Closing the gap on cross-border transfer of personal data

By issuing the draft Provisions on Standard Contracts for Cross-border Transfers of Personal Data, the Cyberspace Administration of China (CAC) has given visibility over the missing piece of the Personal Information Protection Law regulatory framework. It provides certainty on the process for cross-border transfer of personal data in lower quantities, where the data processors’ operations do not have a significant impact on the public interest. However, the full picture for many businesses is still complex, as they may be transferring larger quantities as well as other types of business data. When deciding on the approach to take, all relevant laws and regulations must be reviewed in parallel to chart a path across this complex landscape.

This article by Ling Jin and Sunny Su of Lusheng Digital & Commercial and Holly White of Rouse Digital & Commercial Service sets out the impact of the draft provisions and how businesses need to respond.

What is contained in the Draft?

The Personal Information Protection Law (PILP) provides three paths for transferring personal data outside of China: (1) passing a government security assessment undertaken by the CAC; (2) getting certified for personal data protection from a professional organisation; and (3) entering into a standard contract, developed by the CAC, with the outbound recipient.

The draft Provisions on Standard Contracts for Cross-border Transfers of Personal Data (Draft) specifies details for the third path: entering into a standard contract. This includes a template copy of the contract, with the standard contractual clauses (SCCs).

When can the standard contract route be used?

According to the Draft, any personal data processor meeting ALL of the following circumstances may provide personal data abroad by concluding a standard contract:

1. where it is not a critical information infrastructure operator (CIIO) whose operations have significant impact on the public’s interests (for example, finance, transport or medical industries);
2. where it processes not more than one million persons’ personal data;
3. where it has provided the personal data of not more than 100,000 persons accumulatively overseas since 1^st January of the previous year; and
4. where it has provided sensitive personal data of not more than 10,000 persons accumulatively overseas since 1^st January of the previous year.

If a data processor does not meet any of the above thresholds, the cross-border transfer of personal data is highly likely to be subject to the first route, a government security assessment. For the second path, the boundaries of its application are not clear. Further legislation and interpretation from the authorities is required.

If the threshold is met, what is the process to utilise the contract route?

How does the Draft apply to employee personal data?

The SCCs reaffirm that where relevant laws and regulations do not require the individual’s separate consent, it is also not necessary to seek separate consent when signing the standard contract. That means, for employee personal data necessarily collected for the purpose of human resources management, the individual consent of employees to transfer these data overseas is not needed. To avoid potential dispute, the following actions should be taken: the employee privacy policy should detail the cross-border transfer; employees should be informed; and a standard contract implemented.

GET SMART

What is the impact on international business?

Many businesses have been waiting for this clarification relating to cross-border transfer of personal data. It is likely that the Draft will be implemented in its current, or close to current, format, which means businesses can start preparing now.

However, for larger, more complex businesses, the overseas transfer of data is likely to also include other types of business data. The handling of those data sets is subject to other data laws and regulations, some of which are still emerging. For example, on 7^th July 2022, the CAC released the Data Export Security Assessment Measures, under the Cybersecurity Law, Data Security Law and PIPL which take effect from 1^st September 2022.

Businesses must take into consideration the full spectrum of regulations when defining their overall cross-border data strategies. It is likely there will still be some grey areas that need assessing.

What actions should be taken now to prepare for the contract route?

For Chinese employee data, businesses need to:

• Update their employee privacy policy with details of who is hosting the data, where it is stored and why it needs to be transferred.
• Notify employees with details of the cross-border transfer. Although employees are informed via notices, no individual consent is required. 

For the standardised contract:

• Start to negotiate the standardised contract with relevant parties, including the relevant entities in the case of intracompany transfer.
• Ensure parties signing the agreement understand the content and how to follow the requirements.
• Understand how to make it compatible with other international regulations such as the European Union’s General Data Protection Regulation.

Conclusion

Although the release of these draft provisions is a welcome step forward, the regulatory picture for cross-border transfer of data overall is still complex. Businesses need to keep the three data laws (Cybersecurity Law, Data Security Law and the PIPL) and their regulatory frameworks in mind as they formulate their overall approach to data transfer outside of China. Although there may be some uncertainties, reviewing the landscape holistically will be critical to successful implementation. 

About Rouse and Lusheng Law Firm

Rouse is a leading intellectual property services business, an,d together with its strategic partner Lusheng Law Firm, offer a dedicated digital & commercial service. The service supports the world’s IP-rich businesses to successfully exploit cutting-edge digital technologies, either their own or for the purposes of marketing and commerce. By bringing together IP value and commercial objectives, IP and regulatory risks are understood and mitigated, enabling businesses to reap the rewards without exposing their brand or creations.