Cross-Border Transfer of Personal Information from China

In this Chambers Expert Focus video, JunHe’s Marissa Xiao Dong introduces the various requirements companies must now comply with when transferring personal information from China abroad.

Published on 15 May 2023
Marissa Xiao Dong, Head of Data Privacy Practice, JunHe, Chambers Expert Focus contributor

The requirements for cross-border transfer of personal information from China have been finalised and are now being implemented in practice.

“There are four common scenarios that require cross-border transfer of personal information.”

China’s new cross-border data transfer requirements apply to a variety of different scenarios, including:

  • when an overseas entity directly collects personal information from individuals in China and processes such data out of China; or
  • when an entity registered in China:
    • transmits personal information collected and generated from its operation in the PRC to an overseas individual or entity;
    • uses overseas systems to store and process such data generated from China; or
    • allows access to data from overseas.

“Chinese law provides three pathways for the export of data.”

The cross-border transfer must follow one of three pathways, the first of which is government security assessment. If an entity does not meet the threshold for government security assessment, it can either:

  • enter into a standard contract with the overseas recipient; or
  • obtain certification from a qualified third-party institution.

These pathways have different conditions, procedures and requirements for application, which are touched upon by Marissa in the video.

“In China, there are additional key requirements that companies must comply with in order to transfer personal information abroad.”

The transferor must comply with a number of other requirements for the export, such as:

  • having a genuine need to provide personal information overseas;
  • making full disclosure of the export scenario to data subjects;
  • ensuring that separate consent from data subjects has been obtained;
  • carrying out a Personal Information Protection Impact Assessment (PIPIA); and
  • signing a binding legal document with the overseas recipient.

Companies will typically take a couple of months to complete any of the three pathways and should follow some key steps – such as data-mapping, determining which pathway applies, carrying out self-assessment, identifying compliance gaps and taking rectification actions – before completing government security assessment, standard contractual clauses (SCC) filing, or certification.

“Compliance needs to be assured through a robust internal compliance mechanism.”

Once the three pathways have been completed, companies must also ensure ongoing compliance. Marissa discusses several ways of doing so, including:

  • monitoring key aspects of the cross-border transfer activities to determine whether a re-declaration or re-filing/re-certification is necessary; and
  • monitoring the legal environment of the overseas recipient and taking action where any change in that environment would significantly alter the situation as it stood when the self-assessment was made.

Timing-wise, the SCC regulation will be effective as of 1 June 2023, and December 1 is the deadline for companies to complete the SCC route. This is discussed in more detail in the video.
