China’s 3 Data Cross-border Transfer Mechanisms In a Nutshell
The following article is from 中伦视界 Author 陈际红 等
///
This article provides practical guidance for the application of three newly released cross-border transfer mechanisms.
By:Jihong Chen, Jiawei Wu,
Jiabin Sun
Legislative background
The Chinese data protection regime mainly consisting of the Cybersecurity Law of the People's Republic of China (“中华人民共和国网络安全法”,“CSL”), the Data Security Law of the People's Republic of China (“中华人民共和国数据安全法”,“DSL”) and the Personal Information Protection Law of the People's Republic of China (“中华人民共和国个人信息保护法”,“PIPL”) sets out comprehensive data protection rules, data cross-border transfer supervision among which has always been the regulatory focus.
Along with the release of the Practice Guideline for Cybersecurity Standards- Specification for Security Certification of Cross- Border Transfers of Personal Information (“网络安全标准实践指南—个人信息跨境处理活动安全认证规范”, “Specification”) by the TC260[1] on 24 June, 2022, the Provisions on Standard Contracts for Cross-border Transfers of Personal Information (Draft) (“个人信息出境标准合同规定(征求意见稿)”, “Provisions”) by the Cyberspace Administration of China (“CAC”) on 30 June, 2022 and the Measures for the Security Assessment of Data Cross-border Transfer (“数据出境安全评估办法”, “Measures”) by the CAC on 7 July, 2022, the implementing rules for data cross-border transfer mechanisms, i.e., the CAC Security Assessment, the Chinese Standard Contract (“CN SCCs”) as well as the Certification, have been mostly settled.
I. Key points
Among the three cross-border transfer mechanisms set out under the Chinese data protection regime:
The CAC Security Assessment is mandatorily required once the triggering conditions stipulated by the laws are met.
The Certification is by nature a voluntary mechanism recommended by the State which mainly applies to cross-border transfers of personal information (“PI”)[2] within multinational companies or subsidiaries or affiliates of the same business entity with relatively stable management or business relationships. The Certification can be deemed as a relatively long-term mechanism, that is, once certified, companies can resort to such a mechanism for continuous cross-border transferring within the certified scope unless any material change.
The CN SCCs, due to its flexibility and wide range of application scenarios for various processing activities, is deemed as the most commonly-used mechanism for regular data cross-border transfers.
The key points of each mechanism are illustrated respectively as below.
1. CAC Security Assessment[3]
Triggering conditions.
Cross-border transfer of Important Data[4] by data processors;
Cross-border transfer of PI by Critical Information Infrastructure Operators (“CIIOs”)[5] or by data processors processing PI over 1 million individuals;
Cross-border transfer of PI of 100,000 individuals or sensitive PI of 10,000 individuals accumulatively since January 1 of the previous year; or
Other circumstances prescribed by the CAC. (Art.4, the Measures)
Filing obligations
Self-assessment prior to applying for the Assessment; (Art.5, the Measures)
Submission of the following materials: 1) declaration form; 2) self- assessment report; 3) legal documents to be concluded by the data processor and the overseas recipient; and 4) any other materials necessary for the Assessment. (Art.6, the Measures)
Continuous monitoring and re-filing if any changes affecting data cross-border transfer security, etc. as stipulated by the laws. (Art.14, the Measures)
Assessment and process. Assessment criteria with particular focuses on third country legislation, potential risks during cross-border transfer and onward transfer, data subject rights, binding instruments concluded between the data processor and the overseas recipient, etc. (Art. 8, the Measures) The validity lasts for 2 years unless any re-application is required. Please refer to Chart 1 for detailed process of the Assessment.
*The Assessment would normally take 5 (Materials Check) +7(Acceptance decision) +45(Assessment)=57 working days.
Chart 1. Process-CAC Security Assessment
2. CN SCCs[6]
Applicable scope. PI processors shall meet all of the followings: Not CIIOs; processing PI of less than 1 million individuals; and not reaching PI of 100,000 individuals or sensitive PI of 10,000 individuals accumulatively for cross-border transfers since January 1 of the previous year. (Art.4, the Provisions)
Nature. The contractual instrument has a binding and enforceable nature in accordance with Chinese laws and should also be binding and enforceable by data subjects as third-party beneficiaries.
Aim. Substantial protection, to ensure PI processing activities by the overseas recipients meet the standards for PI protection as prescribed by the PIPL.
