China's Cross-Border Data Transfer Rules Explained
Published 21 July 2023
Sarah Xuan
As the global digital economy continues to grow, data has become an increasingly important factor of production in economic development, industrial production and daily life, and both the security of data flows and of data processing activities have received great attention. Countries around the world have introduced laws and regulations on cross-border data flow, which provide important safeguards for protecting personal information, curbing the cross-border security risks of enterprise data and promoting the healthy development of the digital economy. China has also actively improved its laws and regulations on data security protection and cross-border data flow in recent years, gradually expanding legislative coverage to form a more complete legal system for data security protection, personal information protection and cross-border data transfer. The Cybersecurity Law, the Data Security Law and the Personal Information Protection Law all contain provisions on cross-border data flow and together build a basic management system that promotes the free, orderly and efficient flow of data under secure conditions. The Measures for the Security Assessment of Outbound Data Transfer released in July 2022 set out comprehensive and systematic requirements and provided specific legal solutions for the security review and assessment of outbound personal information and important data from China.
For the cross-border data transfer of personal information, there are three main paths under Article 38 of the Personal Information Protection Law:
1) Pass the security assessment organized by the cyberspace administration department (refer to the relevant provisions of the Measures for the Security Assessment of Outbound Data Transfer and the Guidelines for Application of Data Exit Security Evaluation (1st Edition) released in August 2022);
2) Pass the personal information protection certification (refer to the relevant regulations and requirements under the Implementation of Personal Information Protection Certification released in November 2022, GB/T 35273-2020 Information security technology-Personal information (PI) security specification, and TC260-PG-20222A Technical Specification for Certification of Personal Information Cross-Border Processing Activities);
3) Enter into a contract with the overseas recipient in accordance with the standard contract established by the cyberspace administration department, agreeing on the rights and obligations of both parties. This method is generally applicable to smaller-scale transfers of personal information.
The above three paths basically cover all types of cross-border data transfer of personal information, including:
1) a personal information processor transmits or stores overseas the personal information collected and generated in its domestic operations, for example, a foreign insurance company transmits or stores the personal information of customers involved in its Chinese business to its foreign headquarters;
2) personal information collected and generated by a personal information processor is stored within the territory of China, but overseas institutions, organizations or individuals can access, retrieve, download or export it, for example, a partner or HR staff member of a foreign company accessing and retrieving the personal information of the employees of its Chinese office;
3) other cross-border data transfer of personal information acts as stipulated by the cyberspace administration department.
For the implementation of cross-border data transfer of personal information by entering into standard contracts with overseas recipients, in February 2023 the Cyberspace Administration of China (“CAC”) released the Measures on the Outbound Standard Contract for Personal Information (“Standard Contract Measures”) and the Outbound Standard Contract for Personal Information (“Standard Contract”), which came into effect on 1 June 2023. In addition, to guide and assist personal information processors in the standardized and orderly filing of the Outbound Standard Contract for Personal Information, the CAC issued the Guide for the Filing of Outbound Standard Contract for Personal Information (1st Edition) (“Filing Guide”) on 30 May 2023. The Filing Guide explains the specific requirements for the filing method, filing process and filing materials for personal information outbound standard contracts.
In this article, we explain the Measures on the Outbound Standard Contract for Personal Information and the Guide for the Filing of Outbound Standard Contract for Personal Information (1st Edition) from four aspects: before signing the standard contract, the process of signing the standard contract, after signing the standard contract, and related issues in practice with examples of application scenarios.
1. Before signing a standard contract
1) Clarify whether the cross-border data transfer of personal information is applicable to the approach of entering into standard contract with overseas recipient
According to the Standard Contract Measures, if any of the following circumstances applies, the personal information processor must carry out the cross-border data transfer of personal information through the security assessment organized by the cyberspace administration department and cannot adopt the approach of entering into a standard contract:
a) the personal information processor is a critical information infrastructure operator;
b) it processes the personal information of one million individuals;
c) it has cumulatively transferred abroad the personal information of 100,000 individuals since January 1 of the previous year;
d) it has cumulatively transferred abroad the sensitive personal information of 10,000 individuals since January 1 of the previous year;
e) other situations that require security assessment as stipulated by the CAC.
