In our previous alert, we reported on the proposal of the China Administration of Cyberspace (“CAC”) to relax the cross-border data transfer compliance requirements under the PRC Personal Information Protection Law (“PIPL”). On 22 March 2024, the CAC issued the much-anticipated Provisions on the Promotion and Regulation of Cross-border Data Transfer (“Provisions”), which confirm the relaxation measures and will have significant implications for multinational businesses. The CAC’s guidelines on applications for security assessment and standard contract recordal (“Updated Guidelines”) have also been updated to reflect the new measures. The Provisions and the Updated Guidelines have both come into force with immediate effect.
What has been relaxed?
A significant change is that the Provisions allow certain exemptions from compliance with the required transfer mechanisms under Art.38 of the PIPL, i.e. passing a security assessment led by the CAC, recording a standard contract with the CAC, or obtaining a certification before transferring personal data abroad.
The Provisions also raise the threshold for triggering a security assessment, allowing businesses more flexibility to adopt the alternative transfer tools of standard contract recordal or certification. For example, businesses processing a large volume of personal data (exceeding 1 million data subjects) used to be subject to the official assessment requirement, even if the volume of data exported may be limited. In contrast, the new Provisions focus on the volume of data subjects whose data are exported in determining which transfer tool is applicable.
For exportation of important data, data handlers still have to undergo the official assessment but the Provisions clarify that this only applies to “important data” that has been classified as such by official notices or published announcements by relevant regulators.
The key exemptions and revised thresholds for outbound transfer of personal data by data handlers that are not critical information infrastructure operators (“non-CIIO”) are summarised below:
# | Scenarios | Required transfer tools or exemptions |
---|---|---|
1. | Since 1 January of the current year, accumulated exportation of: more than 1 million data subjects’ personal data (not involving sensitive personal data); or more than 10,000 data subjects’ sensitive personal data | Passing the CAC’s security assessment (subject to exemptions under Nos. 4-6 below) |
2. | Since 1 January of the current year, accumulated exportation of: more than 100,000 but less than 1 million data subjects’ personal data (not involving sensitive personal data); or less than 10,000 data subjects’ sensitive personal data | Recording the standard contract with the CAC, or obtaining certification from a recognised organisation (subject to exemptions under Nos. 4-6 below) |
3. | Since 1 January of the current year, accumulated exportation of less than 100,000 data subjects’ personal data (not involving sensitive personal data) | Exempted from adopting any of the 3 transfer tools |
4. | Necessary for: conclusion/performance of a contract to which the data subject is a party; cross-border HR management purposes in accordance with lawfully formulated labour rules and collective contracts; protecting life, health and property safety in an emergency situation | Exempted from adopting any of the 3 transfer tools |
5. | Exportation of data first collected overseas and then imported into Mainland China for further processing, provided that no domestic personal data or important data is involved throughout the process | Exempted from adopting any of the 3 transfer tools |
6. | The data handler is within a free-trade zone and the exported data does not fall within the negative list | Exempted from adopting any of the 3 transfer tools |
What has not been relaxed?
It is important to note that the Provisions do not exempt businesses from other relevant compliance obligations applicable to cross-border data transfer, such as obtaining informed and separate consent (where applicable), conducting a personal information impact assessment (PIA), ensuring data security and reporting data breaches. Therefore, it is still necessary for data handlers to maintain suitable privacy policies, obtain relevant consents (if applicable), and have appropriate data processing / transfer agreements in place, to ensure compliance.
It remains to be seen whether the CAC will adopt a more liberal or conservative approach in interpreting the exemptions, especially in relation to the “necessity for conclusion / performance of a contract”, as well as “cross-border HR management purposes”, which could substantially ease the compliance burden on multinational businesses.
Clarification on data processing activities under Art.3(2) of the PIPL
One important area of uncertainty under the previous regime was whether the collection and processing of the personal data of data subjects in Mainland China, by an overseas data handler, amounts to cross-border data transfer. This arises, for example, where an overseas business has no physical presence in Mainland China but provides goods/services to its Mainland customers, or analyses or evaluates their behaviour through online platforms, and in doing so directly processes their personal data.
It has now been clarified under the Updated Guidelines that such overseas data processing activities falling within Art.3(2) of the PIPL will be considered cross-border data transfer. Therefore, overseas businesses with no physical presence in Mainland China may find themselves subject to the transfer tools requirement under Art. 38 of the PIPL, subject to any exemption under the Provisions.
Why does this matter to you?
The Provisions address some of the important concerns of businesses and offer some relief from the compliance burden of the transfer mechanism under the PIPL. Businesses should now review their data portfolio to ascertain whether they are subject to the cross-border data transfer regulatory regime and whether any exemptions may apply. In particular, businesses should be alert if they handle and transfer any sensitive personal data (i.e. information about biometrics, religious belief, specific identities, healthcare, financial accounts, location tracking and personal data of minors aged under 14) outside China, considering that the threshold of exportation of sensitive personal data that will trigger the transfer tool requirement is relatively low.
For data transferred within the Greater Bay Area, businesses should also consider if they can take advantage of the separate mechanism of Standard Contract for the Cross-boundary Flow of Personal Information within the Greater Bay Area which seems to have less stringent requirements.
However, it must be remembered that the Provisions do not exempt businesses from the normal data compliance obligations. As the regulatory regime for cross-border data transfer continues to evolve, it is imperative for businesses to stay ahead of the data compliance curve and review their practices to manage the rising enforcement risks. Please contact Deacons Intellectual Property Department if you wish to discuss any questions.