
How to comply with China’s new rules for cross-border transfer of personal information

Multinational corporations operating in China often share information with their subsidiaries or headquarters outside the country. However, since new regulations came into effect in June 2022, certain personal data processors, including companies that only handle data on fewer than 1 million people, are required to sign contracts with overseas recipients before sending data abroad, writes Kristina Koehler-Coluccia, Head of Business Advisory at Woodburn Global.

The legislative framework in China for governing data security consists of three laws: the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. The Measures on the Standard Contract for Cross-border Transfers of Personal Information, which came into effect last June, have the biggest impact on companies in China.

Though the measures have been in effect for some time, their implementation has been slow in practice as there are too many such companies in China and not enough manpower to handle their assessment reports. High compliance costs, difficulties in communicating with overseas data recipients and regulatory uncertainty are some key factors affecting companies’ willingness to declare cross-border data transfers.

The new rules, aimed at protecting national security, directly impact the cross-border transfer of personal information by businesses operating in China, Chinese companies listed overseas and those in data-rich industries such as retail, internet, health care, automotive, civil aviation and finance.

Corporations that regularly share employee or customer data with their headquarters, share IT infrastructure with their Chinese subsidiaries or have remote access to data stored in China may be subject to China’s cross-border data transfer requirements.

The first of the three mechanisms for transferring personal information out of China is the signing of a standard contract with an overseas recipient. The other two are a mandatory security assessment by the Cyberspace Administration of China (CAC), which applies to critical information infrastructure operators and to transfers of important/sensitive personal data, and certification by an accredited institution (applicable to intra-group transfers and data processors abroad subject to the extra-territorial application of China’s Personal Information Protection Law).

The latter certification is only available if the transfer does not fall within the mandatory assessment requirements, and not all entities can adopt this option. For example, representative offices set up by foreign entities are not eligible.

Businesses that transfer personal data out of Mainland China on a smaller scale, such as small and medium-sized enterprises, may opt for the standard contract. This option can only be used under certain circumstances:

  • The data processor is not a critical information operator
  • It processes the personal data of fewer than 1 million individuals
  • Since 1 January of the previous year, the personal data of fewer than 100,000 individuals (in aggregate) has been transferred
  • Since 1 January of the previous year, sensitive personal data of not more than 10,000 individuals (in aggregate) has been transferred

A personal information protection impact assessment (PIA) must be executed before entering into the standard contract. This step evaluates important matters such as the legality and necessity of the data transfer, the scale, scope, and sensitivity of the outbound personal data, the risks to the rights and interests of individuals concerned, and other security issues. Data systems must be compatible with Chinese law in order to pass the PIA, and it is prohibited to divide data into smaller quantities to meet the standard contract criteria in an attempt to circumvent the mandatory security assessment regime.

The standard contract, impact assessment report and other supporting documents must be presented to the local cyberspace administration authority within 10 working days of the effective date of the contract.

While the Chinese government hopes to develop the digital economy to uplift the country’s gross domestic product, the rules could slow down progress for the industry. Regulators are struggling to strike a balance between enhancing data security and promoting data-driven economic growth. Moreover, industry experts argue that many aspects of the rules remain vague, such as in security assessments, thus slowing down the approval process and causing confusion for some companies.

A lack of clarity on the review criteria is slowing down the approval process, with regulators and companies not seeing eye-to-eye on why the requested data transfers are necessary. The measures for security assessment require applicants to explain why it is justified, legal and necessary for their data to flow overseas and for overseas recipients to process it, but not much more is specified.

Regulators are trying to shift more of their efforts to helping contracts complete the filing process, which in turn will speed up their approval of security assessments, according to experts.

Companies that need to rectify any non-compliant arrangements occurring before 1 June 2023 have until 30 November to do so.

Robynne Tindall

Robynne Tindall is FOCUS's Editorial Manager
