Cross-border transfer of personal data: navigating compliance issues
In recent years, China has strengthened cybersecurity and data protection regulations—especially for personal data—by introducing new legislation covering the whole process of data collection, storage, usage, processing, transmission, provision and disclosure. This article by Carlo Diego D’Andrea and Aris Xie of D’Andrea & Partners & Legal Counsel briefly introduces the current legal framework and compliance challenges related to transferring personal data overseas.
What constitutes cross-border data transfer?
Data is defined as “any record of information in electronic or other form”, while personal information refers to all kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding information that has been anonymised and cannot be traced back to the specific individual.
Based on the relevant regulations, personal data is transferred overseas when the act meets the following conditions:
- a data processor moves or stores data collected and generated within China’s territory to an overseas recipient;
- a data processor stores any data collected and generated within the territory of China but allows any overseas entity, organisation or individual to consult, retrieve, download or export such data; or
- other behaviour involving outbound data transfer prescribed by the Cyberspace Administration of China (CAC).
For example, if a Chinese subsidiary of a European company wants to transfer customers’ personal information to a data processing system that uses a server located in the European Union (EU), it would be considered a cross-border data transfer.
What are the requirements for transferring personal data?
When it comes to cross-border data transfer, there are certain general requirements that apply. However, specific processes and requirements are still being developed. The following compliance requirements are key considerations for multinational companies (MNCs) operating in this context:
a. Inform and obtain separate consent
Under Article 39 of the Personal Information Protection Law of the PRC (PIPL), MNCs must inform individuals if they are providing their personal information to recipients outside China. This information includes the recipient’s name, contact details, why the information is needed, the types of personal information involved, and how individuals can exercise the rights stipulated against the overseas recipient if necessary. Data processors must obtain separate consent from each individual before transferring their personal information.
b. Conduct protection impact assessment
According to Articles 55 and 56 of the PIPL, it is mandatory for MNCs to assess the risks involved before transferring personal information to overseas recipients. The assessment should consider the legality, appropriateness and necessity of the data processing methods and purposes. It must also consider the potential impact on an individual’s rights and interests, and the associated level of risk. The evaluation and documentation of security protection measures are also required. All records must be retained for at least three years.
c. Compliance approach for cross-border data transfer
In addition to the above procedures, the current legal framework governing the cross-border transfer of personal data provides three approaches that a company can use when transferring personal data overseas, regardless of the volume of data to be transferred:
- Security evaluation: Pass the security evaluation organised by the CAC in accordance with the provisions of PIPL if any of the following conditions are met: the data involves more than 1 million people; the data contains personal information on 100,000 people or more cumulatively, or the sensitive personal information of 10,000 people cumulatively since 1st January of the previous year.
- Certified protection: Get the data certified by a specialised agency for the protection of personal information in accordance with the provisions of the CAC.
- Standard contract: Enter into a contract with the overseas recipient under the standard contract formulated by the CAC, which specifies the rights and obligations of both parties. This approach applies under the following conditions: data sent to overseas recipients since 1st January of the previous year must contain personal information on fewer than 1 million individuals; the data must involve the personal information of fewer than 100,000 individuals or sensitive personal information of fewer than 10,000 individuals.
Currently, the authorities have issued some guidelines for the above approaches involving cross-border data transfers which clarify detailed compliance requirements and procedures. Compared to the first two approaches, security evaluation and certified protection, signing the standard contract is generally considered to be a more convenient route for personal information transfers at present.
At the end of September 2023, considering the strict rules on cross-border data transfer, the CAC issued some draft rules on exemptions from regulatory requirements to ease the limitations on data transfers. While the new rules are still in the review stage and have not yet come into effect, it is worth monitoring the development of related legislation.
How should enterprises address the compliance challenges?
In light of the strict regulatory requirements on transferring personal data, it is essential that businesses implement appropriate measures to safeguard the processing of personal data provided to overseas recipients in line with the current regulations.
Data identification and classification
Distinct types of data are subject to specific processing and cross-border transfer requirements. The first important step is therefore to identify and categorise the data that the company will have in its daily business and operations. This is particularly crucial if personal data is transferred in a manner that triggers the security evaluation mechanism.
