China’s Cross-Border Data Transfer Regime: Frequently Asked Questions
Carol Sun and Addison Ma of JunHe LLP address some of the most common questions concerning China’s data protection regime, particularly in the context of cross-border data transfers, and provide preliminary guidance to companies.
Addison Ma
Compared with other jurisdictions, are there any particular concerns about China’s cross-border data transfer regime?
Following the publication of the PRC Cybersecurity Law, the PRC Data Security Law (DSL), and the PRC Personal Information Protection Law (PIPL), the Chinese authorities established a comprehensive regulatory regime for cross-border data transfers in 2022.
China’s cross-border data transfer regime aims to protect personal information rights and interests while promoting secure cross-border data flows. The Chinese data protection requirements emphasise national security, as well as wider public interest principles, as they view data security and protection as an essential part of national security. Current regulatory statutes and regulatory cases related to cross-border data flows show that the assessment of data transfers outside of China or cybersecurity reviews under Chinese law is premised on national security.
Do companies operating outside of China need to consider China’s cross-border data transfer regulatory requirements?
China’s cross-border data transfer legal framework focuses on data handling activities within China. However, an extension of the PIPL has extraterritorial application and effect. The PIPL can apply to the handling of personal data of PRC residents outside of China:
- for purposes of providing services or products to them;
- to analyse or assess their behaviours; or
- in other circumstances prescribed by laws and administrative regulations.
For overseas companies, if services or products involving the Chinese market meet the above circumstances, corresponding requirements should be considered.
How to determine the cross-border data transfer mechanism under PRC law?
Under the current Chinese cross-border data transfer regime, there are three general mechanisms allowing companies to transfer data outside of China, namely:
- by passing the Cyberspace Administration of China (CAC)‘s outbound data transfer security assessment (the “CAC Assessment”);
- by obtaining a personal data protection certification issued by a CAC-accredited certification agency (“certification”); and
- by concluding a contract (in the standard contract template published by CAC) with a foreign data recipient (“China SCC”).
Notably, CAC Assessment is a mandatory requirement for the following types of data handlers when transferring data outside of China:
- critical infrastructure operators (CIIO);
- data handlers that handle personal information of more than 1 million people;
- data handlers that transfer important data (ie, data raising national security or other sensitive issues); and
- data handlers that transfer personal data past a certain threshold (ie, providing personal data of 100,000 people or sensitive personal data of 10,000 people in the past year)
Additionally, the DSL and PIPL require prior approval from competent Chinese authorities before providing any data or personal data in China to foreign judicial or law enforcement agencies.
In short, the choice of data export mechanism needs to consider not only the nature of the data-handling entity (eg, whether it is a CIIO) but also the amount of data to be exported out of the country, the nature of data (important data, personal data, etc), and the nature of the foreign receiving party, which is a complex methodology.
What are the legal documents required in the CAC Assessment or Certification process?
Data handlers must have certain legal documents relating to the foreign data recipient when filing a CAC Assessment or applying for a Certification. Compared with the China SCC, the legal documents for the other two mechanisms differ in format and content.
- Format – the format of the legal documents in the other two mechanisms is not limited to contracts (but this is the ideal), but can also be commitment letters or internal corporate policies.
- Content – similar to the EU “standard contractual clauses”, the Chinese SCC will be a template document issued by the CAC, and data handlers cannot make substantive adjustments to the terms. On the other hand, the legal documents for CAC Assessment or Certification do not need to follow an official template but generally need to address areas specified under the regulations or guidance, such as agreement on the purpose, manner, and scope of outbound data transfers; security protection measures, etc.
What is the self-assessment under the CAC Assessment? Is it possible to refer to the Data Transfer Impact Assessment (DTIA) criteria and process under the GDPR?
Self-assessment is a prerequisite requirement prior to filing the CAC Assessment. A self-assessment report to be concluded by the applicants should address the following aspects:
- legality, legitimacy and necessity of the data export;
- the risk that the data export may pose to national security, public interest and the rights of organisations or individuals;
- the data protection capabilities of the foreign data recipient;
- channels for data subjects to exercise their personal data-related rights; and
- legal documents clarifying data protection obligations and liabilities of the data exporter and recipient.
Considering that some multinationals may already have experience in conducting DTIA in other jurisdictions, referring to the DTIA process and criteria (eg, formation of assessment team and determination of assessment schedule) can help to facilitate procedural work to some extent and strike a good balance between meeting regulatory demands and commercial efficiency. However, care needs to be taken to adapt the assessment areas to Chinese law – eg, assessing the impact of data exports on national security and the public interest.
JunHe LLP
