
Data Cross-Border Transfer Approaches


On July 21, 2022, the Office of the Central Cyberspace Affairs Commission (hereinafter referred to as the "CAC") announced that, based on the findings of a cybersecurity review, it had imposed huge administrative fines on Company A, amounting to 4.6% of its revenue in the previous year, which is undoubtedly a record fine since the promulgation of China's Cybersecurity Law. The fine imposed on Company A far exceeds the 743-million-euro fine imposed on Amazon a year ago for violating the GDPR, making it the highest fine ever imposed in the global history of data protection. Based on this event, it is foreseeable that under strong oversight, compliance in cross-border data transfer will become the focus for both multinational enterprises and Chinese enterprises "going abroad".

Just a few days before the publication of the abovementioned administrative penalty, a series of rules and regulations for cross-border data transfer had been introduced by the CAC. On June 30, 2022, the CAC released the Provisions on Standard Contracts for the Cross-border Transfer of Personal Information (Draft for Comments) (hereinafter referred to as "Standard Contract Provisions") and an annexed standard contract (hereinafter referred to as "Standard Contract"). On July 7, 2022, the CAC issued the Measures on Security Assessment of Cross-border Data Transfer (hereinafter referred to as "Assessment Measures"), which will come into effect on September 1, 2022. We note that the Assessment Measures and the Standard Contract Provisions complement each other by forming "high and low road" approaches for the cross-border transfer of important data and personal information. In addition, on June 24, 2022, the National Information Security Standardization Technical Committee (hereinafter referred to as "TC260") issued the Practice Guidelines for Cybersecurity Standards - Technical Specification for the Certification of Cross-Border Processing of Personal Information (网络安全标准实践指南——个人信息跨境处理活动安全认证规范 in Chinese, hereinafter referred to as "Certification Specification"), which provides a basic reference for the process of security certification of cross-border personal information processing activities.

As such, the implementation rules for the three main cross-border data transfer approaches as described in Article 38 of the Personal Information Protection Law (hereinafter referred to as “PIPL”) have been largely outlined, namely (i) passing a security assessment organized by the CAC; (ii) having been certified by a specialized agency for personal information protection in accordance with the provisions of the CAC; and (iii) entering into a CAC standard contract with the overseas recipient, specifying the rights and obligations of both parties.

In this article, we will introduce the highlights of the above three legislations in the context of the three corresponding cross-border data transfer approaches. By comparing these approaches with the activities and scenarios encountered by enterprises, we hope this article can provide a reference for concerned enterprises in selecting an approach that fits their respective context[1].

I. Approach I: Security Assessment

The release of the official version of the Assessment Measures, after three drafts for comments, marks the final formation of the requirements for cross-border data transfer security assessment. Moreover, the Assessment Measures consolidate the rules on cross-border transfers of personal information and of important data, which have been governed by separate rules since 2017, into a single set of provisions[2].

1. Scope of application

According to Article 4 of the Assessment Measures, a security assessment is mandatory for the entities engaging in at least one of the following data transfer activities. In such cases, entities are barred from taking the other two approaches, and should apply to the competent provincial-level CAC at their registered address for security assessment.