Conduct a comprehensive assessment
Once the identification and classification of the data to be processed has been completed, it is advisable to conduct a comprehensive assessment of the internal system and business activities in accordance with China’s data processing regulations. This assessment will help to understand the necessary information, consents and special rules that must be implemented. It is particularly important to distinguish the roles played by each entity involved in data processing within the company. This understanding is vital for ensuring compliance with the requirements for cross-border data transfer.
Pay attention to compliance requirements and potential costs
Following the comprehensive assessment, it is essential for companies to conform to the data compliance requirements specified in the relevant laws and regulations. It is crucial to take into account the current data processing situation and enterprises’ business requirements, as well as the potential cost of fully complying with the requirements.
It might be advisable for SMEs whose operations are wholly localised in China to also consider localising data processing activities if there is no need from a business and management perspective to transfer personal data abroad. Localising data processing can help minimise the cost and compliance risks arising from data privacy protection. Small companies without the resources to localise data processing should bear in mind the potential costs that can arise when seeking business opportunities in China.
Monitor data legislation and enforcement
Data compliance is an important and constantly evolving topic. New laws and regulations, along with detailed operational rules and enforcement requirements, continue to be enforced in China. One significant aspect is the issue of cross-border data transfers. Therefore, it is essential to closely monitor the progress of data compliance legislation and enforcement practices, which will help MNCs operating in the country to stay informed of the latest compliance requirements.
With the advent of the big data era and the booming digital economy, cross-border data transfer will often be unavoidable. Understanding the procedures and compliance challenges will help companies navigate the risks of business operations in the current economic climate. It is essential for firms to combine their own business needs and clarify scenarios for cross-border data flow, while closely monitoring their actions and situations to take corresponding measures in line with the compliance requirements.
Carlo Diego D’Andrea is managing partner at D’Andrea & Partners & Legal Counsel.
Aris Xie is senior associate at D’Andrea & Partners & Legal Counsel.
D’Andrea & Partners Legal Counsel is a leading international law firm, with European headquarters situated in Milan, Italy, and Asia-Pacific headquarters based in Shanghai, China. The firm has a strong presence across major cities in China. The firm is one of the very few international law firms in China duly authorised by the Ministry of Justice of the PRC to operate as a Representative Office of a foreign law firm in China.
 Article 3 of Data Security Law of PRC, Standing Committee of the National People’s Congress, 10th June 2021, viewed 19th January 2024, <https://flk.npc.gov.cn/detail2.html?ZmY4MDgxODE3OWY1ZTA4MDAxNzlmODg1YzdlNzAzOTI%3D>
 Article 4 of Personal Information Protection Law of the PRC, Standing Committee of the National People’s Congress, 20th August 2021, viewed 19th January 2024, <https://flk.npc.gov.cn/detail2.html?ZmY4MDgxODE3YjY0NzJhMzAxN2I2NTZjYzIwNDAwNDQ%3D>
 Guide to Applications for Security Assessment of Outbound Data Transfers (First Edition), Cyberspace Administration of China, 31st August 2022, viewed 19th January 2024, <http://www.cac.gov.cn/2022-08/31/c_1663568169996202.htm>
 Sensitive personal information refers to personal information that, once leaked or illegally used, will easily lead to infringement of the human dignity or harm to the personal or property safety of a natural person, including biometric recognition, religious belief, specific identity, medical and health, financial account, personal location tracking and other information of a natural person, as well as any personal information of a minor under the age of 14.
Article 28 of Personal Information Protection Law of the PRC, Standing Committee of the National People’s Congress, 20th August 2021, viewed 19th January 2024, <https://flk.npc.gov.cn/detail2.html?ZmY4MDgxODE3YjY0NzJhMzAxN2I2NTZjYzIwNDAwNDQ%3D>
 Provisions on Regulating and Facilitating Cross-border Data Flow (Draft for Comment), Cyberspace Administration of China, 28th September 2023, viewed 19th January 2024, <http://www.cac.gov.cn/2023-09/28/c_1697558914242877.htm>