Many law firms. A strong network.
 

Data Protection Law China EN: Measures for Personal Information Outbound Compliance (China)

With the globalization of the digital economy, personal data and information are becoming an increasingly important resource and playing a more prominent role in the global economy. The cross-border flow of personal data includes employee management in multinational corporations, cross-border e-commerce, information tracking and cloud storage in multinational technology companies, personal travel, and tourism. In addition to its economic value, personal data is closely related to the personality rights and interests of natural persons. Against this background, how to protect personal information and regulate the cross-border flow of personal information data has become a key concern.

This article further illustrates the measures and requirements of personal information (hereinafter referred to as “PI”) outbound transfer in China based on the relevant laws and regulations.

I. Main Compliance Routes for PI Outbound Transfer

Pursuant to Article 38 of the Personal Information Protection Law of the People's Republic of China, there’re three compliance paths for the PI outbound transfer as follows:

1. Security Assessment of PI Outbound Transfer

Firstly, there’s a need for the PI processor to estimate the type and quantity of the data transferred outbound, if the situation is in line with that stipulated in Article 4[1] of the Measures for the Security Assessment of Outbound Data Transfer (hereinafter referred to as “MSA”, a security assessment of PI to be transferred shall be conducted, the steps are as follows:

  • Conduct a risk self-assessment, which includes the purpose, the scope and the lawfulness of the data transfer and the processing of that data by offshore recipients; 
  • Submit the materials for application (including the above self-assessment as well as the agreements entered between the data processor the offshore recipients) to the competent authority for review.

The National Cyberspace Administration, which is in charge of reviewing the application materials, shall complete the security assessment of the data transfer within 45 days since the date of issuing the written acceptance notice to the data processor, the security assessment will be valid for 2 years, calculated from the date of the assessment results. If the data continues to be transferred outbound after the expiry of the period, the data processor shall reapply for the assessment 60 working days before the expiry of the validity period.

2. Standard Contract for the PI Outbound Transfer

If the situation of PI outbound transfer does not comply with the circumstances set forth in Article 4 of MSA, the PI processor may choose to carry out the PI outbound transfer compliance by signing a standard contract or conducting PI protection certification; if the PI processor chooses the former, circumstances set forth in Article 4 [2] of the Measures for the Standard Contract for the Outbound Transfer of Personal Information (hereinafter referred to as “MSC”) shall be satisfied.

The specific steps are as follows:

  • The PI processor enter the standard contract with the offshore recipient with reference to the template, as well as conducting the data protection impact assessment (hereinafter referred to as “DPIA”);
  • Then the PI processor should submit the materials for filing (including the DPIA and the standard contract) to the competent authority within 10 working days since the contract becomes effective.

It should be noted that the MSC has come into effect since 1 June 2023 and sets a six-month grace period. PI processor who chooses to sign the standard contract is required to complete the filing procedures before the end of the grace period (by 30 November 2023).

3. Certification of PI Protection

Except the above, Certification of PI Protection can also serve as a measure for PI outbound transfer compliance, while it’s relatively less applied in practice.

II. New Regulation on Compliance for Data Transferred Outbound

With the improvement of the data compliance system, PI processor should keep an eye on the update of the requirements for compliance in a timely manner in order to fulfil the corresponding obligations. Please kindly take note that the draft on Regulation and Facilitation of Cross-Border Flows of Data has been published on 28 September 2023, which modifies the existing compliance requirements for PI outbound transfer; if the draft comes into effect in the future, the obligations for PI outbound transfer compliance will be largely mitigated.

Firstly, the draft specifies some circumstances in which compliance for data transferred outbound is not required, such as data outbound from international trade, academic cooperation, multinational manufacturing, and marketing activities that do not contain PI or important data; where PI is collected outside the country but processed domestic and then transferred outbound, etc. which are left blank in the current laws and regulations.

Moreover, the draft revises the requirements for compliance based on the amount of PI transferred outbound of PI processors in one year, other than the cumulative total number, which alleviates the compliance burden for enterprises that process a large amount of PI overall, but less in a given year, please refer to the table as follows for details:

However, there are still some issues not clarified in the draft, such as: when should the period listed in the above table commence to date? Besides, whether the PI expected to be transferred outbound within one year should also be differentiated between sensitive and non-sensitive information is also not elaborated. It’s presumed that the aforementioned issues may be tackled if relevant laws and regulations are published subsequently, we will keep an eye on the changes and keep you updated.

[1] Article 4 To provide data abroad under any of the following circumstances, a data processor shall apply to the national cyberspace administration for the security assessment of the outbound data transfer through the local provincial cyberspace administration:(1) The data processor provides important data abroad. (2) The critical information infrastructure operator or the data processor that has processed the personal information of over one million people provides personal information abroad. (3) The data processor that has provided the personal information of over 100,000 people or the sensitive personal information of over 10,000 people cumulatively since January 1 of the previous year provides personal information abroad. (4) Any other circumstance where an application for the security assessment of outbound data transfer is required by the national cyberspace administration.

