News

China: updates on international data transfers

security assessment requirements taking effect on 1 September

Image
Image

Recent weeks have seen a flurry of activity in China’s regulation of international data transfers. Three principal data laws, the Cyber Security Law (“CSL”), the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”) regulate different aspects of the collection, use and transfer of data in China. One of the key areas of concern, for multi-national businesses in particular, is the treatment of international transfers from China. Since the introduction of the CSL, there have been ongoing concerns that personal data (and non-personal data considered “important”) would be localized to China, or at least subject to challenging regulatory restrictions that make international transfers difficult or practically impossible to implement. These concerns failed to fully materialize in the wake of the implementation of the CSL in June 2017, but the introduction of the DSL and PIPL in September and November 2021, respectively, has rekindled these concerns.

Much has been riding on the implementing measures to be introduced under these laws, and in the span of two weeks, we have seen the publication of the following:

  • On 24 June 2022, China’s National Information Security Standardization Technical Committee (“TC260”) released the final version of Guidance on Network Security Standardized Practice – Technical Specification for Certification of Personal Information Cross-Border Processing Activities ("Certification Specification");
  • On 30 June 2022, the Cyberspace Administration of China (“CAC”) published draft Regulations on Personal Information Export Standard Contract Clauses ("Draft SCCs Regulations"), together with the Standard Contractual Clauses ("Draft SCCs") for public comment through 29 July 2022; and
  • On 7 July 2022, the CAC finalized its Measures for Security Assessment of Outbound Data Transfers (“Security Assessment Measures”), which will come into force on 1 September 2022, with rectification measures required to be undertaken by 1 March 2023.

Overview of International Data Transfer Regulation in China

The interaction of these new measures is complex, necessitating a step back to the overall context of the CSL, DSL and PIPL (see our previous briefing, here). 

The CSL, which took effect in June 2017, mandated localization of personal data and “important data” (data that raises national security or strategic sensitives to the Chinese government, such as unpublished government data, geographic data or data concerning sensitive/strategic industries), but only for organizations designated as “operators of critical information infrastructure” (“OCII”), which, in very broad terms, means large-scale state-owned and private sector systems and networks of critical importance to China.

The PIPL, which took effect 1 November 2021, confirmed that OCII are required to localize personal data in mainland China, save where a security assessment has been completed by the CAC in cases where international transfer is necessary. The PIPL also provides that personal information processors (the equivalent of “data controllers” under GDPR, referred to here as “PI Processors”) handling personal data exceeding as yet unpublished thresholds are also required to localize their personal data.

In the case of all transfers of personal data, the PIPL requires:

  1. data subjects’ “separate consent” to the transfer, which appears to mean an "unbundled”, revocable consent, with sufficient notification; and
  2. the satisfaction of one of the following compliance measures:
    1. completion of a security assessment by the CAC;
    2. obtaining a certification by a third party professional institution; or
    3. entering into standard contractual clauses with the offshore data recipient; or
    4. meeting any other requirements specified by the laws, regulations or the CAC.

The combined effect of the PIPL’s international transfer controls is a “consent plus” model for international transfers requiring consent plus another measure to be taken in order to proceed with compliant international transfers.[1] 

The recently published measures clarify the specific instances in which each of the compliance measures under section 2 above applies:

  • Security Assessments apply to:
    1. transferring important data abroad;
    2. international transfers of personal information undertaken by OCII;
    3. international transfers undertaken by PI Processors handling the personal information of more than one million individuals;
    4. PI Processors who since 1 January of the preceding year have cumulatively transferred abroad the personal information of more than 100,000 individuals or the sensitive personal information of more than 10,000 individuals; and
    5. other circumstances required by the CAC.
  • Third Party Certification may only be used in the case of:
    1. international transfers carried out within the subsidiaries or affiliated companies of the same economic or business entity; and
    2. offshore collection/processing by organizations subject to PIPL’s extraterritorial reach.
  • The SCCs may only be used (based on the Draft SCCs Regulations) where the following conditions are cumulatively met in respect of the PI Processor making the transfer:
    1. the PI Processor is not OCII;
    2. the PI Processor processes the personal information of fewer than 1 million individuals;
    3. the PI Processor has not exported personal information of more than 100,000 individuals since 1 January of the preceding year; and
    4. the PI Processor has not exported sensitive personal information of more than 10,000 individuals since 1 January of the preceding year.