Whether a personal information processor can use the standard contract method for the cross-border data transfer of personal information therefore depends on the nature of the enterprise itself and the quantity and type of personal information transferred abroad, among other factors. In addition, Article 4 of the Standard Contract Measures clearly stipulates that personal information processors may not use quantity splitting or other means to reduce the amount of outbound personal information in order to circumvent the security assessment.
2) Comprehensively sort out and organize the outbound personal information situation
Before entering into a contract, the personal information processor shall sort out the cross-border data transfer of personal information, including the category of personal information subjects; the purpose, scope, method and scale of the export; the type of personal information; the overseas recipient; the method of transmission; the period and place of retention after transfer; whether the overseas recipient subcontracts or retransmits the data; and other related matters, so as to assess in advance whether it is legal and appropriate to use the standard contract method for the cross-border data transfer of personal information.
3) Personal information processors shall conduct a personal information protection impact assessment (“PIPIA”)
According to the Standard Contract Measures, personal information processors should complete a PIPIA before entering into a standard contract, and the PIPIA report is also one of the materials required for filing. In addition, the Standard Contract Measures require that the PIPIA be completed within three months prior to the date of filing and that no significant changes have occurred up to the date of filing.
The PIPIA is the key and most difficult step of the entire contract filing process. In general, personal information processors refer mainly to the guidelines and standards in Information Security Technology: Security Impact Assessment Guide of Personal Information and Information Security Technology: Personal Information Security Specification to carry out the assessment, examining whether the purpose and methods of personal information processing are legal, legitimate and necessary, and whether the measures taken to protect the rights and interests of individuals are legal, effective and commensurate with the security risks.
In addition, the Standard Contract Measures also make relevant provisions for the PIPIA. Beyond assessing the legality, legitimacy and necessity of the purpose, scope and manner of personal information processing, the personal information processor and the overseas recipient should also focus on the following:
a) the scale, scope, type and sensitivity of the personal information transferred abroad, and the risks that the transfer may pose to personal information rights and interests;
b) the obligations that the overseas recipient undertakes to assume, the management and technical measures for fulfilling them, and its ability to safeguard the security of the personal information transferred abroad;
c) the risk of the personal information being tampered with, destroyed, leaked, lost or illegally used after leaving China, and whether the channels for safeguarding personal information rights and interests remain open;
d) the impact of the personal information protection policies and regulations of the overseas recipient's country or region on the performance of the standard contract;
e) other matters that may affect the security of the personal information.
Further, Annexure 5 of the Filing Guide is a template PIPIA report. The template requires the report to include the following main sections:
a) a brief description of the assessment work;
b) the overall situation of the outbound activities, including the basic situation of the personal information processor, the business and information systems involved in the outbound transfer, the personal information to be transferred, the personal information protection capability of the personal information processor, the situation of the overseas recipient, and other matters the personal information processor considers necessary to explain;
c) the impact assessment of the proposed outbound activities;
d) the conclusion of the impact assessment of the outbound activities.
The personal information processor shall use the template PIPIA report to complete the assessment in conjunction with the PIPIA requirements of the Standard Contract Measures.
2. Signing of the standard contract
The main contents of the Standard Contract include the definitions and basic elements of the contract; the obligations of the personal information processor and the overseas recipient; the impact of the personal information protection policies and regulations of the overseas recipient's country or region on the performance of the contract; the rights of personal information subjects and related remedies; and the termination of the contract, liability for breach of contract, dispute resolution and other matters. Two appendices are also provided: the description of the cross-border data transfer of personal information, and other terms agreed by the parties. In addition, the following highlights of the Standard Contract are worth noting:
1) Non-conflict nature of the contract
The Standard Contract Measures stipulate that a standard contract shall be signed strictly in accordance with the Standard Contract clauses, and that a personal information processor may agree with the overseas recipient on other terms provided they do not conflict with the standard contract clauses.
2) Third-party beneficiary mechanism and the rights of the subject of personal information
The Standard Contract Measures give the personal information subject the status of “third party beneficiary”, highlighting the protection of personal information subjects and their personal information. The specific rights of the personal information subject include:
a) the personal information processor grants the personal information subject the right to become a “third party beneficiary” by fulfilling the obligation to inform under Article 2(d) of the standard contract template;
b) the personal information processor and/or the overseas recipient shall agree in the standard contract template on the terms of both parties' obligations to the personal information subject (e.g. Article 3) and the rights of the personal information subject (Article 5);
c) Article 6(3) of the standard contract template specifies the path by which the personal information subject can enforce his or her rights as a “third-party beneficiary” through litigation or by filing a complaint with the supervisory authority;
d) any party that violates the rights of the personal information subject through a breach of the standard contract shall bear civil liability to the personal information subject. If both parties are jointly and severally liable under the law, the personal information subject has the right to request that either or both parties be held liable.