  • Data processors transferring important data: According to the Data Security Law, each region and department shall issue a catalog of important data for their respective region, department, as well as relevant industries and fields. However, as of now, no departments have released such catalogs yet. We suggest that concerned entities refer to the identification factors listed in the national standard Information Security Technology – Rules for Identification of Important Data (Draft for Comments) (信息安全技术 重要数据识别指南(征求意见稿) in Chinese) to identify whether they process important data.
  • Critical information infrastructure operators (“CIIOs”): CIIOs are identified and notified of their status by competent authorities and administrating departments. As a precaution, concerned entities can determine whether they belong to CIIOs based on the Guidance for Operations of National Cybersecurity Check (重要数据识别指南 in Chinese). Please refer to the steps described in our newsletter release for February 2022, i.e., Data Compliance in the Fields of Energy and Chemical Industry - Article 1.
  • Data processors handling personal information of more than 1 million persons: This provision echoes the Cybersecurity Review Measures (网络安全审查办法 in Chinese), which stipulate that online platform operators handling personal information of more than 1 million users must apply for a cybersecurity review when they seek listing abroad. Therefore, some online platform operators may be required to apply for both security assessment and cybersecurity review when they seek listing abroad, though the two procedures may overlap in some review elements.
  • Data processors that have transferred personal information of 100,000 persons in aggregation or sensitive personal information of 10,000 persons in aggregation abroad since January 1 of the previous year: This cumulative standard means that data processors who have transferred personal information continuously for a period of up to two consecutive years may also be required to apply for security assessment even if each transfer is well below the threshold.
  • Other situations requiring security assessment as stipulated by the CAC: This miscellaneous provision leaves room for other situations that may arise in the future where security assessment is needed, such as the transfer of core data as defined in the Regulations on Network Data Security Management (Draft for Comments).

2. The "two-step" process for security assessment

A self-assessment is required by the Assessment Measures as a precondition to the security assessment process. While the issues to be assessed in the self-assessment and in the final security assessment are roughly the same, the latter additionally encompasses national security and data security considerations, such as: the impact of the data security policies and regulations and the cybersecurity environment of the country or region where the overseas recipient is located on the security of the data to be provided abroad; whether the data protection level of the overseas recipient meets the requirements of the laws and administrative regulations of the People's Republic of China and mandatory national standards; and compliance with Chinese laws, administrative regulations and departmental rules.

3. Other key take-aways

The process of security assessment is quite complex and may be time-consuming. Provided that no application documents are subject to resubmission and no extension of the assessment duration is needed, the maximum duration of an assessment will be 57 (i.e., 5+7+45) working days. Where the assessment result is negative, another 15 working days are available for applying for reassessment. Since the assessment result is only valid for two years, concerned entities need to re-apply for assessment 60 working days before the expiration date, or earlier when the situation changes during the validity period. This also means that concerned entities need to regularly self-assess their data transfer activities.

Although the Assessment Measures do not directly provide for penalties for non-compliance, they do contain provisions linking to the penalties laid out by the Cybersecurity Law, Data Security Law, Personal Information Protection Law and other laws and regulations. Having reviewed such legislation, we understand that the maximum administrative penalty for illegal cross-border data transfer could be more than 50 million yuan or not more than 5% of the enterprise's turnover of the previous year in fines, an order to suspend relevant activities or suspend business for rectification, and revocation of the business permit or license. A fine of not less than 100,000 yuan but not more than 1 million yuan may also be imposed on the person directly in charge and other directly liable persons, and the said persons might be prohibited from acting as directors, supervisors, senior executives and persons-in-charge of personal information protection of relevant enterprises within a certain period of time[3]. The Assessment Measures also provide that, where the violation constitutes a crime, relevant entities shall also be held criminally liable in accordance with law.

II. Approach II: Security Certification

Security certification corresponds to the second compliance approach stipulated in Article 38 of the PIPL. Though the CAC has not yet promulgated specific implementation rules for this approach, the Certification Specification, as a standard-related technical document, can be a useful reference for concerned entities, considering that TC260 is the developer of several national standards in the field of information security technology.

According to the Certification Specification, the circumstances under which the safety certification is applicable are relatively narrow, including only the cross-border personal information processing activities between subsidiaries and affiliates under multinational companies or the same economic or business entity, as well as the personal information processing activities carried out by overseas entities targeting natural persons residing within China, as stipulated in Article 3(2) of the PIPL.

In addition to clarifying some of the substantive and procedural requirements for certification, the Certification Specification also stipulates that personal information processors should comply with the requirements of GB/T 35273 Information Security Technology - Personal Information Security Specification (信息安全技术-个人信息安全规范 in Chinese). However, being constrained by its contents, structure and level of effectiveness, the Certification Specification has left items such as the certification authorities, certification procedures and requirements to be stipulated in future regulations to be released by the CAC.

