China’s restrictions on cross-border transfer of personal information: an update on regulatory policy and practical implications

Friday 17 February 2023

Jet Zhisong Deng

Dentons, Beijing

zhisong.deng@dentons.cn

Ken Jianmin Dai

Dentons, Shanghai

jianmin.dai@dentons.cn

Cross-border transfer of personal information (PI export) is a daily occurrence and business necessity for many companies operating in China, especially for multinational companies and domestic companies using management software provided by foreign operators with servers located abroad. With the continuous release of the supporting rules of the Personal Information Protection Law (PIPL) in terms of restrictions on PI export in China, PI export compliance is attracting increasing attention.

This article will first outline the development of China’s restrictions on PI export, then introduce in detail PI export mechanisms provided by the PIPL, including the Compulsory Notification Mechanism (Security Assessment) and two self-management mechanisms (Standard Contract and Certification), which are based on the updated regulatory policies. It will also explain the practical implications of the restrictions.

Development of China’s restrictions on PI export

Restrictive regulations on PI export in China have existed for over a decade. The relevant developments can be roughly divided into three stages.

Pre-June 2017

Before the promulgation of the Cybersecurity Law, China’s restrictions on PI export were scattered among various industry regulations such as the Notice of the People’s Bank of China for Banking Financial Institutes to Get the Personal Financial Information Protection Work Well Done (2011)(《中国人民银行关于银行业金融机构做好个人金融信息保护工作的通知 (2011)》in Chinese).

June 2017 to November 2021

The Cybersecurity Law came into effect on 1 June 2017. It stipulates that critical information infrastructure operators (CIIOs), a restrictive group of companies in key sectors proactively identified by the Chinese authorities, should pass the security assessment organised by the Cyberspace Administration of China (CAC), that is, China’s central internet regulator, before exporting PI. This is the first time that legislation has imposed restrictions on PI export, although its scope of application is limited to some critical companies.

Post-November 2021

The PIPL came into effect on 1 November 2021. As the fundamental law in the field of PI protection, the PIPL restricts, to varying degrees, the PI export activities of all companies within China. Since its implementation, no PI can be exported freely unless it is done through one of three mechanisms: (1) Security Assessment; (2) Standard Contract; or (3) Certification. These mechanisms are defined below.

To support the implementation of the mechanisms respectively, the CAC and the National Information Security Standardisation Technical Committee (TC260) released a series of rules, which are listed in Table 1.

| No. | Mechanism | Name of implementing rules | Issuing authority | Effective date |
|---|---|---|---|---|
| 1 | Security Assessment | Security Assessment Measures for Data Export (《数据出境安全评估办法》in Chinese, ‘Measures’) | CAC | 1 September 2022 |
| 1 | Security Assessment | Notification Guideline for Security Assessment of Outbound Data Transfer (first edition) (《数据出境安全评估申报指南(第一版)》in Chinese, ‘Guideline’) | CAC | 1 September 2022 |
| 2 | Standard Contract | Draft Provisions on Standard Contracts for the Export of PI (《个人信息出境标准合同规定(征求意见稿)》in Chinese, ‘Draft Provision’), with the Draft Standard Contract for Cross-border Transfer of Personal Information (‘Draft SCC’) as its annex | CAC | released on 30 June 2022 (not yet finalised) |
| 3 | Certification | Implementing Rules for the Certification of Personal Information Protection (《个人信息保护认证实施规则》in Chinese, ‘Certification Rules’) | CAC | 4 November 2022 |
| 3 | Certification | Cyber Security Standard Practical Guidance–Security Certification Specifications on Cross-border Transfer of PI V2.0 (《网络安全标准实践指南 个人信息跨境处理活动安全认证规范V2.0》in Chinese, ‘Certification Specifications’) | TC260 | 16 December 2022 |

Table 1: the three PI export mechanism rules

To date, only the Security Assessment mechanism has been practically implemented. The SCC has not yet been finalised and the certification agencies have yet to be determined. Below are detailed outlines of these mechanisms based on the updated policies.

