Conventus Law

Conventus Law

by

Did you know?

The Measures on the Standard Contract for Cross-border Transfers of Personal Information (the Measures) promulgated by the Cyberspace Administration of China (CAC) came into operation on 1 June 2023.

Why does this matter to you?

China’s rules on the cross-border transfer of personal information may impact on businesses operating in China. Multinational organisations will often have a business need to share employee or customer data with their global headquarters or other parts of the business outside of China. Many corporations may share IT infrastructure with their Chinese subsidiaries or have remote access to data stored in China. Such activities could be subject to China’s cross-border data transfer requirements.

The signing of a standard contract with an overseas recipient is one of the three mechanisms for transferring personal information out of China. The others are mandatory security assessment by the CAC (for critical information infrastructure operators and transfers of important/sensitive personal data at the prescribed levels) and certification by an accredited institution (such as for intra-group transfers, and data processors outside the Mainland who are subject to the extra-territorial application of China’s Personal Information Protection Law). The accreditation route is only available if the transfer does not fall within the mandatory assessment requirements, and not all entities and organisation can adopt this option, e.g. representative offices set up by foreign entities are not eligible. The standard contract route may be preferred option for businesses that transfer personal data out of the Mainland on a smaller scale, such as small and medium-sized enterprises. It may be used where the following criteria are met:

  • the data processor is not a critical information operator;
  • it processes the personal data of less than 1 million individuals;
  • since 1 January of the previous year, the personal data of less than 100,000 individuals (in aggregate) has been transferred; and
  • since 1 January of the previous year, sensitive personal data of not more than 10,000 individuals (in aggregate) has been transferred.

However, the Measures also require the business to conduct a personal information protection impact assessment (PIA) prior to entering into the standard contract. This should assess key matters including the legality and necessity of the data transfer, the scale, scope, and sensitivity of the outbound personal data, the risks to the rights and interests of individuals concerned, as well as security issues. It is important that data systems are compatible with Chinese law in order to pass the PIA.

The Measures specifically prohibits dividing the data into smaller quantities in order to meet the standard contract criteria in an attempt to circumvent the mandatory security assessment regime. 

The standard contract, impact assessment report and other supporting documents should be filed with the local cyberspace administration authority within 10 working days of the effective date of the contract.

Organisations have until 30 November 2023 to rectify any non-compliant arrangements occurring before 1 June 2023, and should take steps now to assess the impact of their cross-border data transfer, and seek advice on the best option for them to ensure compliance.

Please see here for our earlier alert on “Challenges under China’s complex privacy compliance framework”.

WRITTEN BY

For further information, please contact:

Dora Si – Partner,
dora.si@deacons.com

Dora is a Partner in the China IP Practice.

Dora is admitted as a solicitor in Hong Kong and England and Wales. She holds a LLM (Commercial and Corporate Law) degree from the University College London and a LLB (Hons) degree from the University of Hong Kong.

Dora’s practice covers all aspects of China IP protection and enforcement. She has supported many multinational and Asian businesses in IP portfolio management, and has extensive experience in brand protection, particularly brand selection, re-branding, and conducting trade mark opposition proceedings and settlement negotiations. Dora has handled complex cross-border and online infringement cases, involving administrative actions and contentious proceedings in China and has successfully obtained well-known trade mark recognition for international clients in China.

Dora advices on a wide range of commercial IP transactions including e-commerce issues, advertising compliance, celebrity rights, licensing, franchising and distribution. She has represented many clients in relation to IP audits, due diligence for mergers and acquisitions, technology transfer, and technology development cooperation.

Dora also advises on China-related data privacy and cybersecurity issues including advising on the legal framework for the protection of personal data, important data, confidential information, trade secrets and state secrets in China, cross-border data transfer issues, data privacy audits, policies and compliance strategies.

Dora has been recognised as a Top 40 under 40 Lawyer (2020) by Asian Legal Business, as a Silver Tier Individual in Enforcement and Litigation in Hong Kong (2019-2021) by World Trademark Review 1000 and a Recommended IP Lawyer in China (2020-2021) by Legal 500.

Highlights

  • Advising on copyright transfer in China for a US video games and software company.
  • Successful recordal of franchise for a Swedish furniture wholesaler in China.
  • Advising on distribution and licensing arrangements involving garments and home products for a global sourcing firm based in Hong Kong.
  • Advising a US-based cosmetic and personal care corporation on data protection issues in relation to its launch of a new e-commerce platform including local law compliance of its global privacy policy and website terms and conditions.
  • Advising a Hong Kong-listed conglomerate on the compliance requirements to facilitate the cross-border transfer of personal data from Mainland China to Hong Kong, including preparing template data transfer contracts and data protection clauses in employees’ contract and assisting with self-security assessment.
  • Managing trade mark portfolios in China and Hong Kong for multinational clients including a US-based direct sales company, a leading US car manufacturer, a world leading fashion magazine, a global banking card company and a US-based food manufacturer.
  • Successful petition on behalf of a French veterinary pharmaceutical company to Beijing Communications Authority to close down website suspected of trade mark infringement in China.
  • Successful advising a US-based technology company in relation to a .CN domain name dispute and limitation issues.
  • Advising a US-based sports equipment company in trade mark proceedings in China resulting in recognition as a well-known trade mark.

Register for your monthly Asia legal updates from Conventus Law

Error: Contact form not found.

RELATED ARTICLES