3) Six-month rectification period
According to Article 13 of the Standard Contract Measures, for cross-border data transfer of personal information activities carried out before the implementation of the Standard Contract Measures that do not comply with the Measures, the personal information processor shall complete rectification within six months (i.e. by November 30, 2023) from the date of implementation of the Standard Contract Measures (i.e. 1 June 2023).
3. After the standard contract is signed
According to the Filing Guide, the personal information processor shall submit a filing to the cyberspace administration department within 10 working days from the date the standard contract is signed and takes effect.
1) Required Materials for Standard Contract Filing
The Filing Guide specifies that the standard contract filing materials include the following documents:
a) a copy of the unified social credit code document;
b) a copy of the identity document of the legal representative;
c) a copy of the identity document of the person in charge;
d) a power of attorney for the operator;
e) the letter of commitment;
f) the standard contract;
g) the PIPIA report.
Annexure 1 of the Filing Guide provides corresponding templates for the above materials (d)-(g), and personal information processors need to prepare these materials based on the templates.
2) Submission of Standard Contract Filing
After preparing the corresponding materials, the personal information processor shall, according to the Filing Guide, file with the provincial cyberspace administration department within 10 working days from the effective date of the standard contract by delivering written materials together with electronic copies. The entire filing process includes material submission, material inspection and feedback on the filing result, supplementary or re-filing, and other steps.
In addition, according to the Beijing Municipal Personal Information Outbound Standard Contract Filing Guide (“Beijing Filing Guide”) issued by the Beijing cyberspace administration department on 2 June 2023, the Beijing cyberspace administration department currently requires the personal information processor to organize the electronic version of the materials in the order prescribed in the Filing Guide and submit them to the email address dedicated to receiving filing materials (sjcj@bjwxb.beijing.gov.cn); the paper version of the materials may be submitted only after the electronic version has been checked and approved. Drawing on experience with data outbound security assessments, local cyberspace administration departments may have their own filing channels and material submission requirements, and it is necessary to follow the filing requirements of the relevant local cyberspace administration department.
3) Review and Results of the Standard Contract Filing
According to the Filing Guide, after receiving the materials the local cyberspace administration department will complete its review within 15 working days and notify the personal information processor of the filing result. The result is either a pass or a fail. If the filing passes, the local cyberspace administration department issues a record number to the personal information processor. If it fails, the personal information processor receives a notice of unsuccessful filing stating the reasons, and if it is required to supplement and improve the materials, it must do so and resubmit within 10 working days; in other words, after a failed filing, only 10 working days from receipt of the notice of unsuccessful filing are available to supplement the materials.
4) Supplementary or re-filing of the record
After the filing of the Standard Contract is completed, if any of the following circumstances occurs, the enterprise shall re-conduct the PIPIA, supplement or re-conclude the Standard Contract, and file it with the local cyberspace administration department:
a) changes in the purpose, scope, type, sensitivity, manner or storage location of the cross-border data transfer of personal information, or in the overseas recipient's use or manner of processing the personal information, or an extension of the period of the cross-border data transfer of personal information;
b) changes in the personal information protection policies and regulations of the overseas recipient's country or region that may affect personal information rights and interests;
c) other circumstances that may affect personal information rights and interests.
In addition, if the personal information processor concludes a supplementary agreement or re-enters into the standard contract within the validity period of the standard contract, it should make a supplementary filing or re-file the record. The local cyberspace administration department's review of a supplementary or re-filed submission is likewise limited to 15 working days.
4. Relevant issues in practice
1) Can affiliated companies under the same group make group filing for the cross-border data transfer of personal information?
Whether affiliated companies under the same group can make a group filing for the cross-border data transfer of personal information, for example the group's parent company in China filing jointly on behalf of its other affiliates, is currently not addressed by the Filing Guide or the Standard Contract Measures.