Overview of the three PI export mechanisms provided by the PIPL

According to the Guideline, PI export refers to the provision of PI collected and generated in mainland China to countries and regions outside mainland China, including Hong Kong, Macao and Taiwan. In addition to electronic and physical transfer of PI, granting overseas recipients access to such data, or the ability to retrieve or download it, also constitutes PI export.

PIPL has provided three mechanisms for companies within China to export PI. These are Security Assessment, Standard Contract and Certification, each defined as follows:

  • Security Assessment – passing the security assessment organised by the CAC.
  • Standard Contract – concluding a standard contract as formulated by the CAC with the overseas recipient.
  • Certification – obtaining certification for PI protection from an accredited agency according to CAC provisions.

The main difference between the Security Assessment and the other two mechanisms is that the Security Assessment, under which PI export activities must be notified to and approved by the authority, is mandatory for CIIOs and for PI handlers[1] handling amounts of PI approaching the quantities specified by the CAC. The other two mechanisms, which do not require approval from the authority, are optional and available only to PI handlers that do not meet the security assessment notification criteria, as shown in Figure 1. Consequently, the Security Assessment and the other two mechanisms are introduced separately below.

Three mechanisms for PI export:

  • pass the security assessment organised by the CAC – compulsory for CIIOs and for handlers handling personal information approaching the quantities specified by the CAC;
  • conclude a standard contract as formulated by the CAC with the overseas recipient – optional for other handlers;
  • obtain certification for PI protection from an accredited agency according to CAC provisions – optional for other handlers.

Figure 1: the three PI export mechanisms

It should be noted that, regardless of which mechanism is chosen, the PIPL requires an additional PI protection impact assessment (PIPIA) to be conducted in advance, and the PIPIA report must be retained for at least three years. The PIPIA assesses the following criteria:

  • whether the purpose and method of handling personal information are lawful, legitimate, and necessary;
  • impact on personal rights and interests and security risks; and
  • whether the protection measures taken are lawful, effective and commensurate with the degree of risks.

Compulsory notification mechanism: Security Assessment

Who is required to undergo the Security Assessment?

For PI export, the Security Assessment is mandatory only for a PI handler that meets any of the following criteria:

  • it has been identified as a CIIO;
  • it has processed PI[2] of more than one million individuals;
  • it has exported PI of more than 100,000 individuals cumulatively since 1 January of the preceding year; or
  • it has exported sensitive PI[3] of more than 10,000 individuals cumulatively since 1 January of the preceding year.

According to the Measures, we understand that the PI handler forms the basis of calculations to determine whether certain thresholds are satisfied. Therefore, entities acting as PI handlers within the company group shall calculate their volume of processed PI separately.

Furthermore, as the Measures adopt a dynamic criterion, PI handlers falling below the abovementioned thresholds shall constantly monitor the volume of PI they export, particularly in the final part of the year, as this determines whether they are likely to fall within the thresholds listed above.

What materials are required for the Security Assessment?

According to the Measures and Guideline, the following materials are required:

  • a completed application form based on the template provided by the Guideline;
  • cross-border data transfer self-assessment report draft based on the template provided by the Guideline;
  • legal documents to be concluded between the PI handler and the overseas recipient containing the mandatory contents from six aspects provided by the Measures; and
  • other materials mentioned in the Guideline, such as the identity documents of the PI handler and the case handler.

What is the security assessment procedure?

The application for the Security Assessment is made to the CAC through the local cyberspace administration (CA) at the provincial level. As illustrated in Figure 2, a security assessment normally takes 57 working days. If the PI handler objects to the assessment result, it may apply to the CAC for re-assessment within 15 working days of receipt of the result, and the re-assessment result is final.

Figure 2: the Security Assessment procedure

Which authority reviews security assessment applications?

