Transfer of personal information outside of China what now and what next
01 September 2022
01 September 2022
One of the key issues for data processors in mainland China under the Personal Information Protection Law ("PIPL"), since the PIPL came into effect on 1 Nov 2021, has been how to transfer personal information outside of China.
The PIPL sets out that personal information can only be transferred outside of China if:
(i) a data transfer agreement adopting the PRC standard contractual clauses (“SCCs”);
(ii) personal information protection certification from a designated certification agent (“Certification“); or
(iii) passing the Cyberspace Administration of China's security assessment (“Security Assessment“).
Up to the last month or so, there had been limited information about the SCCs, Certification or the Security Assessment. Like many other developments in the technology world – when it rains, it pours. Over June to July this year, the Cyberspace Administration of China ("CAC"):
This update takes a closer look at these developments.
At a wider level – whether an organisation uses SCCs, Certification and/or Security Assessment to validate their overseas transfers will differ on a per-organisation basis, depending on various factors including their data processing activities, volume and type of data, and their activities in China. A couple of points to note for international (ex-China) contacts:
Given the Certification rules have been finalised (albeit with significant details requiring further clarification), this is practically the first available mechanism for companies to rely on.
Any data processor in China will need to determine what approach works best for them, and adopt that approach, by 1 March 2023. Both the Certification and SCC routes include significant requirements for both onshore and offshore data processors, including with respect to consent from relevant data subjects. It is possible that for intra-group data transfers, it is possible that the certification option might provide more flexibility given that the master document could be certified as a "master rulebook" to cover multiple contracts (which do not require individual filings). However, there remains significant details that require further clarity, and so there will be some practical difficulties associated with each of the SCCs, Certification and Security Assessment that are currently unknown.
On 30 June 2022, the CAC published the draft Provisions on Standard Contract for Cross-border Transfer of Personal Information for public consultation (ending 29 July 2022).
These Provisions set out requirements for data processors to legitimately complete cross-border transfers of personal information based on the SCCs(which is attached to these Provisions).
As general comments:
A company can rely on the SCCs if it:
(i) 100,000 data subject's personal information overseas; and
(ii) 10,000 data subject's sensitive personal information overseas.
If a company does not satisfy any of the above criteria, it will have to rely on the Certification or Security Assessment to lawfully export personal information from China.
In order to adopt the SCCs, a company is required to do the following:
(i) the lawfulness, legitimacy and necessity of the purpose, scope and method of the processing by the data exporter and the overseas recipient;
(ii) the amount, scope, categories and sensitivity of the exported personal information, and the risks that may be caused to the data subjects' rights and interests by the export;
(iii) what the overseas recipient will undertake to do, and whether there are appropriate administrative and technical measures in place to adequately protect the security of the exported personal information;
(iv) the risks of unauthorised use or disclosure of the exported personal information, and how data subjects' rights will be protected (including what measures can be used by the data subjects to do so);
(v) the impact of the recipient's jurisdiction's data protection laws and regulations on the SCC; and
(vi) any other matters that may affect the personal information export's security.
The Standardization Administration of China issued the Guidance for Personal Information Security Impact Assessment (effective on 1 June 2021) – this document can be used as a reference point for conducting a PIA.
If the proposed cross border data transfer materially changes in the following ways, a new filing must be submitted with the CAC and the SCC must be renewed:
The SCC is in Chinese only, and comprises 9 clauses and 2 appendices.
Under the SCC, the data exporter is required to:
The overseas recipient is required to:
The SCCs cover the following:
Note that in practice, we expect that any provision that substantially deviate from the SCCs (e.g. discharging any party's obligations) would be unacceptable.
If a company:
the CAC will order the data processor to rectify the non-compliance within a prescribed period of time, failing which the data processor may be ordered to cease transferring personal information overseas and relevant penalties may be issued. The CAC may, amongst other actions, order the data processor to terminate the cross-border transfer of personal information, in which case the data processor will be required to immediately cease such activities upon receipt of notice.
Any organization or individual may file a complaint or report any non-compliance to the CAC.
What about data anonymisation?
Data processors must undertake that, among other things, they have notified key elements concerning the cross border transfer (e.g. details of the personal information being transferred, purpose, identity of the offshore data recipient, storage period and location once the data is transferred outside PRC) to, and obtained separate consent from PRC data subjects, and they have used reasonable endeavour to apply technical measures for the protection of personal information (including encryption, anonymisation and de-identification).
However, the SCCs do not specify that data subjects' consent would not be required if the latter protection measures have been applied – noting that "anonymisation" is listed as a technical protection measure, which is contradictory to the definition of "personal information" under PIPL which excludes anonymised information. Whilst this requires further clarification from CAC, our expectation is that no consent from PRC data subjects would be required if anonymisation is applied when personal information is transferred cross border. It is however not clear whether the same analysis would apply to the transfer of any de-identified personal information, which means that if an onshore data processor transfers de-identified personal information to an offshore recipient (who is unable to identify the data subjects without further information from the onshore data processor), it may still be required to obtain consent from the data subjects.
