Under the PRC Personal Information Protection Law ("PIPL") which became effective on 1 November 2021, a transfer of personal information outside of China requires multiple conditions to be met.

Personal information can only be transferred overseas upon obtaining separate consent from the data subjects, conducting a personal information protection impact assessment ("PIA") and complying with one of the conditions set out below, namely

  1. a data transfer agreement adopting the PRC standard contractual clauses ("SCCs");
  2. personal information protection certification from a designated certification agent ("Certification"); or
  3. passing the security assessment by the Cyberspace Administration of China ("CAC Security Assessment").

After months of waiting, in the last few weeks, there have been significant developments in respect of all the conditions above:

  1. Draft regulations were finally issued in respect of the SCCs for public consultation.
  2. Detailed specifications on the Certification were issued.
  3. Updated measures on CAC Security Assessment have also been published
  1. THE PRC SCCs

On 30 June 2022, the Cyberspace Administration of China ("CAC") published the Provisions on Standard Contract for Cross-border Transfer of Personal Information (Draft for Comment) for public consultation. The consultation period will end on 29 July 2022.

What do the SCCs cover

The SCCs cover the following:

  1. the basic information of both the data processer and overseas recipient, including but not limited to name, address, contact name and contact information;
  2. the purpose, scope, type, sensitivity, quantity, provision manner, retention period, storage location of the personal information to be transferred;
  3. the responsibilities and obligations of the data processer and overseas recipient with respect to the protection of personal information, as well as the technical and management measures to be taken to prevent potential security risks arising from the cross-border transfer of personal information;
  4. the impact of local policies and regulations on the protection of personal information where the overseas recipient is located may have on the compliance with the SCCs;
  5. the rights of data subjects, and the ways and means of safeguarding the rights of data subjects; and
  6. remedies, termination of contract, liabilities for breach of contract, dispute resolution, etc.

When the SCCs can be adopted

The SCCs can only be adopted if the PRC data processor:

  1. is not a critical information infrastructure operator ("CIIO") (as defined under the PRC Cybersecurity Law);
  2. does not process personal information of 1,000,000 individuals or more;
  3. does not provide personal information of 100,000 individuals or more in aggregate to overseas recipients since 1 January of the previous year; and
  4. does not provide sensitive personal information of 10,000 individuals or more in aggregate to overseas recipients since 1 January of the previous year.

If the data processor does not meet the requirement for adopting the SCCs, it shall consider alternative safeguards, namely Certification or CAC Security Assessment.

PIA required for cross-border transfer

As a pre-requisite for adopting the SCCs, a PIA must be conducted before cross-border transfer of personal information under a data transfer agreement. This is consistent with PIPL. A PIA shall focus on matters such as:

  1. the legality, legitimacy and necessity of the purpose, scope and manner of processing personal information by the data processor and overseas recipient;
  2. the quantity, scope, type and sensitivity of the personal information to be transferred to the overseas recipient, and the associated risk of such transfer;
  3. the ability of the overseas recipient to take security measures to fulfill the protection obligations;
  4. the risk of any information leakage, destruction, falsification, misuse after such transfer, as well as the available remedial measures for the data subjects in the overseas jurisdictions; and
  5. the impact of local policies and regulations on the protection of personal information in the overseas jurisdictions.

It is noted that the Standardization Administration of China issued the Guidance for Personal Information Security Impact Assessment (effective on 1 June 2021) which could be used as a reference for implementing a PIA by data processors.

Filing of data transfer agreement and PIA

A data processor shall file a copy of the data transfer agreement adopting the SCCs with the provincial cyberspace administration where it is located within 10 working days from the effective date of the agreement.

Both the data transfer agreement and the relevant PIA report shall be filed. The relevant personal information transfer can be carried out after the data transfer agreement becomes effective.

Renewal and re-filing of data transfer agreements

A data transfer agreement shall be renewed and re-filed when any of the core terms and conditions stipulated in the data transfer agreement changes.

