Multinational corporations operating in China often share information with their subsidiaries or headquarters outside the country. However, since the Measures on the Standard Contract for Cross-border Transfers of Personal Information came into effect last June, certain personal data processors, including companies handling data on fewer than 1 million people, are required to sign contracts with overseas recipients before sending data abroad.
The legislative framework governing data security in China consists of three laws, the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, together with a series of government regulations issued under these laws.
The new rules, aimed at protecting national security, directly impact the cross-border transfer of personal information by businesses operating in China, Chinese companies listed overseas and those in data-rich industries such as retail, internet, health care, automotive, civil aviation, and finance.
Corporations which regularly share employee or customer data with their headquarters, share IT infrastructure with their Chinese subsidiaries or have remote access to data stored in China, may be subject to China’s cross-border data transfer requirements.
One of the three mechanisms for transferring personal information out of China is the signing of a standard contract with an overseas recipient.
The other two are a mandatory security assessment by the Cyberspace Administration of China (CAC), required for critical information infrastructure operators and for transfers of important data or large volumes of personal data; and certification by an accredited institution (used, for example, for intra-group transfers and by data processors abroad subject to the extra-territorial application of China's Personal Information Protection Law).
Certification is only available if the transfer does not fall within the mandatory security assessment requirements, and not all entities can adopt this option; for example, representative offices set up by foreign entities are not eligible.
Businesses that transfer personal data out of Mainland China on a smaller scale, such as small and medium-sized enterprises, may opt for the standard contract.
This option can only be used if all of the following conditions are met:
the data processor is not a critical information infrastructure operator;
it processes the personal data of fewer than 1 million individuals;
since 1 January of the previous year, it has transferred abroad the personal data of fewer than 100,000 individuals (in aggregate); and
since 1 January of the previous year, it has transferred abroad the sensitive personal data of not more than 10,000 individuals (in aggregate).
Under the Measures, a personal information protection impact assessment (PIA) must be conducted before the standard contract is signed. The PIA evaluates matters such as the legality and necessity of the transfer; the scale, scope and sensitivity of the outbound personal data; the risks to the rights and interests of the individuals concerned; and other security issues, including the obligations the overseas recipient undertakes and whether its technical and organisational measures are adequate to meet them.
To pass the PIA, the data processing systems involved must comply with Chinese law.
Splitting a transfer into smaller batches so that it falls under the standard contract thresholds, in order to avoid the mandatory security assessment regime, is prohibited.
The signed standard contract, the PIA report and other supporting documents must be filed with the local cyberspace administration authority within 10 working days of the contract's effective date.
Industry experts consider that many aspects of the rules remain vague, such as in security assessments, thus slowing down the approval process and causing confusion for some companies.
While the Chinese government hopes to develop the digital economy to uplift the country's gross domestic product, the rules could slow down progress for the industry. Regulators are struggling to strike a balance between enhancing data security and promoting data-driven economic growth.
Though the security assessment Measures have been effective for some time, their implementation has been slow in practice: too many companies in China fall within scope, and regulators lack the manpower to review all of their assessment reports.
A lack of clarity of the review criteria is slowing down the approval process, with regulators and companies not seeing eye-to-eye on why the requested data transfers are necessary. The measures for security assessment require applicants to explain why it is justified, legal and necessary for their data to flow overseas and for overseas recipients to process it, but not much more is specified.
With the implementation of the Measures on the standard contract, regulators will shift more of their efforts to helping these contracts complete the filing process, which in turn will speed up their approval of security assessments, according to experts.
He Yuan, executive director of Shanghai Jiao Tong University's data law research center, noted that the workload on local regulators could increase substantially, as firms handling data on fewer than 1 million people will also need to sign and file a standard contract starting in June.
High compliance costs, difficulties in communicating with overseas data recipients and regulatory uncertainty are some key factors affecting companies' willingness to declare cross-border data transfers.
Companies that need to rectify any non-compliant arrangements occurring before June 1, 2023, have until November 30, 2023 to do so.
To learn more about our services in China, contact our Head of Business Advisory - Ms. Kristina Koehler-Coluccia at kristina@woodburnglobal.com.
DISCLAIMER: All information in this article is verified to the best of our ability and is assumed to be correct at time of release; however, Woodburn Accountants & Advisors does not accept responsibility for any losses arising from reliance on the information provided within. The information provided is for general guidance and does not replace specialized advice.