Already an IBA member? Sign in for a better website experience
The IBA’s response to the war in Ukraine
Jet Zhisong Deng
Ken Jianmin Dai
Cross-border transfer of personal information (PI export) is a daily occurrence and business necessity for many companies operating in China, especially for multinational companies and domestic companies using management software provided by foreign operators with servers located abroad. With the continuous release of the supporting rules of the Personal Information Protection Law (PIPL) in terms of restrictions on PI export in China, PI export compliance is attracting increasing attention.
This article will first outline the development of China’s restrictions on PI export, then introduce in detail PI export mechanisms provided by the PIPL, including the Compulsory Notification Mechanism (Security Assessment) and two self-management mechanisms (Standard Contract and Certification), which are based on the updated regulatory policies. It will also explain the practical implications of the restrictions.
Restrictive regulations on PI export in China have existed for over a decade. The relevant developments can be roughly divided into three stages.
Before the promulgation of the Cybersecurity Law, China’s restrictions on PI export were scattered among various industry regulations such as the Notice of the People’s Bank of China for Banking Financial Institutes to Get the Personal Financial Information Protection Work Well Done (2011)（《中国人民银行关于银行业金融机构做好个人金融信息保护工作的通知 (2011)》in Chinese).
The Cybersecurity Law came into effect on 1 June 2017. It stipulates that critical information infrastructure operators (CIIOs), a restrictive group of companies in key sectors proactively identified by the Chinese authorities, should pass the security assessment organised by the Cyberspace Administration of China (CAC), that is, China’s central internet regulator, before exporting PI. This is the first time that legislation has imposed restrictions on PI export, although its scope of application is limited to some critical companies.
The PIPL came into effect on 1 November 2021. As the fundamental law in the field of PI protection, PIPL provides restrictions, although to varying degrees, on PI export activities of all the companies within China. Since its implementation, none of the PI can be exported freely, unless it is through one of three mechanisms: (1) Security Assessment; (2) Standard Contract; or (3) Certification. The definitions of these mechanisms is explained below.
To support the implementation of the mechanisms respectively, the CAC and the National Information Security Standardisation Technical Committee (TC260) released a series of rules, which are listed in Table 1.
Name of implementing rules
Security Assessment Measures for Data Export (《数据出境安全评估办法》in Chinese, ‘Measures’)
1 September 2022
Notification Guideline for Security Assessment of Outbound Data Transfer (first edition) (《数据出境安全评估申报指南（第一版）》in Chinese, ‘Guideline’)
1 September 2022
Draft Provisions on Standard Contracts for the Expert of PI (《个人信息出境标准合同规定（征求意见稿）》in Chinese, ‘Draft Provision’) with the Draft Standard Contract for Cross-border Transfer of Personal Information (‘Draft SCC’) as its annex
released on 30 June 2022 (not yet finalised)
Implementing Rules for the Certification of Personal Information Protection (《个人信息保护认证实施规则》in Chinese, ‘Certification Rules’)
4 November 2022
Cyber Security Standard Practical Guidance–Security Certification Specifications on Cross-border Transfer of PI V2.0 (《网络安全标准实践指南—个人信息跨境处理活动安全认证规范V2.0》in Chinese, ‘Certification Specifications’)
16 December 2022
Table 1: the three PI export mechanism rules
To date, only the Security Assessment mechanism has been practically implemented. The SCC has not yet been finalised and the certification agencies have yet to be determined. Below are detailed outlines of these mechanisms based on the updated policies.
According to the Guideline, PI export refers to the provision of PI collected and generated from mainland China to countries and regions outside of mainland China, including Hong Kong, Macao and Taiwan. In addition to electronic and physical transfer of PI, granting access, retrieval, download to or of such data for overseas recipients also constitutes PI export.
PIPL has provided three mechanisms for companies within China to export PI. These are Security Assessment, Standard Contract and Certification, each defined as follows:
The main differences between the Security Assessment and the other two mechanisms is that the Security Assessment, through which the PI export activities should be notified and approved by the authority, is mandatory for CIIOs PI handlers handling amounts of PI approaching the quantities specified by the CAC. The other two mechanisms, which do not need approval from the authority, are only optional for PI handlers that do not meet the security assessment notification criteria, as shown in Figure 1. Consequently, the Security Assessment and the other two mechanisms will be introduced separately below.