[1] Article 4 To provide personal information to an overseas recipient through the conclusion of the standard contract, a personal information processor shall meet all of the following circumstances:   (1) It is not a critical information infrastructure operator; (2) It has processed the personal information of less than one million individuals; (3) It has cumulatively provided the personal information of less than 100,000 individuals to overseas recipients since January 1 of the previous year; and (4) It has cumulatively provided the sensitive personal information of less than 10,000 individuals since January 1 of the previous year. Where any law, administrative regulation, or the national cyberspace administration provides otherwise, such provisions shall prevail.

Article published on
31 October 2023

Xiang Tang
Landing Law Offices
Juris Master, Attorney at Law, Partner

Keywords in this article
Share this article

IT law, International law, Information Technology Law, Information Technology
10.07.2023

EN: AI Application in Legal Practice? China Releases Its Guidance

The Supreme People's Court of China released the “Opinions on Application of AI in Chinese Legal Practice” (hereinafter referred to as the “Opinions”) at the end of the Year 2022. We would like to draw your attention to the following summary on this Opinion.

Read article

Consent to cookies and to the collection and disclosure of your user data to third parties

We place technically necessary cookies on our website, which ensure the basic functions of the website and are indispensable. We do not require consent for these cookies, so these cookies will be set even if you select "reject all" below. We use technically necessary cookies to provide our services and to store settings made by the user (such as the preferred language). In case of your consent, we also use other performance-enhancing cookies (statistics and usage measurement as well as external services). We use the cookies exclusively to be able to adapt and further develop our website according to your wishes. In the process, your personal data (IP address, user behavior, etc.) is processed and stored in order to achieve the above purposes. An identification of your person is not to be feared due to the pseudonymization of the data. You can find an explanation of the various cookies and data protection procedures under "make individual settings" or in our data protection information. By pressing one of the buttons below, you consent to the use of the cookies selected in each case and, at the same time, to the processing of your personal data for the purposes described above. The granting of consent is voluntary.

Details can be found in our privacy policy   Here you can find our imprint

Settings
Essential services and cookies

Technically necessary cookies (essential cookies) enable basic functions and are indispensable for the proper functioning of the homepage. They can be set without consent and therefore cannot be deselected.

DIRO Multisite Cookie

The DIRO Multisite cookie is used to store the settings you have made yourself on this website (e.g. the preferred language) as well as the content of external providers that you have approved. In doing so, under the DIRO_C_FINGERPRINT processing operation, the IDs of the services requiring consent that were present when you last accessed the page, as well as their configuration settings and assignment to categories in the privacy popup (as an encrypted string) are collected and stored. The sole purpose of this data processing is to store the settings made. The storage takes place for one year.

Statistics and usage measurement

Statistics cookies are used by the website operator to understand how users interact with the website by collecting and reporting information anonymously.

Usage measurement with Matomo

We use the website analysis tool Matomo to analyze user behavior and the reach of our website. This sets the cookie "_pk_id". By using Matomo, 2 bytes of your IP address, the website accessed, the referrer website (website from which you reached the website accessed here), the subpages accessed from the website accessed, the time spent on the website and the frequency with which the website is accessed are determined and stored. This serves the sole purpose of obtaining anonymized statistical data on how you use the website. The storage period is 6 months in the case of the cookie pk_ref and 30 minutes in the case of the cookie _pk_ses.

External services

We also offer external services on our website. Here, content from video platforms, social media platforms or other external services is initially blocked by default. If cookies from external media are accepted, access to this content no longer requires individual manual consent.

Video playback with Vimeo

We use the external service Vimeo on our website. This is a video portal of the US company Vimeo.com, Inc., 330 West 34th Street, 5th Floor, New York, New York 10001, USA. By embedding Vimeo videos, cookies are set that collect and then store your IP address, browser type, operating system, click behavior and dwell time, among other things, when you access the video. The storage takes place on servers in the USA, which do not have any data protection laws. For more details, please refer to the information available at https://vimeo.com/privacy.

Geographical maps from OpenStreetMaps

By integrating OpenStreetMaps on our website, we set the cookie "_osm_location". In doing so, your IP address is transmitted to the third-party server of OpenStreetMaps, whereby it learns that you have visited our site. The purpose of this integration is to display addresses on a map that is integrated into the website. The storage period is 1 year.

Appointments with Calenso

We use the external service Calenso on our website. In the course of this, your e-mail address, other contact information, appointment content and data, as well as any additional data you provide in this context are collected and stored. This serves the sole purpose of making appointments and group appointments bookable online. For this purpose, Calenso provides a web application for booking appointments. The data is processed on servers in Switzerland. You provide your data for the duration of the contract with Calenso. For more details on the processing of data by Calenso, please refer to the information available at https://calenso.com/datenschutz.

Details can be found in our privacy policy   Here you can find our imprint