Transfer of personal information outside of China what now and what next

Introduction

One of the key issues for data processors in mainland China under the Personal Information Protection Law ("PIPL"), since the PIPL came into effect on 1 Nov 2021, has been how to transfer personal information outside of China.

The PIPL sets out that personal information can only be transferred outside of China if:

• data subjects' consent had been obtained;
• a personal information protection impact assessment (“PIA“) had been conducted; and
• the transfer is in accordance with (or has obtained) one of the following: 

     (i) a data transfer agreement adopting the PRC standard contractual clauses (“SCCs”);

     (ii) personal information protection certification from a designated certification agent (“Certification“); or

     (iii) passing the Cyberspace Administration of China's security assessment (“Security Assessment“).

Up to the last month or so, there had been limited information about the SCCs, Certification or the Security Assessment. Like many other developments in the technology world – when it rains, it pours.  Over June to July this year, the Cyberspace Administration of China ("CAC"):

• published draft SCCs for public consultation; 
• finalised the rules applicable to Certifications; and
• updated details for the Security Assessment. 

This update takes a closer look at these developments. 

At a wider level – whether an organisation uses SCCs, Certification and/or Security Assessment to validate their overseas transfers will differ on a per-organisation basis, depending on various factors including their data processing activities, volume and type of data, and their activities in China. A couple of points to note for international (ex-China) contacts:

• This is in stark contrast to many other jurisdictions, where SCCs are the typical basis for ensuring the legitimacy of overseas personal data transfers. 
• We expect that data processors will be required to engage with the CAC in some form, for any of the SCCs, Certification or Security Assessment – again, this is in stark contrast to global practices where overseas personal data transfers can potentially be completed without significant regulator engagement. 

Given the Certification rules have been finalised (albeit with significant details requiring further clarification), this is practically the first available mechanism for companies to rely on. 

Any data processor in China will need to determine what approach works best for them, and adopt that approach, by 1 March 2023. Both the Certification and SCC routes include significant requirements for both onshore and offshore data processors, including with respect to consent from relevant data subjects. It is possible that for intra-group data transfers, it is possible that the certification option might provide more flexibility given that the master document could be certified as a "master rulebook" to cover multiple contracts (which do not require individual filings). However, there remains significant details that require further clarity, and so there will be some practical difficulties associated with each of the SCCs, Certification and Security Assessment that are currently unknown.

Draft SCC

Background

On 30 June 2022, the CAC published the draft Provisions on Standard Contract for Cross-border Transfer of Personal Information for public consultation (ending 29 July 2022). 

These Provisions set out requirements for data processors to legitimately complete cross-border transfers of personal information based on the SCCs(which is attached to these Provisions). 

As general comments: 

• Importantly – these SCCs do not distinguish between controller-to-controller and controller-to-processor transfers, but prescribes a uniform set of clauses for both scenarios.
• For multinational companies that have adopted the EU standard contractual clauses under the General Data Protection Regulation (“GDPR“) (whether on an external or intra-group basis), we would recommend preparing an addendum adopting the PRC SCCs to cover transfer of personal information from China. 

Who can use the SCCs?

A company can rely on the SCCs if it:

• is an operator of non-critical information infrastructure;
• processes personal information of fewer than 1,000,000 data subjects; and
• since January 1 of the previous year, has not provided more than:

     (i) 100,000 data subject's personal information overseas; and

     (ii) 10,000 data subject's sensitive personal information overseas.

If a company does not satisfy any of the above criteria, it will have to rely on the Certification or Security Assessment to lawfully export personal information from China.

How to use the SCCs?

In order to adopt the SCCs, a company is required to do the following:

• Undertake a PIA. The PIA will need to consider: 

     (i) the lawfulness, legitimacy and necessity of the purpose, scope and method of the processing by the data exporter and the overseas recipient;

     (ii) the amount, scope, categories and sensitivity of the exported personal information, and the risks that may be caused to the data subjects' rights and interests by the export;

     (iii) what the overseas recipient will undertake to do, and whether there are appropriate administrative and technical measures in place to adequately protect the security of the exported personal information;

     (iv) the risks of unauthorised use or disclosure of the exported personal information, and how data subjects' rights will be protected (including what measures can be used by the data subjects to do so);

     (v) the impact of the recipient's jurisdiction's data protection laws and regulations on the SCC; and

     (vi) any other matters that may affect the personal information export's security. 