III. Approach III: Entering CAC Standard Contract

1. Scope of application

Entering into a CAC standard contract is complementary to the security assessment in that the upper limit of its threshold corresponds to the lower limit of the latter’s. Specifically, personal information processors who enter into a CAC standard contract shall meet the following conditions simultaneously:

  • being non-CIIOs;
  • handling personal information of less than 1 million persons;
  • having transferred personal information of less than 100,000 persons abroad since January 1 of the previous year; and
  • having transferred sensitive personal information of less than 10,000 persons abroad since January 1 of the previous year.

As mentioned above, the Assessment Measures require concerned entities to conduct a self-assessment before conducting cross-border data transfer. Similarly, the Standard Contract Provisions require concerned entities to conduct a personal information protection impact assessment (“PIA”) before conducting the transfer as well. Although the two assessment procedures are not mutually substitutable, their respective assessment items are largely similar, with both elaborating on key points of assessment of cross-border data transfer on the basis of the assessment items provided in Article 56 of the PIPL.

2. Key Points of the Standard Contract

Key points of the Standard Contract include the following:

  • Prerequisite Provisions: The contracting parties shall ensure that the Standard Contract contains the required terms and conditions listed in Article 6 of the Standard Contract Provisions, as well as ensuring that the other agreements between them related to cross-border data transfer do not conflict with the Standard Contract.
  • Impact of local personal information protection policies and regulations: The Standard Contract is notably lax on its requirement in this regard, requiring both the personal information processor and the foreign recipient to ensure that they have not been informed, after reasonable efforts, of relevant local policies and regulations that would prevent the foreign recipient from performing its obligations under the contract.
  • Dispute resolution: To handle disputes that may arise during the performance of the Standard Contract, the parties may designate either a Chinese court for litigation or an arbitration institution located in a New York Convention member state for arbitration. No further provisions are made regarding the seat of arbitration. This option makes the Standard Contract easier for the offshore recipient to accept.

3. Filing of the Standard Contract

The personal information processor shall submit the text of the Standard Contract, along with the PIA report, to the local provincial-level CAC for filing. It is worth noting that the Standard Contract Provisions do not provide for substantive review of the filing items, nor do they make the completion of filing a pre-requisite for cross-border data transfer. Once the Standard Contract takes effect, the personal information processor can carry out transfer activities, and must submit the filing within 10 working days from the effective date of the Standard Contract.

In addition, Article 8 of the Standard Contract Provisions lists the circumstances in which the parties shall enter into a new agreement and submit it for filing again, which overlap in part with the circumstances in which security assessment must be re-applied for under the security assessment approach.

IV. Comparison of three cross-border data transfer compliance approaches

As introduced above, the scopes of application of all three cross-border data transfer compliance approaches have clear boundaries, and the differences among the three approaches are obvious.

1. Scope of application

The scope of application of the security assessment approach is the widest. The sheer size of internet users in China means that medium-sized internet enterprises and leading enterprises in other fields can reach the security assessment threshold easily, not to mention that applying for a security assessment is the “only way out” for cross-border data transfer by important data processor and CIIOs. The scope of application of the Standard Contract is wider than that of security certification, which is narrower and explicitly defined.

2. Process and time frame

The security assessment procedure is the most complex of the three approaches, and its time frame is the longest. Since the completion of filing is not a pre-requisite for cross-border data transfer under the Standard Contract approach, its time frame is the shortest, making it the best choice for enterprises that do not meet the security assessment threshold. As for security certification, the Certification Specification has left items such as the certification authorities, certification procedures and requirements to be stipulated by future regulations to be released by the CAC.