Practical experience has shown that, since each local cyberspace administration department has its own review requirements for the filing, affiliated companies located in different provinces and cities need to apply for the filing separately. At the same time, if several affiliated companies have jointly signed the same standard contract, jointly carried out the PIPIA and issued one PIPIA report, the different affiliated companies can use the same standard contract and the same PIPIA report to submit their filings to their respective local cyberspace administration departments.
With reference to the Beijing Filing Guide, if multiple Beijing-based parties are members of the same group, one group member is allowed to make a group filing on behalf of the other members. However, the Beijing Filing Guide applies only to personal information processors located in Beijing and does not clarify whether a group company headquartered in Beijing may submit a filing to the Beijing cyberspace administration department on behalf of its affiliates located in other cities.
2) Can multiple overseas recipients enter a standard contract with a personal information processor?
The Standard Contract is formatted to apply only to scenarios with a single overseas recipient. For cases with multiple overseas recipients, the CAC does not specify whether they may jointly sign one Standard Contract with the domestic personal information processor or whether the processor must sign a separate Standard Contract with each overseas recipient. In principle, different overseas recipients need to enter into separate standard contracts, and if a combined contract is really needed, the processor should first consult the local cyberspace administration department.
3) Does an overseas recipient need to sign a standard contract to retransmit personal information to an overseas third party?
The Standard Contract Measures do not require a standard contract to be signed when an overseas recipient retransmits personal information to an overseas third party, but the overseas recipient must have a written agreement with that third party ensuring that the third party's personal information processing activities meet the personal information protection standards of the relevant Chinese laws and regulations, and must assume legal responsibility for any infringement of the personal information subject's rights resulting from providing personal information to that third party. In addition, the Standard Contract stipulates that the overseas recipient shall provide a copy of this written agreement to the personal information subject upon request.
4) If personal information is obtained from publicly available databases, does transferring it to an overseas recipient require signing a standard contract and filing a record?
According to the reply from the Beijing cyberspace administration department, although a publicly available database can be accessed by visitors located abroad, obtaining personal information from publicly available databases is considered collection and organization of personal information, and sending such personal information to overseas recipients is considered a “cross-border data transfer of personal information”; therefore, signing a standard contract and filing a record are required.
As to how the relevant cyberspace administration departments will regulate this kind of cross-border data transfer of personal information, we believe the CAC may issue further implementation rules in the future to clarify the regulatory rules and procedures.
Conclusion
The landing of the Standard Contract Measures means that the CAC now manages all cross-border data transfers of personal information comprehensively. The relevant entities involved, including enterprises in various industries, banks, medical institutions, insurance companies, consulting companies, law firms and others, should follow the relevant laws and regulations, complete the appropriate steps and materials, and adopt the appropriate approach for the cross-border data transfer of personal information, i.e. security assessment, personal information protection certification or signing a standard contract. Whether the standard contract approach is available depends on the nature of the enterprise itself and the amount and type of information to be transmitted, among other factors. In general, critical information infrastructure operators can only carry out the cross-border data transfer of personal information by security assessment, while signing a standard contract is suitable for small and medium-sized enterprises with small data volumes and low data sensitivity.
Although the standard contract path should be relatively simple compared to the security assessment path in terms of the amount, scale and sensitivity of outbound personal information, the content of the Filing Guide suggests that the CAC has not substantially reduced the requirements of the standard contract path in terms of data inventory, required materials and the PIPIA, as had been expected.
The good news is that, according to a Notice issued by the Beijing cyberspace administration department on 25 June, the standard contract signed by Beijing Deyixin Data Co., Ltd. and Hong Kong Novartis Integrity Limited passed the filing review organized by the Beijing cyberspace administration department, with filing number “202300001”, becoming the first approved standard contract filing; the filing passed review within only 15 working days after the Standard Contract Measures came into effect. The case illustrates that, if the filing materials and review procedures are well prepared, the standard contract filing approach for the cross-border data transfer of personal information should be more efficient and convenient than the security assessment approach.
As for further key points that local cyberspace administration departments focus on in the filing review and their specific requirements for filing materials, we should pay close attention to subsequent guidelines, notices and cases released by the CAC or local cyberspace administration departments. To help personal information processors pass the filing successfully, the CAC or local cyberspace administration departments may continue to issue more rules based on their practical review experience.