A Quick Recap on China Data Transfers: the current regulations

As the law stands, organizations are required to obtain data subjects’ “separate consent” to transfers of personal data from mainland China and do one of the following:

(i) complete a security assessment by the CAC;

(ii) obtain a certification by a third party professional institution; or

(iii) enter into standard contractual clauses (“SCCs”) with the offshore data recipient and file these terms with a personal information privacy assessment impact (“PIPIA”) report

((i) to (iii) referred to as “Data Transfer Review” in this briefing).

Security assessments apply to data transfers undertaken by “operators of critical information infrastructure”, by organizations handling the personal information of more than one million individuals, by organizations that, since 1 January of the preceding year, have cumulatively transferred the personal information of more than 100,000 individuals or the sensitive personal information of more than 10,000 individuals and by organizations transferring “important data” (a concept explained in more detail below).  Organizations that do not meet any of these threshold qualifications or volumes are required to complete one of the other two Data Transfer Reviews in respect of personal data transfers: i.e., either obtain certification by a third party professional institution or enter into SCCs with offshore recipients.

It is fair to say that China’s cross-border data transfer regime has been challenging for businesses (foreign multi-nationals and Chinese organizations alike).  The security assessment procedure has been detailed and intensive and has resulted in applicants being asked to provide sensitive information about offshore data handling infrastructure.  Expectations that the SCC route to compliance would be easier (given the lower data volumes involved) were dashed when the guidelines for completing and filing the SCCs and PIPIA report were published, with the PIPIA requirements, on their face, being as demanding as the security assessment.

It seems likely that the Draft Provisions are a reaction to the difficulties reported by organizations seeking to comply with the Data Transfer Review.

Exemptions to Data Transfer Review for Personal Data

The Draft Provisions propose a number of exemptions to Data Transfer Review that could prove to be beneficial to businesses.  Transfers of the following would be exempt:

1. data relating to activities such as international trade, academic cooperation, cross-border manufacturing and marketing which does not contain personal data or important data;

2. personal data not collected within mainland China subsequently transferred offshore (most likely addressing situations in which China-based shared services operations and outsourcing arrangements process data originating from outside mainland China);

3. personal data collected under one of the exemptions to the consent requirement under the Personal Information Protection Law (“PIPL”), specifically:

   1. Contractual Necessity: where it is necessary to provide personal data overseas for the conclusion or performance of a contract to which the data subject is an interested party, such as cross-border e-commerce, cross-border remittances, air tickets, hotel reservations and visa processing;

   2. Human Resources Management: where it is necessary to transfer employees’ personal data overseas to carry out human resources management in accordance with labour rules, policies and contracts formulated in accordance with the law; or

   3. Vital Interests and Emergencies: where it is necessary to transfer personal data overseas in order to protect individuals’ life, health or security of property; and

4. organizations expecting to export the personal data of less than 10,000 individuals within a one year period.

The Draft Provisions provide a partial exemption for organizations that, within a one year period, expect to transfer personal data of more than 100,000 data subjects but less than 1 million.  In these cases, Data Transfer Review would be satisfied by the filing of executed SCCs with the provincial level CAC or third party certification, without the need to complete a security assessment.

Clarification in Relation to Important Data

China’s Cyber Security Law (“CSL”) and Data Security Law (“DSL”) established rules in respect of “important data”, a category of data which is generally separate to personal data.  At a high level, important data is data that, if leaked, could directly affect national security, economic security, social stability or public health and safety, such as unpublished government information, large scale population data, geographic data or data relating to natural resources.  Organizations seeking to transfer important data abroad are required to complete a security assessment.  The practical challenge has been that important data is not sufficiently defined to enable businesses to understand what types of data trigger the security assessment requirement.

The DSL provides for a framework for industry regulators to prepare catalogues of important data for their industries, bringing precision to the concept.  In a move that many organizations will welcome, the Draft Provisions state that unless industry regulators or other officials have published or notified industry participants of a classification of a particular type of data as important data, the security assessment procedure will not apply to cross-border transfers of that data.

Free Trade Zones’ Negative Data List

The Draft Provisions propose that Free Trade Zones (“FTZs”) can, with the approval of the provincial CAC, formulate their own “negative data lists” stipulating the types of data subject to the Data Transfer Review.  Data that is not on the negative list would be exempt from the Data Transfer Review, indicating that FTZs may have more relaxed rules for cross-border data transfers than will generally be the case. 

Implications for China Compliance Programs

The reforms proposed under the Draft Provisions will be welcomed by international businesses, particularly those which have been struggling with Data Transfer Review these past few months.

However, the drafting does raise questions as to the precise scope of the exemptions, including:

1. What will happen to security assessments and SCC filings already in progress?  Presumably these will simply be halted, but the Draft Provisions do not state when they would take effect and what the implications are for pending processes.

2. The CAC has not yet issued detailed guidance in key areas such as the scope of contractual necessity and the scope of data processing for lawful human resources management. The examples given in relation to the former are helpful, but greater clarity in these areas would be helpful.

3. For organizations falling within the scope of the 100,000 to 1 million expected data subject transfers per year, will the SCC filing include the PIPIA filing? If this is so, then clarification as to the CAC’s expectations as to PIPIA reports would be helpful, because the published template is based heavily on the security assessment report template, meaning that the relaxation of requirements may be more apparent than real.

It is also important to understand that data transferred from China will still be subject to compliance with the requirements under the PIPL, even if the cross-border transfer restrictions are relaxed.  In short, organizations still need to formulate privacy policies notifying data subjects of the cross-border transfer and obtain their separate consent if the data is collected based on consent; conduct a PIPIA related to the cross-border data transfer; and formulate internal policies such as data protection management policy and procedures, data subject rights policy, incident response policies and data retention policies.