The Standardization Administration of China issued the Guidance for Personal Information Security Impact Assessment (effective on 1 June 2021) – this document can be used as a reference point for conducting a PIA.

• Enter into a SCC with the overseas recipient.
• Within 10 business days from the effect date of the SCC, file the signed SCC and the PIA report with the relevant provincial office of the CAC. We expect that such filing would not be an "approval" process; however, CAC may review and order "rectification" of unsatisfactory SCCs, which may in turn disrupt the proposed data transfer.  

If the proposed cross border data transfer materially changes in the following ways, a new filing must be submitted with the CAC and the SCC must be renewed:  

• changes in the purpose, scope, type, sensitivity, quantity, provision manner, retention period, storage location of the personal information transferred and the purpose and manner of processing by the overseas recipient, or extension of the retention period of the personal information transferred;
• changes in the personal information protection policies and regulations of the country or region where the overseas recipient is located which may affect the rights and interests of the data subjects; or
• any other circumstances that might affect the rights and interests of the data subjects.

What is in the SCC?

The SCC is in Chinese only, and comprises 9 clauses and 2 appendices.

• Clause 1 - Definitions.
• Clause 2 - Obligations of the data exporter.
• Clause 3 - Obligations of the overseas recipient.
• Clause 4 - Impact of local policies, laws and regulations on compliance with the standard contract.
• Clause 5 - Data subjects’ rights.
• Clause 6 - Remedies for individuals.
• Clause 7 - Termination.
• Clause 8 - Liability for breach of contract.
• Clause 9 - Miscellaneous.
• Appendix 1 - Description of the personal information export.
• Appendix 2 – Supplemental clauses agreed by the parties. 

Under the SCC, the data exporter is required to:

• ensure that the exported data are limited to the minimum scope necessary for achieving the processing purpose;
• notify data subjects of relevant matters and obtain their consent;
• make copies of relevant legal provisions and technical standards available to the data recipient;
• make reasonable efforts to ensure the recipient’s compliance with the contract;
• respond to inquiries from regulators, unless the parties agree that the recipient shall respond to such inquiries;
• conduct PIAs; and
• make copies of the standard contract available to data subjects (which may be redacted to the extent necessary for protection of trade secrets or other confidential information).

The overseas recipient is required to:

• implement effective technical and administrative measures to protect the security of personal information;
• take remedial measures, and notify Chinese regulators and affected individuals when a data breach occurs;
• only transfer personal information to third parties outside of China based on business needs after:
• notifying data subjects of relevant matters relating to the onward transfer and obtaining their consent; and
• entering into a written agreement with any third parties that will have access to the exported personal information, and make such agreements available to data subjects upon request.
• provide the data exporter with all necessary information to demonstrate its compliance with the contract and permit the data exporter to audit its processing activities; and
• accept supervision and administration of Chinese regulators.

The SCCs cover the following:

• the basic information of both the data processer and overseas recipient, including but not limited to name, address, contact name and contact information;
• the purpose, scope, type, sensitivity, quantity, provision manner, retention period, storage location of the personal information to be transferred;
• the responsibilities and obligations of the data processer and overseas recipient with respect to the protection of personal information, as well as the technical and management measures to be taken to prevent potential security risks arising from the cross-border transfer of personal information;
• the impact of local policies and regulations on the protection of personal information where the overseas recipient is located may have on the compliance with the SCCs;
• the rights of data subjects, and the ways and means of safeguarding the rights of data subjects; and
• remedies, termination of contract, liabilities for breach of contract, dispute resolution, etc.

Note that in practice, we expect that any provision that substantially deviate from the SCCs (e.g. discharging any party's obligations) would be unacceptable. 

What happens upon non-compliance?

If a company: 

• has not filed the appropriate documents in accordance with the above requirements;
• fails to comply with the relevant data transfer agreement, resulting in infringing data subjects' rights; or
• performs any other acts adversely affecting the rights and interests of data subjects,

the CAC will order the data processor to rectify the non-compliance within a prescribed period of time, failing which the data processor may be ordered to cease transferring personal information overseas and relevant penalties may be issued. The CAC may, amongst other actions, order the data processor to terminate the cross-border transfer of personal information, in which case the data processor will be required to immediately cease such activities upon receipt of notice. 