Filing requirements. PI processors shall, within ten working days after the effective date of the standard contract, file with the cyberspace administration at the provincial level: the standard contract concluded; PIA report. (Art.7, the Provisions)
Key contents of the CN SCCs. The CN SCCs contains key sections including contact details of the parties, description of the processing, obligations of the parties particularly with respect to potential risks during cross-border transfer and onward transfer, third country legislation, data subject rights, redress, liabilities, etc. (Art.6, the Provisions)
Comparison with EU SCCs. The CN SCCs:
Do not distinguish processing relationships (e.g., C-C, C-P) in the text;
Specify that the SCCs shall be concluded between a PI Processor[7] (substantially equivalent to “controller” under the GDPR) and the overseas recipient.
3. Certification[8]
Applicable scope
Intra-group cross-border transfer of PI among MNCs, subsidiaries or affiliates of the same business entity; or
Extra-territorial application of the PIPL pursuant to Art.3.2 of the Law. (Art.1, the Specification)
Certified entity
The Chinese entity of the MNCs, etc.; or
Specialized agencies or designated representatives established in China for entities subject to the PIPL pursuant to Art.3.2 of the Law (Art.2, the Specification)
Basic requirements
Legally binding agreements; organizational management (DPO or relevant organizations); rules for cross-border transfers (e.g., retention, disposal after expiration, onward transfers, liabilities, etc.); PIA; etc. (Art.4, the Specification)
Data subject rights
Substantial protection, including third-party beneficiary rights, claims against overseas recipients, complaints to authorities or legal proceedings before courts by data subjects, commitments of compliances of laws and response to competent authorities by PI processors and overseas recipients. (Art.5, the Specification)
II. How to choose your cross-border transfer mechanism?
The following flowchart provides guidance in a concise manner for companies to nail down the cross-border transfer mechanism suitable for various cases in basically three steps, that is, subject determination (whether constitute a CIIO), data identification (whether involve Important Data or PI) and the suitable mechanism.
Chart 2. Flowchart of data cross-border transfer mechanisms
III. FAQs
The frequently asked questions highlighted below further respond to the issues mostly concerned by companies, so as to effectively assist companies to understand the three cross-border transfer mechanisms.
What is “cross-border transfer”?
Data cross-border transfer refers to Important Data or PI collected and generated by a data processor during operation within the territory of China being transferred overseas or being accessed by overseas institutions, organizations or individuals. Key points of the notion include: 1) Data type: Important Data or PI collected and generated in domestic operations;2) Method: physical transfer and remote access; 3) “Overseas”: other countries/regions outside the Chinese mainland, including Hong Kong SAR, Macao SAR and Taiwan; 4) Parties: Data exporter discloses by transmission or otherwise makes the data, subject to this processing, available to data importer.
How to understand the “threshold”?
1 million- “data processors processing PI over 1 million individuals”: the overall volume of data processed by the data processor, including whole volume of data subjects such as customers, users, employees, etc. For corporate groups, it is understood to be calculated separately for various entities, except for scenarios of data mixing or fusion which is to be analyzed on a case-by-case basis.
100,000 & 10,000- “cross-border transfer of PI of 100,000 individuals or sensitive PI of 10,000 individuals accumulatively since January 1 of the previous year”: it is believed that if the same data processor provides PI to different recipients, the volume of data subjects involved should be calculated cumulatively.
About localization.
CIIOs with PI and Important Data collected and generated during its operation within the territory of the People's Republic of China are subject to localization requirements and shall pass the CAC Security Assessment when it is truly necessary to provide such data overseas for business purposes.
In accordance with Art. 4 of the Measures and Art. 40 of the PIPL, it is understood that PI processors meeting the numerical threshold of “1 million” are subject to the localization requirement and shall go pass the Assessment, though there remains uncertainty with respect to whether the cumulative threshold of PI of 100,000 individuals and sensitive PI of 10,000 individuals would fall within the localization requirement under the PIPL.
Processing of Important Data by data processors do not necessarily fall within the localization requirement, unless as otherwise stipulated by laws and regulations.
Relationship between binding legal documents and the SCCs.
The binding legal documents required under the CAC Security Assessment and the Certification, from legal nature, differ from the SCCs, as the SCCs is one of the cross-border transfer regulatory mechanism under the PIPL. Though in the context of data cross-border transfer, the SCCs may overlap with abovesaid legal documents on the value orientation and certain contents for protecting the rights and interests of data subjects, etc. It shall be noted that legal documents under the Assessment may entail Important Data protection which cannot be found in the text of the SCCs.
Whether the SCCs or the Certification?
The Certification is a relatively long-term mechanism for regular data transfers for scenarios especially of intra-group processing activities and can be considered as a relatively stable and continuous mechanism. The Certification mechanism to certain extent is similar to the binding corporate rules (“BCRs”) under the GDPR which shares similar requirements such as legally binding agreements, organizational management, rules for cross-border transfers, etc.