The overall effect, then, is that Security Assessments and SCCs are graduated measures based on the nature of the PI Processor making the transfer and the volume of the personal information involved, whereas Third Party Certification is only available in respect of two specific types of transfers – intra-group transfers and offshore collection/processing.

As explained in more detail below in the sections describing each measure, some form of international transfer agreement will be required in all three scenarios.  The difference is that whereas the SCCs are set out in full in the Draft SCC Regulations, the Certification Specification and the Security Assessment Measures list out requirements for such agreements, without prescribing the specific clauses.

The Certification Specification

The Certification Specification is broadly consistent with the draft Guidance on Network Security Standardized Practice – Technical Specification for Certification of Personal Information Cross-Border Processing Activities ("Draft Specification") issued for public comments on 29 April, 2022 (please see our previous briefing, here).

  1. Scope of application and the applicant.

The Certification Specification confirms that Third Party Certification is only available in the following scenarios:

  • Scenario One: the exportation carried out within the subsidiaries or affiliated companies of the same economic or business entity; and
  • Scenario Two: the offshore collection/processing by organizations subject to PIPL’s extraterritorial reach (“Offshore PI Processor”).

The Certification Specification provides that the PI Processor’s local representative should arrange for certification on behalf of the offshore PI Processor receiving the personal information and take legal responsibility for doing so. The potential for direct legal liability raises concerns that few organizations may wish to serve as local representatives.

  1. Binding agreements between PI Processor and offshore recipient.

The Certification Specification requires PI Processors and offshore recipients to enter into legally binding agreements covering the transfer.    In such cases, in addition to including the categories of personal information being transferred, the purpose of processing, and the applicable protection measures, the offshore data recipient will be required to commit to applying a level of protection equivalent to PIPL, accept supervision of the certification body and accept the governance of PRC data protection rules.   

It is not yet clear who will sign data transfer agreements in the case of Scenario Two’s offshore collection/processing. One possible interpretation is that the agreement should be signed by the offshore recipient’s local representative.   

  1. DPO appointment.

The Certification Specification requires both the PI Processor and the offshore recipient to designate a data protection officer (“DPO”) and set up an internal organization for personal information protection. It is not clear whether the designation of a global or regional DPO in charge of data protection in China within a group of companies will be sufficient for these purposes or if a local appointment must be made. 

With regards to the qualification requirements for DPOs, the Certification Specification provides that DPOs should have professional knowledge and management experience and should be drawn from the organization’s senior executives.

  1. Processing rules for exportation.

In line with the Draft Specification, the Certification Specification requires the PI Processor and the offshore data recipient to agree and abide by rules covering the scope of exportation (e.g. the volume, range, type and sensitivity of the personal information), the method of exportation (e.g. purpose, method, and scope of transferred personal information), the retention period by the offshore recipient, the countries or regions of transit, the measures to protect data subject rights and rules for addressing personal information security incidents.

  1. Data protection impact assessments.

The PI Processor is required to carry out a data protection impact assessments ("DPIA") before proceeding with the data exportation. In addition to the general requirements for DPIA set out in the PIPL, the Certification Specification provides that DPIAs in respect of exportation should cover the potential impact of the foreign legal environment and network security environment on data subject rights.  

  1. Responsibilities of PI Processor and offshore recipients.

The Certification Specification retains the requirement that the onshore party should indemnify data subjects in respect of any losses arising from non-compliance. Further, in addition to the requirements set out in the Draft Specification, the Certification Specification provides that in the event of any data leakage, both the PI Processor and the offshore recipient must immediately take remedial measures and notify the relevant authorities as well as impacted individuals.