A renewal and re-filing is required when there are:

  1. changes in the purpose, scope, type, sensitivity, quantity, provision manner, retention period, storage location of the personal information transferred and the purpose and manner of processing by the overseas recipient, or extension of the retention period of the personal information transferred;
  2. changes in the personal information protection policies and regulations of the country or region where the overseas recipient is located which may affect the rights and interests of the data subjects; or
  3. any other circumstances that might affect the rights and interests of the data subjects.

Legal consequences of non-compliance

If any of the following has not been complied with:

  1. non-filing of the data transfer agreement or submission of false materials for filing;
  2. failure to perform the obligations stipulated in the data transfer agreement infringing the rights and interests of data subjects; or
  3. any other event adversely affecting the rights and interests of data subjects,the cyberspace administration at or above the provincial level could order the data processor to rectify the non-compliance within a prescribed period of time, failing which the data processor may be ordered to cease transferring personal information overseas and relevant penalties could be imposed according to applicable laws.

Where the cyberspace administration finds that any activity related to cross-border transfer of personal information no longer meets the security management requirements under the applicable laws and regulations including but not limited to PIPL, it could notify the data processor in writing to terminate the cross-border transfer of personal information, and the data processor shall immediately cease transferring personal information outside of China upon receipt of the notice.

Any organization or individual may also file a complaint or report any non-compliance to the cyberspace administration.

Our observations

Any data processor in PRC including Chinese subsidiaries of multinational companies shall consider the situations where cross-border transfer of personal information may occur and adopt the SCCs as appropriate.

For multinational companies which have adopted the EU standard contractual clauses under the General Data Protection Regulation ("GDPR"), they shall consider preparing an addendum adopting the PRC SCCs to cover transfer of personal information from China. This also applies to intra-group transfer agreements.

  1. CERTIFICATION

On 24 June 2022, the National Information Security Standardisation Technical Committee ("Committee") promulgated the Specification for Certification of Cross-border Personal Information Transfer ("Certification Specification"). The Certification Specification aims to provide the standards and requirements to support designated certification agents in their certification process and guide data processors in their personal information cross-border transfer activities.

When Certification can be adopted

The Certification Specification sets out two scenarios under which Certification can be adopted:

  1. intra-group data transfer, i.e. cross-border transfer of personal information within a multinational company or between subsidiaries of the same economic or business entity or between affiliated companies; or
  2. cross-border transfer of personal information by overseas processors which are subject to the extra-territorial scope of PIPL (per Article 3 of PIPL), i.e. overseas entities providing products or services to natural persons located within PRC; or analysing or assessing the behaviour of natural persons located within PRC. A special agency or designated representative should be set up within PRC by the overseas processor.

The intra-group data transfer scenario is modelled on the Binding Corporate Rules mechanism under GDPR, providing a compliance option for intra-group transfer of personal information. In these situations, the processing activities are conducted between parties with a stable relationship and a consistent management structure.

Designated certification agents

The Certification Specification does not specify who the designated certification agents are.

Considering that organisations such as the China Cybersecurity Review Technology and Certification Centre and the China Electronics Standardisation Institute have provided technical support for the development of the Certification Specification, it is possible that any of them would be the designated certification agent.

Major requirements for Certification

In order to successfully obtain a certification, the Certification Specification introduces a number of requirements as follows:

  1. A binding agreement shall be signed between the data processor and relevant overseas recipient in order to protect data subjects' legitimate rights and interests.
  2. Each party shall appoint a person to be responsible for personal information protection, i.e., the Data Protection Officer ("DPO"). A DPO shall possess special knowledge and management experience in terms of data protection and shall be a member of the decision-making mechanism.
  3. Each party shall establish a personal information protection department responsible for personal information protection, and formulating and performing plans for cross-border transfer, supervising processing in accordance with cross-border transfer rules, etc.
  4. The parties shall comply with unified rules regarding cross border processing of personal information.
  5. A PIA shall be performed. The parties shall evaluate whether such transfer is based on the principles of legitimacy and necessity and whether the adopted protective measures are proportionate to the level of risks, etc.