Three mechanisms for PI export:
obtain certification for PI protection from an accredited agency according to CAC provisions – optional for other handlers
conclude a standard contract as formulated by the CAC with the overseas recipient – optional for other handlers
pass the security assessment organised by the CAC – compulsory for the CIIOs and handlers handling personal information approaching the quantities specified by the CAC
It should be noted that, regardless of which mechanism is chosen, pursuant to PIPL, an additional PI protection impact assessment (PIPIA) must be conducted in advance to assess the following criteria, and the PIPIA report shall be stored for at least three years. The criteria are:
For PI export, the Security Assessment is only mandatory for the PI handler who has:
According to the Measures, we understand that the PI handler forms the basis of calculations to determine whether certain thresholds are satisfied. Therefore, entities acting as PI handlers within the company group shall calculate their volume of processed PI separately.
Furthermore, as the Measures adopt a dynamic criterion, PI handlers falling below the abovementioned thresholds shall constantly monitor the volume of PI they export, particularly in the final part of the year, as this determines whether they are likely to fall within the thresholds listed above.
According to the Measures and Guideline, the following materials are required:
The Security Assessment shall be applied to the CAC through the local CA at the provincial level. As illustrated in Figure 2, a security assessment normally takes 57 working days. However, if the PI handler has any objection to the assessment result, they can apply to the CAC for re-assessment within 15 working days of receipt of the assessment result, and the re-assessment result shall be the final decision.
Although the materials shall be submitted to the provincial cyberspace administration authority for review, it is the national cyberspace administration authority, that is, the CAC, which organises the relevant departments of the State Council, the cyberspace administration concerned at the provincial level and specialised agencies to carry out the substantive review.
In general, a completed security assessment should take no more than 57 working days. This excludes the time spent on self-assessment which usually takes three-to-six months depending on various circumstances. Nevertheless, if the situation is complicated or supplementary or corrected materials are required, the assessment timeframe may be extended.
As the Security Assessment is focused on the assessment of the risks to national security, public interest, or the legitimate rights and interests of individuals or organisations that may be caused by the activity of the PI export, the following factors will affect the result of the Security Assessment:
The cross-border data transfer Security Assessment is valid for two years, calculated from the date of issue of the assessment result.
The following circumstances will trigger the re-application:
According to the PIPL, the Standard Contract and Certification are only optional for companies in China to export PI if the mandatory Security Assessment previously introduced is not triggered. Unlike the Security Assessment, these two self-management mechanisms are in the process of being set up and are yet to be practically implemented.
Among the three mechanisms, the Standard Contract is the most welcome and widely adopted approach by companies in China. Although the Draft SCC was released by CAC on 30 June 2022 to solicit comments, due to the great controversy this created, especially in terms of the heavy burden on overseas recipients, the text has yet to be finalised. The outline below is mainly based on the Draft SCC and Draft Provision.
Major difference between the Chinese Draft SCC and the EU’s SCC include:
For PI export, the SCC may be deemed as the binding legal documents required in the Security Assessment and Certification. However, other documents such as internal management documents circulated in the group company may also be identified as binding legal documents.
The main contents to be included in the Draft SCC are:
As prescribed in the Draft SCC, the PI handler shall, within ten working days of the effective date of the SCC, file the SCC and the PIPIA report with the local provincial-level CA.
The SCC should be re-signed if one of the following circumstances occurs within the SCC’s period of validity:
Pursuant to the Draft Provision, where any of the following circumstances occur, the local provincial-level CA shall, in accordance with the PIPL: order rectification within a given time limit; suspend the cross-border transfer of PI; and impose penalties if the PI handler or the overseas recipient refuse to rectify or damage is caused to PI-related rights and interests. There are also possible criminal liabilities, if a crime is constituted as follows:
Compared with Standard Contract, Certification has its own advantages such as covering multiple data processing scenarios within a group company. To date, with the release of Certification rules and specifications which clarify details on the Certification process for PI export, the framework of the Certification mechanism has almost been established. However, as the Certification agencies have not yet been determined, and the implementing rules yet to be formulated by these agencies, it will still be some time before this mechanism is practically implemented in China.