Although the materials shall be submitted to the provincial cyberspace administration authority for review, it is the national cyberspace administration authority, that is, the CAC, which organises the relevant departments of the State Council, the cyberspace administration concerned at the provincial level and specialised agencies to carry out the substantive review.

How long does a security assessment take?

In general, a completed security assessment should take no more than 57 working days. This excludes the time spent on self-assessment, which usually takes three to six months depending on the circumstances. If the situation is complicated, or supplementary or corrected materials are required, the assessment timeframe may be extended.

What factors affect the result of the Security Assessment?

As the Security Assessment is focused on the assessment of the risks to national security, public interest, or the legitimate rights and interests of individuals or organisations that may be caused by the activity of the PI export, the following factors will affect the result of the Security Assessment:

  • the legality, legitimacy and necessity of the purpose, scope and method of the PI export;
  • the impact of the data security protection policies and regulations and the cybersecurity environment of the country or region where the overseas recipient is located on the security of data to be provided abroad, and whether the data protection level of the overseas recipient meets the requirements of the laws and administrative regulations of the People’s Republic of China and mandatory national standards;
  • the size, scope, types and sensitivity of the PI to be provided abroad, and the risks that the PI may be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the PI is provided abroad;
  • whether data security and personal information rights and interests can be fully and effectively guaranteed;
  • whether the legal documents to be concluded by the PI handler and the overseas recipient have fully agreed on the responsibilities and obligations of data security protection;
  • compliance with Chinese laws, administrative regulations and departmental rules; and
  • other matters that the CAC considers necessary to assess.

How long is the Security Assessment valid?

The cross-border data transfer Security Assessment is valid for two years, calculated from the date of issue of the assessment result.

When is re-application triggered?

The following circumstances will trigger the re-application:

  • the two-year validity period has expired;
  • the cross-border transfer activities have changed (eg, the purpose, method, scope or type of PI provided overseas, or the purpose and method of PI processing by the overseas recipient, has changed in a way that affects the security of the cross-border data transferred, or the overseas storage period of the PI has changed);
  • the security of the PI provided abroad is affected due to changes in the data security protection policies or regulations or the cybersecurity environment of the country or region where the overseas recipient is located, any other force majeure event, or any change in the actual control of the PI handler or the overseas recipient, or any change in the legal documents between the PI handler and the overseas recipient; or
  • any other circumstance affecting the security of the PI provided abroad arises.

Self-management mechanisms: Standard Contract and Certification

According to the PIPL, the Standard Contract and Certification are only optional for companies in China to export PI if the mandatory Security Assessment previously introduced is not triggered. Unlike the Security Assessment, these two self-management mechanisms are in the process of being set up and are yet to be practically implemented.

Standard Contract

Among the three mechanisms, the Standard Contract is the most welcomed and widely adopted approach among companies in China. Although the Draft SCC was released by the CAC on 30 June 2022 to solicit comments, the text has yet to be finalised owing to the great controversy it created, especially regarding the heavy burden placed on overseas recipients. The outline below is mainly based on the Draft SCC and the Draft Provision.

1. How does China’s Draft SCC differ from the EU’s SCC?

Major differences between the Chinese Draft SCC and the EU’s SCC include:

  • Form – the Draft SCC is a complete contract to which PI handlers may only add clauses in the appendixes, whereas the EU’s SCC consists of clauses that can be freely included in a wider contract. The similarity is that neither in China nor in the EU is the PI handler allowed to add clauses that conflict with the SCC.
  • Limitation on data volume – the Draft SCC is not applicable to many multinational companies, as it only allows those who process PI of less than one million individuals and have not exported PI of 100,000 individuals, or sensitive PI of 10,000 individuals since 1 January of the previous year to use this mechanism.
  • Limitation on contracting parties – the PIPL merely imposes restrictions on PI handlers’ PI export, excluding PI processors’ PI export. Correspondingly, the Draft SCC has not specified the rules for the transfer from PI processors to overseas PI handlers/processors.
  • Filing requirement – the Draft SCC requires archival filing obligations to the local CA at the provincial level, and the PIPIA report is required as an essential component of the filing materials.

