By issuing the draft of Provisions on Standard Contracts for Cross-border Transfers of Personal Data, the Cyberspace Administration of China (CAC) has given visibility over the missing piece of the Personal Information Protection Law regulatory framework.
It provides certainty about the process for cross-border transfers of personal data in lower quantities, where the data processor's operations do not have a significant impact on the public interest. However, the full picture for many businesses is still complex. Businesses may be transferring larger quantities of personal data as well as other business data. When deciding on the approach to take, all relevant laws and regulations must be reviewed in parallel to chart a path across this complex landscape.
This alert sets out the impact of the draft provisions and how businesses need to respond.
What is contained in the draft provisions?
The Personal Information Protection Law (PIPL) provides three paths for transferring personal data outside of China: (1) passing a government security assessment undertaken by the CAC; (2) obtaining personal data protection certification from a professional organization; and (3) entering into a standard contract, developed by the CAC, with the overseas recipient.
The draft Provisions on Standard Contracts for Cross-border Transfers of Personal Data (the Draft) specifies details for the third path: entering into a standard contract. This includes a template copy of the contract, with the Standard Contractual Clauses (SCCs).
When can the standard contract route be used?
According to the Draft, any personal data processor meeting ALL of the following circumstances may provide personal data abroad by concluding a standard contract:
1. where it is not a critical information infrastructure operator (CIIO) whose operations have significant impact on the public’s interests (e.g., finance, transport, medical industries);
2. where it processes not more than one million persons’ personal data;
3. where it has provided the personal data of not more than 100,000 persons cumulatively overseas since January 1 of the previous year; and
4. where it has provided the sensitive personal data of not more than 10,000 persons cumulatively overseas since January 1 of the previous year.
If a data processor fails to meet any one of the above thresholds, the cross-border transfer of personal data is highly likely to be subject to the first route, a government security assessment. For the second path, the boundaries of its application are not clear; further legislation and interpretation from the authorities is required.
If the threshold is met, what is the process to utilise the contract route?
How does the Draft apply to employee personal data?
The SCCs reaffirm that where relevant laws and regulations do not require the individual's separate consent, it is also not necessary to seek separate consent when signing the standard contract. That means that, for employee personal data necessarily collected for the purpose of human resources management, the individual consent of employees to transfer these data overseas is not needed. To avoid potential disputes, we suggest the following actions are taken: the employee privacy policy details the cross-border transfer; employees are informed; and a standard contract has been implemented.
GET SMART:
What is the impact on international business?
Many businesses have been waiting for this clarification relating to cross-border transfers of personal data. It is likely that the Draft will be implemented in its current, or close to current, form. Businesses can start preparing.
However, for larger, more complex businesses, the overseas transfer of data is likely to also include other types of business data. The handling of those data sets is subject to the other data laws and regulations, some of which are still emerging. For example, on 7 July, the CAC released the Data Export Security Assessment Measures, under the Cybersecurity Law, Data Security Law and PIPL.
Businesses must take into consideration the full spectrum of regulation when defining their overall cross-border data strategies. It is likely there will still be some grey areas which need assessing.
What actions should be taken now to prepare for the contract route?
For Chinese employee data, businesses need to:
- Update their employee privacy policy with details of who is hosting the data, where it is stored and why it needs to be transferred.
- Notify employees with details of the cross-border transfer. Although employees are informed via notices, no individual consent is required.
For the standardised contract:
- Start to negotiate the standardised contract with the relevant parties; in the case of intra-company transfers, this includes the relevant group entities. Ensure the parties signing the agreement understand its content and how to follow the requirements. Understand how to make it compatible with other international regulations such as the GDPR.
Although the release of these draft provisions is a welcome step forward, the overall regulatory picture for cross-border transfers of data is still complex. Businesses need to keep the three data laws (Cybersecurity Law, Data Security Law and PIPL) and their regulatory frameworks in mind as they formulate their overall approach to data transfer outside of China. Although there may be some uncertainties, reviewing the landscape holistically will be critical to successful implementation.
For further information, please contact:
Sunny Su, Rouse
ssu@lushenglawyers.com