Data Protection Law China Measures for Personal Information Outbound Compliance (China)
With the globalization of the digital economy, personal data and information are becoming an increasingly important resource and playing a more prominent role in the global economy. The cross-border flow of personal data includes employee management in multinational corporations, cross-border e-commerce, information tracking and cloud storage in multinational technology companies, personal travel, and tourism. In addition to its economic value, personal data is closely related to the personality rights and interests of natural persons. Against this background, how to protect personal information and regulate the cross-border flow of personal information data has become a key concern.
This article further illustrates the measures and requirements of personal information (hereinafter referred to as “PI”) outbound transfer in China based on the relevant laws and regulations.
I. Main Compliance Routes for PI Outbound Transfer
Pursuant to Article 38 of the Personal Information Protection Law of the People's Republic of China, there are three compliance paths for PI outbound transfer, as follows:
1. Security Assessment of PI Outbound Transfer
First, the PI processor needs to assess the type and quantity of the data to be transferred outbound. If the situation falls within the circumstances stipulated in Article 4[1] of the Measures for the Security Assessment of Outbound Data Transfer (hereinafter referred to as “MSA”), a security assessment of the PI to be transferred shall be conducted. The steps are as follows:
- Conduct a risk self-assessment, which includes the purpose, the scope and the lawfulness of the data transfer and the processing of that data by offshore recipients;
- Submit the application materials (including the above self-assessment as well as the agreements entered into between the data processor and the offshore recipients) to the competent authority for review.
The National Cyberspace Administration, which is in charge of reviewing the application materials, shall complete the security assessment of the data transfer within 45 days from the date on which it issues the written acceptance notice to the data processor. The security assessment is valid for 2 years, calculated from the date of the assessment results. If the data continues to be transferred outbound after that period expires, the data processor shall reapply for the assessment 60 working days before the expiry of the validity period.
2. Standard Contract for the PI Outbound Transfer
If the PI outbound transfer does not fall within the circumstances set forth in Article 4 of the MSA, the PI processor may achieve compliance for the outbound transfer either by signing a standard contract or by obtaining PI protection certification. If the PI processor chooses the former, the circumstances set forth in Article 4[2] of the Measures for the Standard Contract for the Outbound Transfer of Personal Information (hereinafter referred to as “MSC”) shall be satisfied.
The specific steps are as follows:
- The PI processor enters into the standard contract with the offshore recipient with reference to the template, and conducts a data protection impact assessment (hereinafter referred to as “DPIA”);
- The PI processor then submits the filing materials (including the DPIA and the standard contract) to the competent authority within 10 working days from the date the contract takes effect.
It should be noted that the MSC has been in effect since 1 June 2023 and sets a six-month grace period. A PI processor who chooses to sign the standard contract is required to complete the filing procedures before the end of the grace period (by 30 November 2023).
3. Certification of PI Protection
Besides the above, Certification of PI Protection can also serve as a measure for PI outbound transfer compliance, although it is less commonly used in practice.
II. New Regulation on Compliance for Data Transferred Outbound
As the data compliance system continues to develop, PI processors should follow updates to the compliance requirements in a timely manner in order to fulfil the corresponding obligations. Please kindly take note that the draft Provisions on Regulating and Facilitating Cross-Border Data Flows was published on 28 September 2023 and modifies the existing compliance requirements for PI outbound transfer; if the draft comes into effect, the obligations for PI outbound transfer compliance will be substantially reduced.
First, the draft specifies certain circumstances in which compliance for data transferred outbound is not required, such as outbound data arising from international trade, academic cooperation, multinational manufacturing and marketing activities that do not contain PI or important data, and PI that is collected outside the country, processed domestically and then transferred outbound. These matters are not addressed in the current laws and regulations.
Moreover, the draft bases the compliance requirements on the amount of PI a PI processor transfers outbound in one year, rather than on the cumulative total number, which alleviates the compliance burden for enterprises that process a large amount of PI overall but transfer less in a given year. Please refer to the table below for details:
However, some issues remain unclarified in the draft. For example, from what date should the period listed in the above table commence? Nor does the draft elaborate on whether the PI expected to be transferred outbound within one year should be differentiated between sensitive and non-sensitive information. It is presumed that these issues may be addressed when relevant laws and regulations are subsequently published; we will keep an eye on the changes and keep you updated.
[1] Article 4 To provide data abroad under any of the following circumstances, a data processor shall apply to the national cyberspace administration for the security assessment of the outbound data transfer through the local provincial cyberspace administration: (1) The data processor provides important data abroad. (2) The critical information infrastructure operator or the data processor that has processed the personal information of over one million people provides personal information abroad. (3) The data processor that has provided the personal information of over 100,000 people or the sensitive personal information of over 10,000 people cumulatively since January 1 of the previous year provides personal information abroad. (4) Any other circumstance where an application for the security assessment of outbound data transfer is required by the national cyberspace administration.
[2] Article 4 To provide personal information to an overseas recipient through the conclusion of the standard contract, a personal information processor shall meet all of the following circumstances: (1) It is not a critical information infrastructure operator; (2) It has processed the personal information of less than one million individuals; (3) It has cumulatively provided the personal information of less than 100,000 individuals to overseas recipients since January 1 of the previous year; and (4) It has cumulatively provided the sensitive personal information of less than 10,000 individuals since January 1 of the previous year. Where any law, administrative regulation, or the national cyberspace administration provides otherwise, such provisions shall prevail.