file the signed SCCs with the competent authorities of the PRC (filing may take place after the transfer of IP), after which their implementation of the SCCs will be monitored. . This may include responding to requests from authorities and cooperating with inspections by authorities on the performance of obligations under the CCAPs. Additional obligations under the SCCs include the obligation to notify the PI Handler and PRC authorities of a data breach, and to keep records of PI processing activities for at least three years. Parties to SCCs should also accept Chinese law as the law governing the SCCs and agree to bring all claims arising from the SCCs in a court of competent jurisdiction in the PRC.

In extreme cases, the PRC authorities may suspend the transfer of PI if the PI Handler does not comply with the terms of the SCCs. In addition, while PI Handlers and foreign recipients can supplement SCCs, the draft SCC Rules provide that parties may not conclude any clause contrary to SCCs.

Differences and similarities with EU GDPR SCCs

Unlike the Standard Contractual Clauses for Cross-Border Transfer of IP under the General Data Protection Regulation (“GDPR Standard Contractual Clauses”), which follow a modular approach and are designed to provide safeguards for transfers of IP to third countries (outside the European Economic Area) in four different transfer scenarios (controller to controller, controller to processor, processor to processor and processor to controller), the obligations set forth in the CCAPs apply equally to all forms of transfer between PI Handlers in China and corresponding overseas recipients. There are, however, some similarities between the SCCs and the standard contractual clauses of the GDPR, such as: (i) providing for third party beneficiary rights of IP subjects; (ii) provide a guarantee that the parties have carried out an assessment of the impact of the transfer; (iii) protect the Processing of IP by taking effective technical and managerial measures to ensure the security of IP; (iv) enable audits by the PI Handler; and (v) accept joint and several liability for claims brought by IP Subjects.

Three takeaways

  1. Map and review planned and past cross-border data transfers against the requirements of the assessment metrics, certification guidelines, and proposed SCC regulations to understand any gaps in compliance with data transfer requirements.
  2. Identify the appropriate cross-border data transfer mechanism taking into account the mode of activity, the type and volume of IP involved as well as the destination countries.
  3. Begin immediate implementation of the selected data transfer mechanism and ensure a consistent approach to the extent possible (e.g. description of data transfers under SCCs) in light of overall data protection and data security compliance, and document implementation for accountability purposes.