What you need to know before exporting data from China

The Personal Information Protection Law of the PRC (the PIPL) provides three mechanisms to export data out of China, namely the data outbound security assessment (the security assessment), the personal information outbound transfer standard contract (the CN SCC), and the personal information outbound transfer security certification (the security certification). The first two are compulsory, and the last one is optional and voluntary.

The Cyberspace Administration of China (the CAC) released two administrative regulations, the Rules on Data Outbound Transfer Security Assessment (the Security Assessment Rules, effective on 1 September 2022) and the Rules on Standard Contract for Personal Information Outbound Transfer (the CN SCC Rules, effective on 1 June 2023), to regulate and guide compliance with the security assessment and the CN SCC, respectively.

The security assessment and the CN SCC mechanisms affect data exporters in China, direct foreign data recipients, and indirect foreign data recipients. They cover outbound transfer of important data and personal information. MNCs doing business in China, with or without a local presence, may all be subject to those mechanisms. This article provides a high-level overview of those mechanisms and their impact on MNCs.

Whether the PRC mechanisms apply to you

What is outbound transfer of data?

Under Chinese data protection laws, an outbound transfer of data refers to the transfer of data from China mainland to overseas locations. Transfer is broadly defined to include electronic and physical transfer to locations outside of China mainland, as well as remote access by entities or individuals located outside of China mainland. In practice, a data processor in China is outbound-transferring data when it transfers the data to a recipient, or stores the data, in a destination that is outside of China mainland, or when it allows an entity or individual outside of China mainland to remotely access data stored in China mainland. In addition, a foreign data processor will be subject to the mechanisms if it processes the personal information of data subjects in China when it sells goods, provides services, or remotely assesses or evaluates their behavior.

By contrast, data subject to the mechanisms are limited to data processed in the course of business operations in China. That means that the mechanisms will not apply where a data processor in China mainland receives data from overseas and, after processing, sends the data outside of China mainland, provided that the imported data are not mixed with China local data in processing.

What is important data?

The concept of ‘important data’ was introduced by the PRC Cybersecurity Law (CSL) in 2017 but developed slowly until it was emphasised in the PRC Data Security Law (DSL) in 2021. The general principle under the DSL is that the industrial regulatory authorities and the local governments should each determine what counts as important data in the industries or regions they regulate. The automotive industry is the first, and so far the only, industry that has clearly identified the scope of important data. It is expected that regulators of other industries and local governments will define the scope or the catalogue of important data in their industries and administrative regions soon, although there is no clear timeline.

In connection with this effort, China’s National Information Security Standardization Technical Committee (NISSTC) released in January 2022 a draft guideline for the determination of important data, offering high-level guidance and considerations for the determination.

What triggers the security assessment?

A data processor will be required to go through the security assessment if any of the following criteria is satisfied:

  • it outbound-transfers important data;
  • it is a critical information infrastructure operator;
  • it has processed the personal information of more than one million data subjects as of 1 September 2022 or thereafter;
  • on a dynamic basis, as of the date of its self-assessment, it has outbound-transferred the personal information of 100,000 data subjects since 1 January of the previous year;
  • on a dynamic basis, as of the date of its self-assessment, it has outbound-transferred the sensitive personal information of 10,000 data subjects since 1 January of the previous year.

What is the condition precedent to the adoption of the CN SCC?

Data processors that outbound-transfer personal information but do not meet the above thresholds should go through the mechanism of the CN SCC.

Which one should you choose? Does a choice exist?

A data processor that outbound-transfers data from China mainland is subject to either the security assessment or the CN SCC, unless the data it transfers is neither personal information nor important data. There is no choice between the two for data processors outbound-transferring personal information.

About the security assessment

Who should file?
  • Domestic processors, by themselves.
  • Foreign processors, through their local presence in China.

In practice, the CAC does not allow foreign processors to engage third parties to file for the security assessment on their behalf. Foreign processors may only authorise their subsidiaries or affiliates in China to make the filing.

What is the consequence for ignoring the security assessment?

Data processors that are required to undergo the security assessment but ignore it may be punished for violation of the PIPL, CSL, and DSL. The penalties include suspension of illegal outbound data transfer and administrative fines of up to ¥50m or 5% of the annual turnover in the previous year of the violation.

The CAC recently released the Provisions on the Administrative Law Enforcement Procedures (which will be effective on 1 June 2023), which indicates that it may shift its focus to law enforcement against violations.

How to apply for the security assessment? What documentation should be prepared and provided?

Step one: Self-assessment. The data processor should assess the security risks to personal information and important data in all outbound transfer scenarios.

Step two: Prepare and submit the application package. The processor should first submit the application package to the provincial office of the CAC for a formality check (which should be completed within five working days) to ensure that the application is complete and in good order and format. The original data outbound transfer risk self-assessment report should also be included in this package.