The SCCs

As noted above, based on the Draft SCCs Regulation, use of the SCCs would only be available in respect of smaller transfers of personal information where the PI Processor is not OCII, processes the personal information of less than 1 million individuals and the relevant transfer does not involve the personal information of more than 100,000 individuals or the sensitive personal data of more than 10,000 individuals since 1 January of the preceding year.

In the context of the large scale of China’s population and economy, these thresholds are very low, and would mean that the SCCs are likely to be of fairly limited use to large-scale multinationals. 

In this respect, the heavy-going requirements of the SCCs will seem disproportionate to many.

The SCCs have been drafted as a single set of clauses covering both “controller-controller” transfers and “controller-processor” transfers, with a number of clauses specifically pared back in the context of the latter.  For example, the SCCs concerning data breaches provide that the obligation to notify impacted data subjects will be assumed by the PI Processor rather than the “entrustment party” undertaking offshore processing on its behalf.

It would likely be an improvement to produce separate “controller-controller” and “controller-processor” versions of the clauses, so as to ease the burden on reviewing and complying with the terms, particular, as noted, given the small scale of transfers envisaged by the SCCs.

Some key features of the SCCs are as follows:

  1. Form and Content of SCCs, DPIA and filing of SCCs with the provincial CAC.

The SCCs are required to be adopted as per the Draft SCCs Regulation and must include basic information about the PI Processor and the offshore recipient, the purpose and scope of the transfer and information about the type, sensitivity, transfer method, storage period and storage location of the personal information.

Like the European Union’s standard contractual clauses under GDPR, the SCCs are intended to be enforceable by data subjects as well as the parties to the clauses.  The parties are required to notify data subjects of their rights to enforce the SCCs and provide them with a copy upon request.  The PI Processor bears the burden of proof in establishing that it has complied with its obligations under the SCCs.

The PI Processor is required to file executed SCCs with the provincial CAC within ten business days after the SCCs become effective, together with a report on the DPIA undertaken in respect of the transfer.   The Draft SCCs Regulations set out a scope of DPIA which is similar to that set out in the Security Assessment Measures (see below).

The parties are required to agree the SCCs under Chinese law, with enforcement through a choice of arbitration venues specified in the template, including the China International Economic and Trade Arbitration Commission (“CIETAC”) or by resolution at the Chinese People’s Court.

  1. Responsibilities of PI Processor and offshore recipients.

The SCCs require the PI Processor to collect and process the transferred personal information in accordance with applicable laws, take reasonable efforts to ensure that the offshore recipient is able to fulfil its obligations under the SCCs, conduct the DPIA and ensure the offshore recipient’s compliance with data security standards and other requirements.

The offshore recipient is required to process the personal information in accordance with the PI Processor’s instructions and comply with various obligations under the PIPL, including data minimization, minimal data retention and safeguarding measures and restrictions on onward transfers. The offshore recipient may only carry out the onward transfer where either it or the PI Processor obtain data subjects’ separate consent, it concludes an agreement with the onward recipient and it ensures that the level of data protection adopted by the recipient is not lower than standards under the PIPL.

Where the offshore recipient is an entrusted party (a “data processor” under GDPR, as opposed to a “data controller”), it shall delete or anonymize personal information and provide an audit report to the PI Processor after the end of the entrustment relationship.  An entrusted party must obtain the PI Processor’s consent to any sub-processing and ensures that any such delegation is within the scope of processing permitted under the SCC.

  1. Data subject rights and liability to data subjects.

As indicated, data subjects are given direct rights of enforcement under the SCCs.

The PIPL provides for a broad range of data subject rights exercisable against both the PI Processor and the offshore recipient, including rights of access and correction, the right to restrict processing and have their personal information deleted.

PI Processors and their offshore recipient are jointly and severally liable for compensate data subjects, but the SCCs do provide for a contribution indemnity which appears to be intended to apportion liability on the basis of fault.

