April Newsletter - China Updates
This following update is significant as China has now issued final 'standard contractual clauses' which companies need to incorporate in their contracts with overseas recipients of personal information. Further companies need to submit personal information protection impact assessment along with standard contracts. The law comes into effect on June 1, 2023."
New changes in compliance regulations for the export of personal data
On February 24, 2023, the Cyberspace Administration of China (CAC) issued the Standard Contract Measures for the Overseas Export of Personal Information (the "Measures") and its annex, the Standard Contract for the Overseas Export of Personal Information (hereinafter referred to as the "Standard Contract"), will be officially implemented on June 1, 2023. This means that the three major mechanisms for cross-border transmission of personal information established in Chapter III of China's Personal Information Protection Law (hereinafter referred to as the "PIPL") have officially landed.
For the export of personal information and important data[1], the PIPL and the Measures for Security Assessment of Data Exported establish three cross-border data transmission mechanisms: "declaration of security assessment", "conclusion of standard contracts and filing", and "carrying out personal information protection certification"
l How to identify the statutory trigger scenario and select the best export mechanism is explained in the table below
Security assessment of data export |
Standard Contract for the Transfer of Personal Information Across the Country | Personal information protection certification | |
Normal being-seen scenarios |
Mandatory applies to statutory trigger scenarios |
Basic mechanisms Short-term temporary nature Cross-border business transactions or collaborations The outbound scene is direct and clear |
Frequent and long-term, strong business continuity Commonly used within multinational groups and associated entities Industrial ecological chain scenario |
| The validity period of the exit mechanism | Two years | According to agreement | Three years |
| Legitimate transfer time nodes | Pass a security assessment | Effective date after the standard contractual contract | Certified for personal information protection |
| Evaluation requirements | Risk self-assessments and self-assessment reports are required | A personal information protection impact assessment must be carried out and recorded | A personal information protection impact assessment is required in advance |
Suggestions to the company that will handle the personal information export from time to time
(we are hereby talking about the personal information processors providing personal information overseas through the conclusion of standard contracts who shall meet the circumstances:1)Non-critical information infrastructure operators;2) Where less than 1 million people have handled personal information; 3) Where less than 100,000 people have provided personal information overseas in aggregate since January 1 of the previous year; 4) Where less than 10,000 people have cumulatively provided sensitive personal information overseas since January 1 of the previous year.)
The official draft clarifies that the Measures will come into force on June 1, 2023, and that if the personal information export activities that have been carried out before and do not comply with the provisions of the Measures, rectification shall be completed within 6 months from the date of implementation. (Article 13 of the Measures). This filing procedure required by the Measures is an ex-post facto mechanism designed to bring cross-border personal information processing activities into the scope of regulators without affecting the normal business activities of the companies and to maintain transparency with regulators. For high-risk or illegal outbound activities, further regulatory measures such as interviews will be adopted, or administrative penalties will be imposed.
Based on this background and the full consideration of the compliance actions of enterprises handling the data export, it is advisable for enterprises to carry out the following actions for compliance as soon as possible:
1) Conduct personal information protection impact assessments;
2) Tidying up the data flow outwards i.e. how many overseas entities will directly receive data from China’s legal entity and what their measures for data privacy/security are being put in place when receiving data from China;
3) Scanning the IT systems to know how many domestic and overseas IT systems (e.g., Salesforce, HR net) will be involved in the process of transmission or retention of outbound data;
4) Scanning the soft policies to know if any external documents or internal policies and procedures for personal information security based on the requirements of the Personal Information Protection Law in China, such as:
a) privacy policy for employees, or Employee Handbook with chapters for personal information protection
b) privacy policy for contact persons from business partners (e.g., colleges, educational institutions)
c) Data Classification and Grading Procedure
d) Response Procedure for Data Subject Requests
e) Data Breach Emergency Plan
5) Actively promote the signing of the Standard Contract and Compare the existing text of the outbound contract (if any)
6) Carry out the filing of the Standard Contract and personal information protection impact assessment reports
In short, article 55 of the PIPL imposes an obligation on personal information processors to conduct a Personal Information Protection Impact Assessment (PIA) and record the processing before providing personal information overseas, but this obligation is relatively internal, and enterprises often do not pay enough attention to the "priority" of this compliance work. Article 7 of the Measures makes the personal information protection impact assessment report one of the materials that must be submitted when filing a standard contract, which actually means that the internet information department has a regulatory grasp for PIA in cross-border scenarios of personal information (hereinafter referred to as "cross-border PIA").