Before submitting the application materials, it is strongly recommended that processors consult, with full disclosure, the provincial office of the CAC under whose jurisdiction they fall. If an offline meeting can be arranged, that is better.

Step three: Review by CAC. The provincial counterpart of the CAC will conduct a formality review of the application. If the application passes the formality review, the provincial CAC will forward the application to the state CAC for a substantive review, and the state CAC will decide within seven working days whether to accept the application and issue a notice to the applicant.

What is the focus of the security assessment?

The security assessment focuses on assessing the risks that outbound data transfer activities may bring to national security, the public interest, and the lawful rights and interests of individuals and organisations.

The Security Assessment Rules provide seven specific types of considerations for the self-assessment, which are also the focus of the CAC in reviewing the application. The considerations include the legality, propriety, and necessity of outbound data transfer; the scale, scope, categories, and degree of sensitivity of the data transferred abroad; the risk of alteration, destruction, leak, and other unlawful use or disclosure during or after the outbound transfer, and others.

About CN SCC

What is the mechanism of the CN SCC?

Step one: Personal Information Protection Impact Assessment (PIPIA). According to the PIPL and the CN SCC Rules, a PIPIA should be conducted prior to signing each CN SCC, which should cover impact assessment of the scenarios of the outbound transfer of personal information under that specific CN SCC. The CN SCC Rules provide clarifications on what factors should be evaluated under the PIPIA.

Step two: No modification or conflicts are allowed between the specific CN SCC signed and the official template. Unlike with the EU SCC, data processors are not allowed to change anything in the main text of the government template of the CN SCC. Although it is permissible for the CN SCC to include additional terms and conditions in its annexes, such additional terms and conditions must not conflict with the main text of the government template.

Step three: File the effective CN SCC with the provincial CAC office for records. The CN SCC Rules require personal information processors to file the executed specific CN SCC for record-keeping with the provincial-level cyberspace department, within ten working days after it takes effect. The PIPIA report should also be submitted together with the specific CN SCC.

Processors of personal information are required to re-assess the impact on the protection of personal information, supplement the existing CN SCC or enter into a new one, and initiate a new CAC filing whenever there is a material change to the key clauses covered by the CN SCC, such as a change in the purpose, scope, type of data to be exported, etc.

Similarities and differences between CN SCC and EU SCC

There are several similarities between the CN SCC and EU SCC, including but not limited to:

  • Data subjects are entitled to rights as third-party beneficiaries and can bring claims against both the data exporter and the foreign data recipient.
  • Both the personal information exporter and the foreign recipient assume joint and several liability to the data subjects.
  • Both jurisdictions require the data exporter and the data importer to exercise reasonable care to assess the impact of local laws on the performance of the SCC, and impose notification obligations on the data importer in case of access by local public authorities.

However, there are differences. For example, the structure of the two SCC templates has been discussed a lot: the EU SCC is segmented into modules for the different roles of data importer and data exporter (C-C, C-P, P-C, P-P), while China provides a universal template without reference to the different roles that may be involved. The reason is that the two jurisdictions have adopted different regulatory approaches. The EU attempts to strike a balance between the protection of individual rights and the free movement of data, while China places more emphasis on management and control of data security.

Therefore, an existing EU SCC will not be acceptable as a qualified legal document in place of the CN SCC.

Security certification: a question mark to watch for

What are the qualified institutions, certification procedures, and costs?

On 16 March 2023, the National Information Security Standardization Technical Committee (TC260) sought public comments on a draft national standard – certification requirements for cross-border transmission of information security technology and personal information (the draft certification requirements).

This draft document is based upon a practical guide to cybersecurity national standards, which provides guidance on the basic principles and requirements of the security certification mechanism. According to the earlier draft, adoption of the security certification is viable under two scenarios: (1) outbound personal information transfer among the members of the same corporate group or an economic or public association/institution; or (2) outbound personal information transfer conducted by overseas personal information processors.

The draft certification requirements removed these restrictions on the applicable scope of security certification, providing that ‘this document applies to the certification of personal information protection by certification institutions for the cross-border transfer of personal information activities’. This expands the applicability of the certification mechanism but at the same time creates questions as to its relationship with the other mechanisms above.

The China Cybersecurity Review Technology and Certification Centers (CCRC) has claimed that it has obtained the authorisation to do the security certification and has released an application portal for this mechanism on its website. CCRC has not published any information about the costs associated with the security certification. CCRC is the first institution in China that is designated to do the security certification. It is expected that there will be more qualified institutions in the future.

Review and technical verification by the certification

According to the CCRC, it will review application documents, which should describe in detail the data processor’s outbound transfer to be covered by the certification. In addition, CCRC will conduct onsite and ongoing technical verification of the applicant and the covered information systems.