2. What is the relationship between the SCC and the binding legal documents required in the Security Assessment or Certification?

For PI export, the SCC may be deemed as the binding legal documents required in the Security Assessment and Certification. However, other documents such as internal management documents circulated in the group company may also be identified as binding legal documents.

3. What does the SCC contain?

The main contents to be included in the Draft SCC are:

  • basic information of the PI handler and overseas recipient, such as name and contact;
  • purpose, scope, type, sensitivity, quantity, method, retention period, storage location, etc of the PI exported;
  • responsibilities and obligations of the PI handler and overseas recipient to protect PI, as well as the technical and management measures taken to prevent security risks which may arise from the export of PI;
  • the impact of PI protection policies and regulations of the country or region where the overseas recipient is located on compliance with the terms of the Standard Contract;
  • the rights of PI subjects, and the means of protecting such rights;
  • other terms such as remedy, termination, liability and dispute resolution.

4. Should the SCC be archivally filed with the authority?

As prescribed in the Draft SCC, the PI handler shall, within ten working days of the effective date of the SCC, file the SCC and the PIPIA report with the local provincial-level CA.

5. When should the SCC be re-signed?

The SCC should be re-signed if one of the following circumstances occurs within the SCC’s period of validity:

  • the purpose, scope, type, sensitivity, quantity, method, storage period and storage place of the PI transferred overseas, or the purpose and method of the overseas recipient to process PI have changed, or the storage period of PI overseas is extended;
  • the rights and interests of PI may be affected by the changes in the policies and regulations on PI protection of the country or region in which the overseas recipient is located; or
  • other circumstances which may affect the rights and interests of PI.

6. What are the legal consequences of violations?

Pursuant to the Draft Provision, where any of the following circumstances occurs, the local provincial-level CA shall, in accordance with the PIPL, order rectification within a given time limit, suspend the cross-border transfer of PI, and impose penalties if the PI handler or the overseas recipient refuses to rectify or damage is caused to PI-related rights and interests. Where a crime is constituted, criminal liability may also arise. The circumstances are:

  1. failing to perform the filing procedure or submitting false materials for filing;
  2. failing to fulfil the responsibilities and obligations stipulated in the SCC, thereby infringing PI-related rights and interests and causing damage; or
  3. any other circumstance affecting PI-related rights and interests.

Certification

Compared with the Standard Contract, Certification has its own advantages, such as covering multiple data processing scenarios within a group company. With the release of the Certification Rules and Certification Specifications, which clarify the details of the Certification process for PI export, the framework of the Certification mechanism has now largely been established. However, as the certification agencies have not yet been determined, and the implementing rules have yet to be formulated by these agencies, it will be some time before this mechanism is practically implemented in China.

1. What are the bases of certification?

According to the Certification Rules and Specifications, PI handlers that carry out PI export activities shall meet the requirements provided by the Information Security Technologies - Personal Information Security Specifications (GB/T 35273)(《信息安全技术 个人信息安全规范》in Chinese, ‘Security Specifications’) and certification specifications when applying for PI protection certification.

The Security Specifications is a non-mandatory national standard jointly issued by the State Administration for Market Regulation and the Standardisation Administration of the PRC that came into effect on 1 October 2020. It sets out detailed provisions on the principles and security requirements for PI processing activities (eg, collection, storage, use, transmission, publishing, deletion).

The Certification Specifications is a non-mandatory guide issued by the TC260 that came into effect on 16 December 2022. It specifies the preconditions for enterprises to obtain certification from three aspects: following the basic principles for PI export; meeting the basic requirements for PI export (binding documents, organisational management, rules on cross-border PI processing and the PIPIA); and meeting the requirements for protecting the rights and interests of PI subjects.