Our observations

The Certification Specification describes who is eligible to apply for certification under the certification mechanism, as well as whether and how processors are required to fulfil certain obligations in relation to cross-border transfer of personal information. However, the Certification Specification is a recommended industrial practice issued by the Committee but not a mandatory regulation by CAC. Therefore, the Certification Specification's legal effect is not clear. That said, PRC data law practitioners generally take the view that a certification according to the Certification Specification will be an effective method to satisfy the certification requirement under Article 38 of PIPL for cross-border transfer.

The Certification Specification alone is not sufficient and the implementation of the certification mechanism is still subject to further clarification, including what entities will be designated to perform certification; the certification's validity period; the circumstances where a re-certification is required; and whether there is an appeal mechanism for review and supervision of decisions made by the designated certification agents.

  1. Updated Measures on CAC Security Assessment

On 7 June 2022, CAC published the Measures for Security Assessment of Cross-border Transfer of Data ("Measures", which will become effective on 1 September 2022) with the aim to implement CAC Security Assessment stipulated under PIPL, the Data Security Law and the Cybersecurity Law covering both personal information and important data. The draft version of the Measures was published on 29 October 2021 and we have published a detailed article on the draft Measures – please refer to our previous article Proposed security assessment mechanism for transferring data outside of China for details.

Comparing with the draft Measures issued in October 2021, the final version of the Measures has introduced the following key changes.

Comparing with the draft Measures issued in October 2021, the final version of the Measures has introduced the following key changes.

  1. The final Measures have re-categorised the circumstances for which CAC Security Assessment is required. Under the final Measures, a data processor must file a security assessment for cross-border data transfer with CAC through the provincial cyberspace administration where the data processer is located if:
  1. important data will be transferred;
  2. personal information will be transferred by CIIOs or data processors processing personal information of over 1,000,000 individuals in China;
  3. personal information will be transferred by data processors who have either accumulatively transferred (i) personal information of more than 100,000 individuals; or (ii) sensitive personal information of more than 10,000 individuals outside of China since 1 January of the previous year; or
  4. other situations set out by CAC that require a filing under the security assessment regime.

These thresholds are in line with the draft SCC provisions discussed in Section A.

b. The final Measures have clarified the procedural requirements and timeline for the provincial cyberspace administration to conduct the security assessment review. The provincial cyberspace administration shall confirm whether the application documents are in order within 5 working days upon receiving the filing submission. Upon confirmation that the documents are in order, the provincial cyberspace administration shall submit the application to CAC and CAC will review the submission according to the following timeline: (i) 7 working days for the pre-acceptance review upon receiving the submission; and (ii) 45 working days upon acceptance of the submission. Notably, the final Measures have removed the time limitation of 60 working days for completing assessment of more complicated cases, and only stipulate that the extended assessment period shall be notified to the data processor. If the data processor does not agree with the assessment decision of CAC, it is entitled to apply for a reassessment within 15 working days upon receipt of the assessment decision, and the results of the reassessment will be final.

c. The final Measures will take effect on 1 September 2022, and there will be a transition period of 6 months by which full compliance of the Measures is expected.

Our observations

The Measures provide a transition period of 6 months (i.e. by 28 February 2023) for the data processors to bring their cross-border data transfer activities in line with the requirements of the Measures. Given that the security assessment process takes time, it is recommended that all data processors who are subject to CAC Security Assessment shall make necessary arrangements as early as possible to avoid any disruption to their cross-border data activities.

Notably, the CAC security assessment approval for cross-border transfer is only valid for two years, which means that data processors will need to go through the same exercise every two years. Applications shall also be re-submitted if there is any change to the scope and manner of cross-border transfer, change to the data regime of the jurisdiction where the overseas recipient is located, or change of control of the parties.

It would be interesting to see whether data localisation in China will become a priority agenda item for the boards of multinational companies operating in China as a response to the new Measures.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.