Any organization or individual may file a complaint or report any non-compliance to the CAC. 

Other points to consider under the SCC

What about data anonymisation? 

Data processors must undertake that, among other things, they have notified key elements concerning the cross border transfer (e.g. details of the personal information being transferred, purpose, identity of the offshore data recipient, storage period and location once the data is transferred outside PRC) to, and obtained separate consent from PRC data subjects, and they have used reasonable endeavour to apply technical measures for the protection of personal information (including encryption, anonymisation and de-identification). 

However, the SCCs do not specify that data subjects' consent would not be required if the latter protection measures have been applied – noting that "anonymisation" is listed as a technical protection measure, which is contradictory to the definition of "personal information" under PIPL which excludes anonymised information. Whilst this requires further clarification from CAC, our expectation is that no consent from PRC data subjects would be required if anonymisation is applied when personal information is transferred cross border. It is however not clear whether the same analysis would apply to the transfer of any de-identified personal information, which means that if an onshore data processor transfers de-identified personal information to an offshore recipient (who is unable to identify the data subjects without further information from the onshore data processor), it may still be required to obtain consent from the data subjects.   

Onward transfer of personal data

The SCCs also restrict onward transfers of personal information by the foreign data recipient. Any onward transfer would not be permitted unless (a) there is actual business to support such transfer; (b) the data subjects have been notified about, and consented to, such onward transfer; (c) written contract has been entered into for such onward transfer under no less protective standards than those under PRC data privacy regulations, and the third party data recipient assumes joint liability to the data subjects; and (d) a copy of such contract is provided to the onshore data processor.  

Liability and governing law

The onshore data processor and offshore data recipient are jointly liable for all losses to PRC data subjects, which may include monetary and non-monetary damages (e.g. reputational damages). The rules also expressly enable PRC data subjects to claim directly against the onshore data processor in respect of the offshore data recipient's breaches, even though the onshore data processor may then claim against the offshore data recipient for the compensation paid out to the PRC data subjects.  

The SCCs are governed by PRC law. The parties may choose PRC arbitration or PRC court hearing for dispute resolution.

Certification

Introduction

On 24 June 2022, the Secretariat of the National Information Security Standardisation Technical Committee (TC260) issued the Technical Specification for Certification of Cross-Border Transfers of Personal Information (the "Specification"), two months after it first issued its draft.  The Specification will apply to Certifications.

Certification can be used in two situations for ensuring international transfer compliance: 

• Intra-group data transfers, in which a China-based businesses transfers personal information to an offshore affiliate. This is modelled on the Binding Corporate Rules mechanism under GDPR.
• Offshore processing by organizations subject to the extra-territorial scope of PIPL (per Article 3 of PIPL) – i.e. overseas entities providing products or services to natural persons located within China; or analysing or assessing the behaviour of natural persons located within China. 

Note that Certification is not appropriate for cross-border personal information transfers between unrelated entities, which will need to rely on the SCC or Security Assessment. 

An area of uncertainty regarding paragraph (b) above is that it is not clear at present how that will be applied, given the Certification was intended to apply to cross-border data transfer activities, but paragraph (b) also covers the direct collection of personal information from data subjects in China. In the context of cross border provision of products and services (including financial services), data subjects usually directly provide their personal information to offshore entities. This means the data flow does not go through any onshore entity so as to constitute a "transfer" from an onshore entity to an offshore entity. Accordingly, to require these offshore service providers to establish/designate an onshore entity to fulfil this certification requirement (even on a voluntary basis) appears to be a significant extension of what was previously required, especially if offshore entities would not be required to do so under the SCCs or otherwise expressly required by CAC. We await further guidance on whether this is an intended extension of the PIPL, and whether overseas data controllers will be required to "voluntarily" apply for certification (which in turn will need to further compliance costs). In the meantime, international companies that receive personal information from their PRC onshore affiliates should either consider exploring the certification option or the adopting the SCCs.  

The Specification does not have PRC regulation status, and so it is recommended practice rather than mandatory regulation. Having said that, it is likely to have persuasive effect at a practical level, and present  market consensus appears to be that a successful Certification pursuant to the Specification will satisfy the certification requirement under Article 38 of PIPL for cross-border transfer.  

