By issuing the draft Provisions on Standard Contracts for Cross-border Transfers of Personal Data, the Cyberspace Administration of China (CAC) has given visibility over the missing piece of the Personal Information Protection Law regulatory framework.
It provides certainty about the process for cross-border transfer of personal data in lower quantities, where the data processor's operations do not have a significant impact on the public interest. However, the full picture for many businesses is still complex. Businesses may be transferring larger quantities of personal data as well as other business data. When deciding on the approach to take, all relevant laws and regulations must be reviewed in parallel to chart a path across this complex landscape.
This alert sets out the impact of the draft provisions and how businesses need to respond.
The Personal Information Protection Law (PIPL) provides three paths for transferring personal data outside of China: (1) passing a government security assessment undertaken by the CAC; (2) obtaining personal data protection certification from a professional organization; and (3) entering into a standard contract, developed by the CAC, with the overseas recipient.
The draft Provisions on Standard Contracts for Cross-border Transfers of Personal Data (the Draft) specifies details for the third path: entering into a standard contract. This includes a template copy of the contract, with the Standard Contractual Clauses (SCCs).
According to the Draft, any personal data processor meeting ALL of the following circumstances may provide personal data abroad by concluding a standard contract:
1. where it is not a critical information infrastructure operator (CIIO) whose operations have significant impact on the public’s interests (e.g., finance, transport, medical industries);
2. where it processes not more than one million persons’ personal data;
3. where it has provided the personal data of not more than 100,000 persons accumulatively overseas since January 1 of the previous year; and
4. where it has provided sensitive personal data of not more than 10,000 persons accumulatively overseas since January 1 of the previous year.
If a data processor fails to meet any one of the above thresholds, the cross-border transfer of personal data is highly likely to be subject to the first route, a government security assessment. For the second path, the boundaries of its application are not yet clear; further legislation and interpretation from the authorities is required.
The SCCs reaffirm that where relevant laws and regulations do not require the individual's separate consent, it is also not necessary to seek separate consent when signing the standard contract. That means, for employee personal data necessarily collected for the purpose of human resources management, the individual consent of employees to transfer these data overseas is not needed. To avoid potential dispute, we suggest the following actions be taken: the employee privacy policy details the cross-border transfer; employees are informed; and a standard contract has been implemented.
Many businesses have been waiting for this clarification relating to cross border transfer of personal data. It is likely that the Draft will be implemented in its current, or close to current format. Businesses can start preparing.
However, for larger, more complex businesses, the overseas transfer of data is likely to also include other types of business data. The handling of those data sets is subject to the other data laws and regulations, some of which are still emerging. For example, on 7 July, the CAC released the Data Export Security Assessment Measures, under the Cybersecurity Law, Data Security Law and PIPL.
Businesses must take into consideration the full spectrum of regulation when defining their overall cross-border data strategies. It is likely there will still be some grey areas which need assessing.
For Chinese employee data, businesses need to:
For the standardised contract:
Although the release of these draft provisions is a welcome step forward, the regulatory picture for cross-border transfer of data overall is still complex. Businesses need to keep the three data laws (Cybersecurity Law, Data Security Law and PIPL) and their regulatory frameworks in mind as they formulate their overall approach to data transfer outside of China. Although there may be some uncertainties, reviewing the landscape holistically will be critical to successful implementation.