The Cyberspace Affairs Commission (CAC) of China published this past July the Measures on Security Assessment of Cross-Border Data Transfer (the Security Assessment Measures), which establish the security framework for cross-border data transfers. This is the latest legislative effort to protect the transfer or processing of personal information of Chinese users and customers outside of China.
The Security Assessment Measures will come into effect on September 1, 2022. In addition, the CAC also issued an interpretation guideline (the “Interpretation Guideline”). These documents lay out the ground rules for the security assessment filing for cross-border data transfers that was stipulated in the Cybersecurity Law (CSL), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL).
Under China’s PIPL, companies must meet certain requirements and undergo a security assessment to transfer or process the personal information (PI) of consumers and users in China. However, many of these requirements had not been specified in the law itself, leaving companies uncertain of their obligations under the law and how to comply with it.
The documents act as a guide for entities and certification agencies that help companies transfer the personal information of Chinese citizens overseas, putting forward the basic principles for the processing and protection of personal information, the requirements for all relevant parties in cross-border processing activities, and the protection of the rights and interests of personal data.
The specifications define rules for contracts, the obligations of persons in charge, and requirements for conducting data protection impact assessments (DPIA). They serve to clarify the conditions in Article 38 of the PIPL, which states that companies transferring data outside of China due to business needs must meet certain requirements and undergo a security review.
To be able to transfer personal information overseas, companies must meet the following conditions:
Undergo a security review organized by the CAC, except when exempted in relevant laws and regulations.
Undergo PI protection certification by a professional institution in accordance with the regulations of the CAC.
Sign a contract with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC.
Meet other conditions set by the CAC or relevant laws and regulations.
According to Article 38, companies must adopt necessary measures to guarantee that the overseas recipient of the data complies with the requirements and regulations for processing and protecting personal information stipulated in the law.
Personal information refers to any data that can be used to identify an individual, such as names, phone numbers, and IP addresses. The PIPL also includes “sensitive” personal information, such as biometric data (fingerprints, iris recognition, facial recognition, and DNA), medical history and financial accounts, among others.
The “processing” of personal information is defined as “the collection, storage, use, processing, transmission, provision, publication, and erasure of personal information”.
Not all companies are required to undergo a security assessment before transferring data overseas. The measures reiterate the requirements outlined in previous legislation, which stipulated that companies such as ‘critical information infrastructure’ operators (CIIOs) and state agencies that gather data from Chinese users must undergo a security assessment before being allowed to transfer data overseas.
Entities not considered CIIOs or that handle smaller volumes of data may be able to get clearance to transfer data or PI overseas by simply signing a ‘standard contract’ with the overseas recipient. This procedure is simpler than the CAC security review as it does not require an external audit.
Companies must undergo a security assessment by the CAC under any of the following circumstances:
Data processors providing “important” data overseas.
CIIOs and data processors that process PI of more than 1 million people providing PI overseas.
Data processors that have transferred the PI of over 100,000 people or the “sensitive” PI of over 10,000 people overseas since January 1 of the previous year.
Other situations required to declare data export security assessment as stipulated by the CAC.
The final version of the security assessment measures adds a new article defining the scope of ‘important’ data as “data that may endanger national security, economic operation, social stability, or public health and safety once tampered with, destroyed, leaked, or illegally obtained or used”.
When overseas employees remotely access and process the personal information of Chinese users stored in China, this is also treated as cross-border processing and is subject to the same requirements as if the company were transferring the information to overseas facilities.
The Guidelines will only be applicable to two types of cross-border transfers: (1) internal cross-border transfers within one multinational company or one economic/business entity; and (2) cross-border transfers by foreign entities that analyze and assess the behavior of the individuals located in China subject to the extra-territorial jurisdiction of the PIPL.
In cases of internal transfers, the Chinese entity of the multinational company may apply for the certification and will be liable for the relevant cross-border transfer activities. In cases of extra-territorial jurisdiction of the PIPL, the domestic institution or the representative of the foreign entity may submit the application for certification and will be liable for the relevant cross-border transfer activities.
The Guidelines specify the basic requirement for certification agencies that conduct personal information protection certification for companies that need to engage in cross-border processing of personal information.