According to the Certification Rules and Specifications, PI handlers that carry out PI export activities shall meet the requirements provided by the Information Security Technologies - Personal Information Security Specifications (GB/T 35273)(《信息安全技术 个人信息安全规范》in Chinese, ‘Security Specifications’) and certification specifications when applying for PI protection certification.
The Security Specifications is a non-mandatory national standard jointly issued by the State Administration for Market Regulation and the Standardisation Administration of the PRC that came into effect on 1 October 2020. It sets out detailed provisions on the principles and security requirements for PI processing activities (eg, collection, storage, use, transmission, publishing, deletion).
The Certification Specifications is a non-mandatory guide issued by the TC260 that came into effect on 16 December 2022. It specifies the preconditions for enterprises to obtain certification from three aspects, including: following the basic principles for PI export; meeting the basic requirements for PI export which involve binding documents; organisational management; rules on the cross-border PI processing and PIPIA; and meeting the requirements for protecting the rights and interests of PI subjects.
The Certification Rules has provided the method of ‘technical verification and on-site examination and post-certification supervision’ for PI protection certification. The specific procedures are as follows:
A certification certificate shall be valid for three years. When a certificate needs to be renewed on expiry, the PI handler must apply for certification entrustment with six months of the expiry date. Where, within the valid term of a certification certificate, the name or registered address of the certified PI handler or the certification requirements or scope etc have changed, the certified PI handler inform the certification agency. The agency would decide whether to approve the changes. The certification agency shall publicise the relevant information such as the issuance, change, suspension, deregistration and revocation of the certification certificate.
The certification mark for personal information protection that includes cross-border processing activities is as follows is pictured in Figure 3. ‘ABCD’ stands for the identification information of a certification agency.
Figure 3: the certification mark
To summarise, under the current laws in China, no PI can be freely exported unless it is done through one of the three mechanisms: (1) Security Assessment, (2) Standard Contract, or (3) Certification. The Security Assessment, through which the PI export activities should be notified with and be approved by the authority, is mandatory for CIIOs and companies handling PI approaching certain quantities. The other two mechanisms, do not need to obtain approval from the authority, and are merely optional for companies which do not meet the security assessment notification criteria.
Considering that China is tightening its regulations for PI export by imposing heavy fines (of up to five per cent of a companies’ annual turnover) and enhancing law enforcement (such as in the Didi Case), the grace period for Security Assessment is about to expire, and the supporting rules for Standard Contract and Certification are continuously released, enterprises in China with PI export activities are advised to consult professional local lawyers and conduct self-assessment as required by PIPL as soon as possible to evaluate whether their PI export activities have triggered the compulsory notification requirement.
As China’s personal information protection system is a new, independent and unique regime, of which the detailed compliance requirements are quite different from those of other jurisdictions such as the EU, it would be timely for enterprises in China, especially multinational corporations, to establish specialised compliance systems from the PIPL compliance perspective.
 Under PIPL, ‘PI handlers’ refers to organisations and individuals that, in personal information processing activities, autonomously determine processing purposes, similar to data controllers under GDPR.
 Under PIPL, PI is defined as any kind of information, electronically or otherwise recorded, related to an identified or identifiable natural person within PRC, excluding anonymised information which cannot be used to identify a specific natural person and is not reversible after anonymisation.
 Under PIPL, sensitive PI is PI that if disclosed or illegally used, may cause harm to the security or dignity of natural persons, including information on biometric characteristics, religious beliefs, specific identity, medical health, financial accounts, individual location tracking, any PI of a minor under the age of 14, etc.
 On 21 July 2022, the Chinese ride-hailing giant DiDi Chuxing was handed an RMB8bn (approx. US$1.2bn) fine by CAC for its violation of the Cybersecurity Law, the Data Security Law, and the PIPL. Details of this case can be found at https://digichina.stanford.edu/work/translation-chinese-authorities-announce-2b-fine-in-didi-case-describe-despicable-data-abuses accessed 13 February 2023.