Implementation of the Specification and Certification requirement is subject to further clarification, including: 

• who the designated Certification agents will be. Various organisations have been involved in the Specification's development - such as the China Cybersecurity Review Technology and Certification Centre and the China Electronics Standardisation Institute – so it is possible that such organisations may be designated certification agents.; 
• a Certification’s validity period; 
• the circumstances where a re-Certification is required; and 
• whether there is an appeal mechanism for review and supervision of decisions made by the designated Certification agents.

Parts of the Specification will require clarification, and given these uncertainties - at present it does not appear to be a recommended method for achieving compliance with the cross border data transfer provisions of the PIPL. 

Who will apply for Certification?

For intra-group transfers, the domestic party within the group may apply for certification and assume legal responsibility for such transfers. 

For off-shore processing, a local representative of the relevant overseas processor may apply for certification.  Note that the Specification states that the local representative will be liable for the overseas data processor's actions in the Certification process. 

What are the requirements for a successful Certification?

The following requirements are required to be met in order for a successful Certification to occur: 

• A binding agreement between the data processor and relevant overseas recipient, that protects data subjects’ legitimate rights and interests.
• Each party will appoint a Data Protection Officer (“DPO”), who complies with various requirements. 
• Each party will establish a personal information protection department responsible for personal information protection, including formulating, supervising and completing plans for such transfers.  
• Each party will comply with the rules regarding cross border processing of personal information.
• Each party will complete a PIA. 

CAC Security Assessment

On 7 July 2022, CAC published the Measures for Security Assessment of Cross-border Transfer of Data (“Measures”), which will take effect on 1 September 2022.  There is a six month grace period for compliance following such date. This follows the draft Measures that were released in October 2021. 

These Measures set out the procedures companies must undergo to get clearance to transfer data overseas. They are based on the PIPL, the Cybersecurity Law and the Data Security Law. Its aim is to “standardize the export of data from China” and “protect personal information, safeguard national security, and public interest”.  

Who has to apply for Security Assessment? 

A data processor must file for a CAC Security Assessment if: 

• important data will be transferred;
• personal information will be transferred by CIIOs or data processors processing personal information of over 1,000,000 data subjects in China;
• personal information will be transferred by data processors who have either (in aggregate) transferred (i) personal information of more than 100,000 data subjects; or (ii) sensitive personal information of more than 10,000 data subjects outside of China since 1 January of the previous year; or
• other circumstances specified by CAC. 

How should a Security Assessment be carried out? 

Under Article 5 of the Measures, data processors will be required to carry out a self-assessment before they can apply for a CAC Security Assessment. While the final Measures are to take effect effect on 1 September 2022, there will be a 6-month transition period by which full compliance of the Measures is expected.

Upon receiving the application, a provincial CAC must confirm whether the application materials are complete within 5 working days.  If the application package is complete, the application will be passed on from the provincial CAC to the central CAC, which will inform the applicant in writing within 7 working days of receipt on whether the application has been accepted.

After an application is officially accepted, the CAC is required to conclude the assessment and make a decision within 45 working days.  In situations of complicated cases or where additional application materials are required, such period can be extended, and the CAC will have to notify the applicant of the estimated time extension.  

If the applicant is not satisfied with the assessment result, it is entitled to apply to the central CAC for a re-evaluation within 15 working days from receipt of the assessment result, the results of which will be considered the final conclusion.

What materials are required for a Security Assessment?

Article 6 of the Measures requires data processing entities to submit the following materials when applying for the Security Assessment:

• the application form;
• the self-assessment report for cross-border data transfers;
• the agreement or other legally binding documents to be entered into between the data processing entity and the recipient outside of China; and
• other materials required for the Security Assessment.

The Measures set forth detailed requirements in relation to the matters to be considered in both the self-assessment and the formal assessment.  The Measures also stipulate the contents which must be included in the agreement to be entered into between the parties.  Although the application form is yet to be released, an applicant would likely need to demonstrate in the application materials its compliance with the substantial criteria for the Security Assessment in the Measures, including but not limited to the lawfulness, legitimacy and necessity of the purpose, scope, method and other aspects required to justify the cross-border data transfer.

How often do companies need to carry out a Security Assessment?

The Security Assessment result remains valid for 2 years.  In certain circumstances, such as where the cross-border data transfer purpose or control of the parties has changed, a data processing entity may then have to re-submit an application.

With thanks to Yeqi Fei (Junior Associate) and Parmeet Sandhu (Trainee Solicitor) for their contributions to this article.