The SCCs, as opposed to the Certification, is a more flexible transfer tool, suitable for relatively short-term, temporary cross-border transfers or continuous transfers with various kinds of business partners based on relatively simple and clear processing purposes, etc.
IV. Compliance tips
Along with the release of the implementing rules of the three Chinese data cross-border transfer mechanisms, it is now the time for companies to determine the overall strategy for data cross-border transfers. For ongoing cross-border transfers, companies with ongoing data cross-border transfers which is truly necessary for business purposes at the moment shall conduct the risk self-assessment and if the CAC Security Assessment is triggered, companies shall complete the Assessment as required during the 6-month transition period or choose the appropriate cross-border transfer mechanism as stipulated by the laws.
In general, it is recommended that companies take the following steps to better respond to the compliance requirements for various data cross-border transfer mechanisms:
Overall strategy for data cross-border transfers. Data cross-border transfer regulation will be the continuous supervision focus. Time for companies to develop overall strategy has come as the fundamental laws as well as the supplemental implementing rules have mostly been settled, which outlines the three clear mechanisms of the CAC Security Assessment, the CN SCCs as well as the Certification.
Data mapping. Carry out data stocking taking in combination with various business scenarios, e.g., with respect to volume, scope, type, sensitivity, etc. of PI transferred, purpose, method of cross-border transfers, overseas systems, etc. Conduct self-check with respect to high-risk points such as identification of Important Data, CII determination, etc., put prior focus on business lines with over 1 million users, or Important Data, etc.
Risk self-assessment. Self-assessment with respect to risks of cross-border transfers is required for all cross-border transfer mechanisms.
Choose cross-border transfer mechanism. Choose the appropriate cross-border transfer mechanism as stipulated by the laws closely based on the factual situations of the processing at question and company operations. Also, it is recommended that companies keep tuned to any legislative developments, enforcement trends and industrial practice.
Implementation of the cross-border transfer mechanism selected. Companies shall start related preparation based on its Mechanism selected. For effective implementation of such mechanism, companies can first start to prepare the self- assessment work and the legally binding agreements to be concluded, etc.
[Note]
[1] TC260= National Information Security Standardization Technical Committee of China
[2] Personal Information refers to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymized, (Art.4, PIPL)
[3] Legal reference: CSL, Art.37, DSL, Art.31 and PIPL, Art.36, 38 and 40; Measures for the Security Assessment of Data Cross-border Transfer, effective as of Sep 1, 2022, 6 months grace period.
[4] Important Data refers to the data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and security, etc. (Art.19, Measures for the Security Assessment of Data Cross-border Transfer)
[5] CII refers to the important network facilities and information systems in important industries and fields such as public telecommunications, information services, energy, transportation, water conservancy, finance, public services, e-government and national defense science, technology and industry, as well as other important network facilities and information systems which, in case of destruction, loss of function or leak of data, may result in serious damage to national security, the national economy and the people's livelihood and public interests. (CSL, Art.31, Security Protection Regulations for Critical Information Infrastructure (“关键信息基础设施安全保护条例”), Art.2)
[6] Legal reference: PIPL, Provisions on Standard Contracts for Cross-border Transfers of Personal Information (Draft) by the CAC.
[7] PI processor refers to any organization or individual that independently determines the purpose and method of processing in their activities of processing of PI, which is substantially equivalent to the concept of “controller” under the GDPR. (Art.73, PIPL)
[8] Legal reference: PIPL, Practice Guideline for Cybersecurity Standards- Specification for Security Certification of Cross-Border Transfers of Personal Information by the TC 260.
About the Author
Jihong Chen
Beijing Office
Equity Partner
Practices:IP Licensing & Enforcement, Cybersecurity & Data Protection, Antitrust & Competition
Industry Sectors:Financial Services, Telecommunications and Technology
Jiawei Wu
Beijing Office
Intellectual Property Department
Jiabin Sun
Beijing Office
Intellectual Property Department
The author recommended articles in the past:
《Commentary on the Chinese Personal Information Protection Law》
《China’s Data Security Law: Analysis and Compliance Guidance》
《New Legislative Trend of Tightening ICV Data Regulation in China》
《Commentary on the New Draft Personal Information Protection Law》
《Annual Reviews on Cyber Security Law 2018》
特别声明:
以上所刊登的文章仅代表作者本人观点,不代表北京市中伦律师事务所或其律师出具的任何形式之法律意见或建议。
如需转载或引用该等文章的任何内容,请私信沟通授权事宜,并于转载时在文章开头处注明来源于公众号“中伦视界”及作者姓名。未经本所书面授权,不得转载或使用该等文章中的任何内容,含图片、影像等视听资料。如您有意就相关议题进一步交流或探讨,欢迎与本所联系。
点击“阅读原文”,可查阅该专业文章官网版。