Anna Gamvros and Ruby Kwok explain the compliance burden businesses face as China’s complex data governance landscape takes shape and the deadline for security assessments looms.
The Cyber Security Law (CSL), Data Security Law (DSL) and Personal Information Protection Law (PIPL) together form China’s data governance regime, a key element of which is the regulation of data cross-border activities.
In 2022, we saw significant legislative developments under the PIPL as the relevant Chinese authorities published further details elaborating on the cross-border transfer mechanisms. With the digital economy booming and cross-border data activities increasing, it has become more crucial than ever for organisations doing business in or with China to understand the new requirements and how to navigate through China’s complex data protection regulatory landscape.
When the PIPL first came into effect last year, there were no concrete guidelines or regulations on how businesses should implement the cross-border data transfer mechanisms set out in Article 38 of the PIPL: security assessment, security certification, and Standard Contractual Clauses (SCC). During the course of this year, the Cyberspace Administration of China (CAC) issued a series of documents that provided more details on each of these mechanisms, namely:
- Security Assessment Measures for Outbound Data Transfers (Security Assessment Measures) released on 7 July 2022;
- Certification Guidelines for Cross Border Data Transfer (Certification Guidelines) released on 24 June 2022;
- draft Standard Contractual Clauses Provisions (China SCC Provisions) released on 30 June 2022.
More detail on each mechanism is set out below.
1. Security assessment
The first mechanism is to file for and pass a security assessment conducted by the CAC; it is also the most demanding of the three mechanisms. It targets personal information handlers (PI handlers) who:
- process important data or are a critical information infrastructure operator (CIIO);
- processed more than 1 million individuals’ personal information;
- have transferred more than 100,000 individuals’ personal information since 1 January of the previous year; or
- have transferred more than 10,000 individuals’ sensitive personal information since 1 January of the previous year.
A security assessment is mandatory for PI handlers if any of the above criteria are met. The Security Assessment Measures took effect on 1 September 2022 with a six-month grace period, which means PI handlers in the above categories must complete a security assessment by 28 February 2023. A security assessment approval is valid for only two years, so a PI handler that plans to continue cross-border data transfer activities should apply to renew the assessment 60 working days before the expiration date.
The CAC released its Guidelines for Security Assessment Application (Guidelines) on 31 August 2022 to clarify the scope and requirements of the security assessment. Some key points are highlighted below:
- The Guidelines deem the following to be cross-border data transfers:
  - where a business transfers to, or stores, overseas the data collected or generated during its operation in China; and
  - where the data collected and generated by a business is stored within China, but can be accessed, retrieved, downloaded or exported by overseas entities.
- The Guidelines provide a checklist of the documents required for the security assessment application, including:
  - an application form (a template is provided);
  - a copy of the contract / legal document to be concluded with the overseas recipient(s);
  - a self-assessment report on cross-border data transfer risks, to be completed within the 3 months prior to the application (a template is provided);
  - business documents (i.e. a copy of the business licence; a copy of the legal representative’s ID; a copy of the ID of the person in charge of the application and a power of attorney for that person) and other supporting materials.
2. Security certification
The second mechanism is to obtain certification, and it is only applicable where:
- cross-border data transfers take place within a multinational group company or between the subsidiaries or affiliated companies of the same economic entity;
- personal information processing by overseas handlers is covered by Article 3(2) of the PIPL (i.e. where the business provides products or services to individuals in China, or analyses the behaviour of individuals in China).
The certification should be filed by the domestic affiliate of the applicant or, if the applicant has no entity in China, by its designated China representative. However, the Certification Guidelines leave out some key details of certification: they do not identify any certification bodies or provide any details regarding the certification process. Subsequently, on 18 November 2022, the CAC released the Personal Information Protection Certification Implementation Rules (Certification Rules), which took immediate effect on the same day.
The Certification Rules provide further details on the certification stages, which will include technical verification, field inspection and post-certification supervision. The Certification Rules also address matters such as the validity period of the certification, alteration, suspension and cessation of the certification, and provide samples of the certification mark. Although the Certification Rules fill in some gaps, uncertainty remains over the certification bodies. More details may be specified in future guidance, but for now this means it is still impractical to rely on this mechanism.
3. Standard Contractual Clauses
The final mechanism is to sign the China SCC. Although the China SCC Provisions are still in draft, given the fast-evolving development of China’s data governance regime, the China SCC Provisions are likely to be finalised soon. It is also likely that the China SCC will become the most widely adopted cross-border transfer mechanism due to its accessibility.
However, when an overseas handler directly collects personal information from data subjects in China, it will not be able to rely on the China SCC due to the absence of a counterparty (i.e. there should be a domestic handler who collects data subjects’ personal information and transfers it to the overseas handler).
Which route should you consider?
As set out above, the three mechanisms are triggered by certain conditions, which means a business must first consider:
- whether it is a CIIO;
- whether it processes “important data” or “large-scale personal information” (i.e. 1 million individuals in China);
- the number of individuals whose personal information / sensitive personal information it has transferred overseas since 1 January 2021 (i.e. > 100,000 individuals’ personal information or > 10,000 individuals’ sensitive personal information); and
- the nature of transfer (e.g. intragroup transfer, direct collection from overseas).
In relation to the security assessment, businesses must complete it if they meet the threshold: if the answer to any of the first three questions is “yes”, a security assessment is required. Assistance and cooperation from the overseas recipient are also required, as the self-assessment template in the Guidelines explicitly requires businesses to provide detailed information on the data security protection capability of the overseas recipient and on the regulations and cybersecurity environment in the country or region where the overseas recipient is located. Further, the activities of financial institutions are generally considered more risky by the CAC because they involve a stronger demand for data export and may be subject to offshore compliance regulations requiring disclosure of certain data to foreign authorities.
If a business is not required to conduct the security assessment, it may choose between security certification and the SCC. The SCC is less costly than security certification and can be incorporated into the primary agreement between the parties. However, the SCC only provides for two parties on the front page, so whether the SCC can be signed by multiple parties to cover day-to-day data transmission between intragroup companies is yet to be clarified. If data transfers between intragroup entities cannot be covered by the same SCC agreement, security certification may be a better option.
As China’s complex data governance landscape takes shape, businesses are facing a greater compliance burden, especially those with strong demands for data export, such as financial services institutions. With the deadline for the security assessment only three months away, businesses that are subject to the security assessment requirements should already have mapped out their cross-border data transfer flows and be undertaking one of the following:
- reorganising their data infrastructure to avoid the security assessment threshold before the deadline; or
- preparing all the documents required for a security assessment application for submission.
All businesses with data export needs are strongly recommended to pay close attention to any upcoming regulations and take compliance actions immediately.
Anna Gamvros is Head of Information Governance, Privacy and Cybersecurity for Asia Pacific, and Ruby Kwok is Senior Associate, at Norton Rose Fulbright.