China’s rise on the global stage has manifested itself in many ways, and it should be no surprise that China has gained prominence in terms of its privacy and security legislation. In recent years, major pieces of legislation have been promulgated: the 2017 Cybersecurity Law, the 2021 Data Security Law and the 2021 Personal Information Protection Law.

One common area of interest arising from those three laws, especially for organizations, is how cross-border data transfers will be addressed and implemented. And perhaps fittingly in the heat of summer, the cross-border data transfer landscape in China heated up with the following developments:

  • On June 24, the National Information Security Standardization Technical Committee released the Cybersecurity Standard Practice Guideline — Specification for Security Certification of Personal Information Cross-Border Processing Activities introducing a certification framework for cross-border data processing.
  • On June 30, the Cyberspace Administration of China released the draft Provision on the Standard Contract for Personal Information Cross-Border Transfer, which introduces standard contractual clauses for public consultation.
  • On July 7, the CAC further released the long-awaited Measures for Security Assessment of Cross-Border Data Transfer, which takes effect Sept. 1.

These developments provide the initial implementation details for engaging in cross-border data transfers from China for organizations. The details are familiar in some parts, while others raise questions and contain implications to ensure compliance.

Overview of China’s cross-border data transfer rules

While the rules continue to evolve, the current rules require a step-by-step approach to navigate the cross-border data transfer requirements.

The first step to consider is if the transfer is a regulated cross-border data transfer scenario. A useful reference point is the 2017 draft Guidelines for Cross Border Data Transfer Security Assessments issued by TC260, which listed situations which would be considered as cross-border data transfers, including remote access to the data from abroad.

The second step to consider is if there are any applicable exceptions. For example, Article 35 of the 2021 draft Network Data Security Regulations contains the exception “where the Personal Information Processor [i.e., a data controller] needs to provide the personal information of related party abroad in order to conclude or perform the contract to which an individual is a party, or where personal information must be provided abroad in order to protect the personal life and health and the safety of property.” It remains to be seen if the exception will be included in the final version, but the inclusion of the exception would certainly be reasonable.

The third and final step is to choose from the following three cross-border data transfer mechanisms depending on the specific circumstances. An organization will undergo a CAC security assessment if:

  • It is a critical information infrastructure operator or a personal information processor based in China (the equivalent term of “data controller”) who processes 1 million or more individuals’ personal information.
  • The data being transferred is important data (which is defined in Article 19 of the CBDT Rules, and which will vary from sector to sector).
  • The transfer meets any of the following criteria: (i) transfers of personal information of more than 100,000 individuals or (ii) transfers of sensitive personal information of more than 10,000 individuals (the number of individuals will be calculated from Jan. 1 of the preceding year). Once obtained, the security assessment is valid for two years.
  • If the transfer does not fall within the above, the China-based personal information processors should go for the standard contractual clauses. Again, this is still a draft for public comment.
  • Finally, if none of the above apply, for China-based personal information processors which are transferring data to overseas subsidiaries or affiliates of a multinational or an economic or non-economic entity, certification may be an alternative option.

Comparison of the three mechanisms

Currently, the only mechanism organizations can avail themselves of is the security assessment when it takes effect Sept. 1. That said, when the three mechanisms do come into effect, the following may be worth keeping in mind when embarking on a specific mechanism:

Security assessments are valid for two years. Once a security assessment is passed, this provides a degree of certainty for organizations. The uncertainty, however, is the amount of time it would take for the security assessment process to be completed, especially if the assessment is deemed to be complicated, and with the probable involvement of the national and provincial-level CAC, State Council authorities and other specialized organizations.

Certification is anticipated to solve frequent personal information transfers among subsidiaries or affiliates. However, we expect certification may not have broad applicability in practice. This is due to the low thresholds that would trigger security assessments and the fact certification applies to data transfers out of China among intra-company/group entities only. It is also unclear how long certification, once obtained, will be valid.

SCCs presumably allow for cross-border data transfers without the regulator’s prior approval. However, SCCs may be difficult to conclude when foreign recipients do not have a China office or are unfamiliar with China's laws or some of the obligations within the SCCs. Further, we expect that as in the case of certifications, the SCCs may not have wide applicability in practice as a standalone data transfer mechanism due to the low thresholds for security assessments.

Implications for MNCs in China

It would be a mistake to ignore the sea change of regulation taking place in China. While relying on existing processes and governance structures may be a good starting point for most multi-national companies, adopting further prudent steps to ensure compliance is probably the best way forward.

Bring out the calculators. Self-assessment and calculating the number of individuals to which the processing and transfers relate will be critical as that determines if the CAC security assessment is required. Processes may be required to monitor thresholds and to trigger internal reviews.

Know your data. As the CAC security assessment is also tied to the classification of the data, e.g., sensitive personal information, knowing what data is being transferred is also crucial. This would require a good understanding of data flows.

Hire a DPO in China if you do not have one. In the current guidelines, a DPO is necessary for domestic and overseas entities applying for certification. In any event, an organization also needs designated personnel to conduct data protection impact assessments and to communicate with the CAC, e.g., for security assessment approval or filing the SCC with the CAC. An expert in the area may also facilitate communication and mitigate the risk of possible confusion or misunderstanding.

Privacy by Design will help you. Incorporating additional questions in your existing DPIA process to address the purpose of transfer, risk of transfer, and the number of individuals will help assess the need for security assessments and ensure that transparency, consent and DSAR requirements are complied with.

Be conservative. Be cautious in handling the ambiguities in the legislation. A fair amount within the rules remains unclear, e.g., what is considered a cross-border data transfer. We suggest aiming for a higher bar to minimize the frequency of revisiting earlier positions and the risk of law enforcement.

The rules for cross-border data transfers will continue to evolve. Continued watchfulness and investments in compliance is required. If the recent summer heat is anything to go by, we will continue to see an elevated frequency of changes in the data regulatory climate.