Onward transfer of personal data
The SCCs also restrict onward transfers of personal information by the foreign data recipient. Any onward transfer would not be permitted unless (a) there is actual business to support such transfer; (b) the data subjects have been notified about, and consented to, such onward transfer; (c) written contract has been entered into for such onward transfer under no less protective standards than those under PRC data privacy regulations, and the third party data recipient assumes joint liability to the data subjects; and (d) a copy of such contract is provided to the onshore data processor.
Liability and governing law
The onshore data processor and offshore data recipient are jointly liable for all losses to PRC data subjects, which may include monetary and non-monetary damages (e.g. reputational damages). The rules also expressly enable PRC data subjects to claim directly against the onshore data processor in respect of the offshore data recipient's breaches, even though the onshore data processor may then claim against the offshore data recipient for the compensation paid out to the PRC data subjects.
The SCCs are governed by PRC law. The parties may choose PRC arbitration or PRC court hearing for dispute resolution.
On 24 June 2022, the Secretariat of the National Information Security Standardisation Technical Committee (TC260) issued the Technical Specification for Certification of Cross-Border Transfers of Personal Information (the "Specification"), two months after it first issued its draft. The Specification will apply to Certifications.
Certification can be used in two situations for ensuring international transfer compliance:
Note that Certification is not appropriate for cross-border personal information transfers between unrelated entities, which will need to rely on the SCC or Security Assessment.
An area of uncertainty regarding paragraph (b) above is that it is not clear at present how that will be applied, given the Certification was intended to apply to cross-border data transfer activities, but paragraph (b) also covers the direct collection of personal information from data subjects in China. In the context of cross border provision of products and services (including financial services), data subjects usually directly provide their personal information to offshore entities. This means the data flow does not go through any onshore entity so as to constitute a "transfer" from an onshore entity to an offshore entity. Accordingly, to require these offshore service providers to establish/designate an onshore entity to fulfil this certification requirement (even on a voluntary basis) appears to be a significant extension of what was previously required, especially if offshore entities would not be required to do so under the SCCs or otherwise expressly required by CAC. We await further guidance on whether this is an intended extension of the PIPL, and whether overseas data controllers will be required to "voluntarily" apply for certification (which in turn will need to further compliance costs). In the meantime, international companies that receive personal information from their PRC onshore affiliates should either consider exploring the certification option or the adopting the SCCs.
The Specification does not have PRC regulation status, and so it is recommended practice rather than mandatory regulation. Having said that, it is likely to have persuasive effect at a practical level, and present market consensus appears to be that a successful Certification pursuant to the Specification will satisfy the certification requirement under Article 38 of PIPL for cross-border transfer.
Implementation of the Specification and Certification requirement is subject to further clarification, including:
Parts of the Specification will require clarification, and given these uncertainties - at present it does not appear to be a recommended method for achieving compliance with the cross border data transfer provisions of the PIPL.
For intra-group transfers, the domestic party within the group may apply for certification and assume legal responsibility for such transfers.
For off-shore processing, a local representative of the relevant overseas processor may apply for certification. Note that the Specification states that the local representative will be liable for the overseas data processor's actions in the Certification process.
The following requirements are required to be met in order for a successful Certification to occur:
On 7 July 2022, CAC published the Measures for Security Assessment of Cross-border Transfer of Data (“Measures”), which will take effect on 1 September 2022. There is a six month grace period for compliance following such date. This follows the draft Measures that were released in October 2021.
These Measures set out the procedures companies must undergo to get clearance to transfer data overseas. They are based on the PIPL, the Cybersecurity Law and the Data Security Law. Its aim is to “standardize the export of data from China” and “protect personal information, safeguard national security, and public interest”.
A data processor must file for a CAC Security Assessment if:
Under Article 5 of the Measures, data processors will be required to carry out a self-assessment before they can apply for a CAC Security Assessment. While the final Measures are to take effect effect on 1 September 2022, there will be a 6-month transition period by which full compliance of the Measures is expected.
Upon receiving the application, a provincial CAC must confirm whether the application materials are complete within 5 working days. If the application package is complete, the application will be passed on from the provincial CAC to the central CAC, which will inform the applicant in writing within 7 working days of receipt on whether the application has been accepted.
After an application is officially accepted, the CAC is required to conclude the assessment and make a decision within 45 working days. In situations of complicated cases or where additional application materials are required, such period can be extended, and the CAC will have to notify the applicant of the estimated time extension.
If the applicant is not satisfied with the assessment result, it is entitled to apply to the central CAC for a re-evaluation within 15 working days from receipt of the assessment result, the results of which will be considered the final conclusion.
Article 6 of the Measures requires data processing entities to submit the following materials when applying for the Security Assessment:
The Measures set forth detailed requirements in relation to the matters to be considered in both the self-assessment and the formal assessment. The Measures also stipulate the contents which must be included in the agreement to be entered into between the parties. Although the application form is yet to be released, an applicant would likely need to demonstrate in the application materials its compliance with the substantial criteria for the Security Assessment in the Measures, including but not limited to the lawfulness, legitimacy and necessity of the purpose, scope, method and other aspects required to justify the cross-border data transfer.
The Security Assessment result remains valid for 2 years. In certain circumstances, such as where the cross-border data transfer purpose or control of the parties has changed, a data processing entity may then have to re-submit an application.
With thanks to Yeqi Fei (Junior Associate) and Parmeet Sandhu (Trainee Solicitor) for their contributions to this article.