Foreign companies that engage in the overseas processing of PI can apply for certification from specialized agencies or set up a designated representative in China, which will also bear the legal responsibility.
The Guidelines establish several areas that must be addressed in the certification, including, among others, legally binding agreements between the parties involved; management of personal information protection within the parties’ organizations; personal information protection impact assessments (PIPIA); and the rights of the data subject.
The parties involved in the cross-border transfer must execute a legally binding and enforceable contract that, among other things, describes the parties involved in the cross-border transfer, the purposes of the transfer, the types and scope of personal information to be transferred, and the safeguards for the protection of the rights of data subjects.
The contract must require that the parties comply with uniform personal information processing rules and specify that the level of personal information protection shall not be lower than that stipulated by Chinese law with respect to personal information protection.
In addition, it shall require the parties to accept the supervision of the certification institution; abide by Chinese personal information protection laws; and explicitly appoint a Chinese entity that shall be responsible for the cross-border transfer activities.
The Guidelines demand that the parties designate a Personal Information Protection Officer, who must have sufficient knowledge of personal information protection requirements and appropriate work experience. This officer should be a senior management-level employee within the organization.
The parties must also set up a personal information protection department, which will be responsible for promulgating and implementing the cross-border transfer plan; organizing the PIPIA; supervising the personal information processing according to the rules; and receiving and handling the complaints and requests of data subjects.
The Guidelines also require the parties to implement and comply with cross-border personal information transfer and processing policies covering, among other things, the types of personal information transferred or processed, the degree of sensitivity and the volume of personal information transferred; the purpose, means and scope of the cross-border transfer; the starting and ending time for personal information storage; and the country/region to which the information will be transferred.
The parties must execute a PIPIA, which must at least address whether the cross-border transfer complies with Chinese laws; the impact of the cross-border transfer on the interests of the data subjects; the impact of the legal and cybersecurity environment of the foreign country/region on the interests of data subjects; and other matters for safeguarding personal information interests.
In addition to obtaining certification of the cross-border transfer, the parties must acquire the individual’s informed separate consent to the cross-border transfer of their personal information.
Individuals must be notified by email, SMS, mail, or fax about the overseas PI processor’s identity; the categories of personal information transferred; the purpose for transferring the personal information; and the retention period for the information.
Subjects should be able to access their data and exercise their rights to copy, correct, supplement, or delete their personal information as provided for under the PIPL.
The PIPL states that personal information shall be processed in accordance with the principles of legality, legitimacy, necessity, and good faith, and shall not be processed through deception, fraud, coercion, or other dishonest means.
Cross-border processing of personal information must adopt the “Principle of Least Privilege”, which means that the person or company processing the information is only allowed to access the minimum amount of data required to complete a certain task. The PIPL states that “the collection of personal information shall be limited to the minimum scope to achieve the purpose of processing, and excessive collection of personal information shall be prohibited”.
One principle that is not mentioned in the PIPL is the principle of voluntary certification for cross-border personal information processing. The Guidelines state that eligible parties involved in cross-border personal information processing can volunteer to undergo certification “at the recommendation of the state” and are encouraged to do so. The purpose of the certification is to strengthen personal information protection and improve the efficiency of cross-border processing.
Foreign companies had expressed concern in the past about the lack of clarity on several steps they must take to comply with the PIPL. The Guidelines address some of these questions. They also focus on China’s PI protection framework, expanding upon concepts raised in the PIPL and applying them specifically to the cross-border processing and transfer of personal information.
Though some issues still remain, the Chinese cybersecurity authorities are expected to continue publishing guidelines and regulations in the near future. Companies should keep informed and updated on any further developments and have a proactive approach to compliance. To learn more about our services in China, contact our Head of Business Advisory - Ms. Kristina Koehler-Coluccia at firstname.lastname@example.org.
DISCLAIMER: All information in this article is verified to the best of our ability and is assumed to be correct at time of release; however, Woodburn Accountants & Advisors does not accept responsibility for any losses arising from reliance on the information provided within. The information provided is for general guidance and does not replace specialized advice.