2. What are the procedures of Certification?

The Certification Rules provide for a method of ‘technical verification, on-site examination and post-certification supervision’ for PI protection certification. The specific procedures are as follows:

  • Entrustment – PI handlers shall submit certification entrustment materials as required by the certification agency. The agency would then determine the certification scheme, based on the certification entrustment materials including the type and quantity of personal information, the scope of personal information processing activities involved, the information of the technical verification agency, etc.
  • Technical verification – the technical verification agency determined by the certification agency shall conduct its verification in accordance with the certification scheme and issue a technical verification report.
  • On-site examination – the certification agency shall conduct an on-site examination and issue an on-site examination report.
  • Certification decision – the certification agency shall make a certification decision and issue a certificate based on the certification entrustment materials, technical verification report, on-site examination report and other relevant materials. If the certification requirements are not completely met, the PI handler may be required to make rectifications.
  • Post-certification supervision – the certification agency shall, within the validity period of the certification, continuously supervise the certified PI handler to ensure that it continues to comply with the certification requirements. Certification certificates will be suspended or even revoked where the certification agency deems that the supervision criteria have not been met.

3. How long is the Certificate of Certification valid?

A certification certificate shall be valid for three years. Where a certificate is to be renewed on expiry, the PI handler must apply for certification entrustment within six months of the expiry date. Where, within the valid term of a certification certificate, the name or registered address of the certified PI handler, or the certification requirements or scope, etc, have changed, the certified PI handler shall inform the certification agency, which will decide whether to approve the changes. The certification agency shall publicise relevant information such as the issuance, change, suspension, deregistration and revocation of certification certificates.

4. What is the mark of certification?

The certification mark for personal information protection covering cross-border processing activities is pictured in Figure 3. ‘ABCD’ stands for the identification information of the certification agency.

Figure 3: the certification mark

Practical implications

To summarise, under the current laws in China, no PI can be freely exported unless it is done through one of the three mechanisms: (1) Security Assessment, (2) Standard Contract, or (3) Certification. The Security Assessment, under which PI export activities must be notified to and approved by the authority, is mandatory for CIIOs and for companies handling PI approaching certain quantities. The other two mechanisms do not require approval from the authority and are optional, available only to companies that do not meet the security assessment notification criteria.

China is tightening its regulation of PI export by imposing heavy fines (of up to five per cent of a company’s annual turnover) and enhancing law enforcement (such as in the Didi case),[4] the grace period for the Security Assessment is about to expire, and the supporting rules for the Standard Contract and Certification continue to be released. Enterprises in China with PI export activities are therefore advised to consult professional local lawyers and to conduct the self-assessment required by the PIPL as soon as possible, in order to evaluate whether their PI export activities have triggered the compulsory notification requirement.

As China’s personal information protection system is a new, independent and unique regime, of which the detailed compliance requirements are quite different from those of other jurisdictions such as the EU, it would be timely for enterprises in China, especially multinational corporations, to establish specialised compliance systems from the PIPL compliance perspective.


Notes

[1] Under PIPL, ‘PI handlers’ refers to organisations and individuals that, in personal information processing activities, autonomously determine processing purposes, similar to data controllers under GDPR.

[2] Under PIPL, PI is defined as any kind of information, electronically or otherwise recorded, related to an identified or identifiable natural person within PRC, excluding anonymised information which cannot be used to identify a specific natural person and is not reversible after anonymisation.

[3] Under PIPL, sensitive PI is PI that if disclosed or illegally used, may cause harm to the security or dignity of natural persons, including information on biometric characteristics, religious beliefs, specific identity, medical health, financial accounts, individual location tracking, any PI of a minor under the age of 14, etc.

[4] On 21 July 2022, the Chinese ride-hailing giant DiDi Chuxing was handed an RMB8bn (approx. US$1.2bn) fine by CAC for its violation of the Cybersecurity Law, the Data Security Law, and the PIPL. Details of this case can be found at https://digichina.stanford.edu/work/translation-chinese-authorities-announce-2b-fine-in-didi-case-describe-despicable-data-abuses accessed 13 February 2023.