China – At-a-glance summary of the new data transfer regime
China’s Personal Information Protection Law (“PIPL”) has been in force for a little over one year. In that time, China has been busily firming up the cross-border data transfer regime under the PIPL and its other major data laws – i.e. the Cybersecurity Law and the Data Security Law.
In this article, we look at the latest developments and outline the key implications for organisations doing business in, or having associations with, China.
Three main options
With the launch of the PIPL, organisations have three main mechanisms to legitimise transfers of personal information from mainland China to overseas:
- Passing a government-led security assessment.
- Concluding a standard contract with the overseas recipient.
- Obtaining a personal information protection certification issued by a specialised institution.
Businesses may also be able to transfer data by fulfilling other conditions provided in laws or administrative regulations or by the Cyberspace Administration of China (“CAC”). However, details of these alternatives are yet to be made available.
Beyond personal information, certain regulated entities (e.g. critical information infrastructure operators (“CIIO”)) and certain regulated data (e.g. important data, core data or other types of data subject to industrial restrictions) are also subject to stringent cross-border transfer restrictions under China’s trifecta of data laws.
In more detail
Details of the three options are set out in the summary table below with full details in the attached table here.
| Security assessment | Standard contract | Certification | |
| Implementation timeline | September 2022 | TBC | November 2022 |
| Scope of application | Mandatorily applies to transfers of: (a) “important data”; (b) large volumes of personal data; and (c) other transfers specified by the CAC | Cross-border transfers of personal information that are not subject to a mandatory security assessment | Cross-border transfers of personal information that are not subject to a mandatory security assessment |
| Key requirements |
Data handler must: - conduct an internal data export risk assessment; and - submit an application for a CAC-led security assessment |
Personal information handler must: - conduct a personal information protection impact assessment (“PIPIA”); and - enter into a standard contract with the offshore recipient |
Personal information handler and the offshore recipient must: - enter into a legally binding agreement; - appoint personal information protection officers and bodies; - specify transfer rules; and - safeguard individuals
|
| Approval/filing requirements | An application must be submitted to the CAC | A filing must be made to the CAC | Certification application requires approval by a certification institution |
| Term of validity | Two years | N/A | Three years |
How to choose an appropriate transfer mechanism
Security assessment: not a real choice – If your envisaged data transfers are subject to one of the triggering conditions set out in Data Export Security Assessment Measures (“Assessment Measures”) (see here), you do not actually have a choice. A security assessment will mandatorily apply to your data export activities.
In practice, this mechanism tends to be most relevant to an organisation that has received a notification from its industry regulator that it has been identified as a CIIO, or to an organisation that is processing “important data” or processes or exports a large amount of personal information so as to surpass one of the quantitative thresholds. While the numbers are high, given the size of the Chinese population, business-to-consumer (or “B2C”) business can easily be in-scope.
One of the difficulties in determining whether a security assessment is mandatory is that the nature of “important data” currently remains both vague and broad. This typically leads to uncertainty among legal and compliance teams as to whether the data processed by their organisation should or would be identified as a type of “important data”.
The security assessment process is burdensome and can take months, including up to 45 days (or even longer) after acceptance of an application. Businesses that are likely to trigger a security assessment should carefully review their data flows, determine their positions and plan well in advance when new projects and other business initiatives involve a cross-border data transfer.
The deadline for applications relating to data exports that have continued since 1 September 2022 is fast approaching on 1 March of this year.
Standard contract: business friendly? Standard contracts are expected to be the most business-friendly and commonly used method for personal information exports from China. Multinational organisations that are already complying with the EU’s GDPR and exporting personal information from the EU using that regime’s “SCCs” will likely welcome the proposed alignment of these terms with those of the draft standard contract released by the CAC.
That said, some additional obligations imposed under the draft standard contract on an offshore recipient (such as submission to the PRC regulators’ oversight) may make some offshore recipients hesitant. We understand the CAC is carefully working through feedback from the market, so it remains to be seen how the draft standard contract will be reformulated on its next iteration which we predict for the first half of 2023.
Certification mechanism: a balanced approach? The certification mechanism seems to provide the most balanced approach among the three transfer methods under the PIPL in terms of efficiency and cost. Businesses may wish to closely monitor the development of this mechanism, especially for multinational organisations that have a considerable China presence but do not trigger the mandatory security Assessment Measures.
Although the Chinese authorities pushed the general certification regime forward at the end of 2022, it may take some time for this regime to be fully operational. The release of a new national standard and the designation of certification institutions are not complete and may not be a priority for the CAC as it focuses on the pending deadline for initial security assessments.
What else to consider?
Choosing an applicable mechanism is only part of the solution. The PIPL applies additional requirements for personal information exports, such as the obligation to obtain consent from data subjects (where applicable) and to provide detailed information in advance of exports (to a level that few businesses seem able or comfortable to comply with).
In addition, organisations must also consider industry-specific obligations. For example, cross-border transfers of client identification and transaction information collected during a financial institution’s AML/CTF processes are prohibited under some financial industry rules.
Similarly, a set of trial measures that took effect in the industry and information technology sectors from 1 January 2023 require “important data” and “core data” collected and generated by domestic providers to be stored within China and exported only following completion of a security assessment such as that outlined above.
Conclusions
The Chinese authorities are pushing implementation of these transfer regimes forward, and the regulatory sanctions for cyber and data non-compliance are increasing. Businesses in the Chinese market that have not completed comprehensive data protection reviews and determined which data transfer mechanisms they will rely on, should immediately make this a new year’s resolution.