3. Flexibility

Security assessment and entering Standard Contract are both "one-off" in nature, with the relevant regulations providing for the circumstances in which re-entering into Standard Contract or re-applying for security assessment within the validity period is needed. In contrast, security certification is suitable for cross-border processing of personal information between subsidiaries and affiliates under multinational companies or the same economic or business entity. Since the validity period of security certification is expected to be long-term (to be further defined by relevant regulations), if there is no substantial change in the certification matters, the security certification obtained can be used as the legal basis for continuous and high-frequency cross-border processing activities such as HR information and email exchange. As such, concerned enterprises may not need to apply for certification again.

4. Legal documentation requirements

All three compliance approaches have clear requirements for the legal documents entered into between the data processor and the recipient. In particular, both the Standard Contract approach and security assessment require an agreement/contract, except that the security assessment accepts documents in a form not limited to an agreement, e.g., other documents with similar legal effect. However, since the security assessment procedure includes a substantive review of whether such documents adequately provide for data security protection responsibilities, the flexibility of legal documents under this approach is actually quite limited.

In terms of the content of the agreement, the requirements of the Standard Contract for the recipient to accept the jurisdiction of Chinese law are more flexible. Security certification requires the foreign recipient to accept the supervision of the PRC certification body and the jurisdiction of Chinese laws and regulations related to personal information protection. The Standard Contract, in contrast, only requires the contract to be governed by Chinese law, and also allows the concerned parties the liberty to select from a larger range of dispute resolution methods.

V. Conclusions

The Assessment Measures provide a 6-month grace period. Enterprises within the scope of their application must complete a rectification of past non-compliance by February 28, 2023, which is a relatively tight schedule. Since the whole security assessment process can take more than two months, and in order to avoid being unable to carry out cross-border data transfer activities when the grace period expires while the assessment results are not yet available, we suggest that concerned enterprises complete self-rectification, including self-assessment, as soon as possible, preferably before December 1, 2022, and prepare the documents for submission to the competent authorities.

Specifically, we recommend that concerned enterprises review and select a suitable cross-border data transfer compliance approach as soon as possible via the following process:

  • Data mapping and classification: This includes calculating the number of personal information subjects that the concerned enterprise has engaged, and whether the amount of personal information to be transferred meets the above-mentioned threshold, and mapping potentially important data. We recommend that concerned enterprises suspend any and all transfer of such potentially important data while waiting for the release of the relevant important data catalog by authorities.
  • Reducing the size of data to be transferred by sorting out data that are not necessary to be transferred based on the “as minimum and as necessary” principle embodied in the PIPL. To this end, data localization measures may be considered for such types of data.
  • Considering the overlap in assessment matters, the personal information PIA or the cross-border data transfer self-assessment may be conducted simultaneously.
  • When a cross-border data transfer compliance approach is selected, the preparation of application documents including the Standard Contract or assessment documents according to the requirements of relevant regulations can follow.

[1] The following types of data are not included in the scope of this article:

(i) data prohibited from transferring abroad e.g., data deemed as state secrets; and

(ii) data temporarily not included in the cross-border data transfer regulation system, such as business data handled by non-critical information infrastructure operators, which are not important data and personal information, and are not otherwise prohibited or restricted from being transferred abroad.

In such cases, we understand that existing legislation does not restrict or prohibit the export of such data. However, the Regulations on Network Data Security Management (Draft for Comments) may include all kinds of data into the cross-border data transfer regulatory regime. We hence recommend that concerned enterprises should monitor its development for any further change to occur.

[2] Examples include the changes made by the Measures on Security Assessment of Cross-border Transfer of Personal Information (Draft for Comments) to the 2017 Measures on Security Assessment of Cross-border Transfer of Personal Information and Important Data (Draft for Comments), which set uniform provisions for the cross-border transfer of personal information and important data, and the separate provisions for the cross-border transfer of important data and personal information in Article 31 of the Data Security Law and Chapter 3 of the Personal Information Protection Law.

[3] Please see Article 66 of the Personal Information Protection Law for details.

Special Statement:

The above content represents the author's personal views, does not represent the position of the author's institution, and should not be regarded as a legal opinion or advice of any kind.


2026-06-02 18:28:49
大成律师事务所