The Security Assessment Measures

The Security Assessment Measures will take effect 1 September 2022, providing high level principles for the CAC’s assessment of international transfers of personal information and important data.

  1. Security assessment procedure.

Organizations seeking to make transfers meeting the thresholds referred to above must apply for assessment by their local provincial CAC.  Prior to making application, the organization must conduct a self-assessment of the risks of the transfer, considering a range of matters, including the necessity of the transfer and the sensitivity of the data involved, the consequential risks and the suitability of the organizational and technical security measures that will be applied by the offshore recipient.

The Security Assessment Measures require transferors of the data to enter into a data transfer agreement similar in general scope to the SCCs, but without reference to a prescribed form of contract.

Organizations applying for security assessment must submit an application letter, the necessary self-assessment report, a copy of the data transfer agreement and other materials to be specified.

The Security Assessment Measures require the CAC to check the application for completeness within five working days of submission and notify the applicant within seven working days of receipt as to whether or not the application has been accepted.  The CAC is required to provide its decision on the security assessment in writing no later than forty-five working days after accepting the application, subject to any extension notified where the proposed transfer is complicated or supplementary materials or information are needed in order to complete the assessment.

  1. Criteria for security assessments.

The CAC is required to assess transfers in the context of their potential risks to national security, the public interest or the rights and interest of individuals or organizations, focusing on:

  • the legality, legitimacy and necessity of the transfer and its scope;
  • the risks posed by the data security protection policies, laws and network security environment of the destination for the data, including whether the level of data protection regulation in the destination jurisdiction meets the corresponding standards under Chinese law;
  • the scale, scope, types and sensitivity of data to be transferred and the risk that the data may be tampered with, destroyed, leaked or lost;
  • whether data security and personal information rights and interests can be guaranteed;
  • whether the contract between the data exporter and importer fully specify the necessary responsibilities and obligations;
  • compliance with Chinese laws, regulations and agency rules; and
  • other matters that the CAC considers necessary to assess.

Unsuccessful applicants may appeal to the State Cyberspace Administration for re-assessment no later than fifteen working days after receipt of an adverse assessment.  The State Cyberspace Administration’s determination will be final.

Security assessment results are valid for two years commencing from the date of issuance of the assessment results, provided that successful applicants must apply for review of the decision if the underlying circumstances of the transfer change or the security environment in the destination jurisdiction changes.

Critically, the obligation to complete a security assessment applies retrospectively to data transfers that have already been completed, with rectification to be completed no later than 1 March 2023.

Next Steps

The implementation of the Security Assessment Measures is an extremely important step in the implementation of the PIPL. Organizations meeting the thresholds for security assessment are required to commence applications for assessment from 1 September 2022. With remediation required within six months from that date (rather than the date of the CAC’s adverse finding), there will be significant pressure to file applications early so as to maximize the time available to remediate, should it be necessary. The assessment criteria under the Security Assessment Measures are very high level, and further guidance would be helpful to as to put applicants in a better position to improve their applications.

The CAC’s approach to implementing measures puts international transfers not meeting the thresholds under the Security Assessment Measures on a slower track, with the SCCs still in draft form. Also, considering the Certification Specification is not a binding law or regulation, it has not identified qualified certification institutions as well as process of the certification, and the qualifications and procedures for appointing local representatives by Offshore PI Processors remain unspecified, it is anticipated that the application of Third Party Certification for international transfer is still premature.

In light of the above, we believe it is urgent for multinational businesses to evaluate the application of the Security Assessment Measures and if they are subject to the Security Assessment Measures, they should consider taking preparation measures immediately in order to meet the applicable requirements within the short timeframe.

 

[1]           Additionally, other conditions for international personal information transfer under the PIPL  include (i) the transfer is necessary for business operation; (ii) completion of a data protection impact assessment (DPIA); and (iii) necessary measures should be taken to ensure the processing activities of the offshore recipient will meet the PIPL standards.

Authored by Mark Parsons, Sherry Gong, Tong Zhu.

Search

Register now to receive personalized content and more!