All Things Newz
Law \ Legal

New implementing regulations for data exports in China: What do they mean for my company? – Contracts and Commercial Law


By Art Dicker, Matthew Ding & Robin Tabbers

China has recently issued new implementing regulations for its
trinity of data protection laws – the 2017 Cybersecurity Law
(“CSL”), the 2021 Data Security Law (“DSL”) and
particularly the 2021 Personal Information Protection Law
(“PIPL”). We were overdue for some clarifications from
the Cybersecurity Administration of China (“CAC”) as the
DSL and PIPL already came out last year.

Here are the two new implementing regulations from CAC:

  • The Draft Provisions on Standard Contracts for Outbound
    Transfers of Personal Information
    , which is currently seeking
    comments from the public (“Draft Standard Contracts
    Provisions”); and

  • The Security Assessment Measures for Outbound Data
    , which will become effective as of 1 September 2022
    (“Security Assessment Measures”).

To put these into context, you may recall, that the PIPL formally sets
out the following paths for a personal information processor to
transfer personal information outside of China:

  1. entering into a contract with the overseas recipient adopting
    the standard contractual clauses (“SCCs”) formulated by
    the CAC;

  2. passing a security assessment by the CAC (“Security
    Assessment”); or

  3. obtaining certification by a CAC designated agency for
    protection of personal information

This creates several different routes for companies that we will
discuss in the following:

Route 1: Adopting China Standard Contractual Clauses (SCC)

An official Security Assessment or any Certification process
would be considerably more complicated and time intensive,
stretching the limited resources of many small and medium-sized
companies here. These and even larger enterprises would much prefer
to choose the (1) SCC route if they’re at all eligible (see
discussion below).

The catch is that, only a personal information processor meeting
ALL of the following requirements can adopt the SCC approach:

  1. It is not a Critical Information Infrastructure
    (“CII”) operator;

  2. It does not process more than 1,000,000 individuals’
    personal information;

  3. It has not provided the personal information of more than
    100,000 individuals (in total) overseas since 1 January of the
    previous year (i.e. the last 1-2 years); and

  4. it has not provided sensitive personal information of more than
    10,000 individuals (in total) overseas since January 1 of the
    previous year (i.e. the last 1-2 years).

The Draft Standard Contracts Provisions also set more detailed
requirements on impact assessments on personal information
protection (“PIA”), which is a prerequisite for
cross-border transfers of personal information established by the

A PIA must focus on:

  1. the legality, legitimacy and necessity of the purpose, scope
    and methods of processing by the personal information processor and
    overseas recipient;

  2. the quantity, scope, type and sensitivity of the personal
    information to be transferred to the overseas recipient, and the
    associated risk of such transfer;

  3. the ability of the overseas recipient to take security measures
    to fulfill data protection obligations (under the PIPL);

  4. the risk of any information breaches, destruction,
    falsification, misuse after transfer, as well as the available
    remedial measures for individuals; and

  5. the impact of local policies and regulations on the protection
    of personal information in the overseas jurisdictions.

According to the Draft Standard Contracts Provisions, any
contract concluded by and between the personal information
processor and the overseas recipient shall not conflict with the
SCCs on matters related to the cross-border transfer of personal
information, and the SCCs shall prevail in case of any

In other words, much like labor contracts quote directly from
the language of the Labor Contract Law (even if that language
leaves a lot open to interpretation), we expect to see data
transfer agreements quoting directly from the SCCs.

SCC Coverage:

  1. basic information on the personal information processor and the
    overseas recipient;

  2. the purpose, scope, type, sensitivity, quantity, method,
    retention period, storage place, etc. of personal information to be

  3. the responsibilities and obligations of the personal
    information processor and overseas recipient to protect personal
    information, as well as the technical and management measures
    adopted to prevent the possible security risks arising from
    cross-border transfer of personal information;

  4. the impacts of the policies and regulations on personal
    information protection of the country or region where the overseas
    recipient is located on the compliance with the SCCs;

  5. the rights of the individuals, as well as the channels and
    methods for protection of the rights of the individuals; and

  6. remedy, liability for breach of contract and dispute
    resolution, etc.

Filing Requirements on Data Transfer Agreements:

  1. the data transfer agreement incorporating the SCCs and the PIA
    report should be filed with the CAC within 10 working days from the
    effective date of the agreement.

  2. a data transfer agreement shall be renewed and re-filed when
    any of the core terms and conditions stipulated therein changes,
    such as changes in the purpose, scope, methods of processing by the
    overseas recipient, changes in regulations of the country or region
    where the overseas recipient locates which may affect the rights
    and interests of the individuals, etc.

Route 2: Passing Security Assessment

The Security Assessment Measures are overlapping implementation
rules for the CSL, DSL and the PIPL. It covers not only the
cross-border transfers of personal information, but also
“important data” referred to in those laws. The
requirements are in sync with the Standard Contract Clause (SCC)
requirements discussed above.

A data processor should adopt the Security Assessment approach
in ANY of the following circumstances:

  1. where a data processor provides important data abroad;

  2. where a CII operator or a data processor processing the
    personal information of more than 1,000,000 individuals provides
    personal information abroad;

  3. where a data processor has provided personal information of
    100,000 individuals or sensitive personal information of 10,000
    individuals in total abroad since 1 January of the previous year;

  4. other situations set out by CAC that require a filing under the
    security assessment regime.

Notably, item (3) above sets a more practical threshold than the
Draft Security Assessment Measures released in October 2021, as
this final version includes a definite starting point for
calculating the total processing volume.

While CAC will obviously rely to a large extent on companies
adequately tracking their data and self-policing, at a minimum, a
robust system needs to be in place to track in case of any CAC
audit (whether triggered by a whistleblower, user complaint, or
otherwise) for companies which could come even remotely close to
these thresholds. Showing a fancy, detailed policy without an
implemented system to demonstrate is not going to be looked upon
kindly by CAC.

The Security Assessment procedures:

  1. Before applying for the Security Assessment, the data processor
    should conduct a self-assessment on the risks of outbound data
    transfer, very much akin to the PIA as discussed above.

  2. The data processor must apply for the Security Assessment
    through the provincial level CAC and submit a declaration form, the
    self-assessment report, the data transfer agreement and other
    necessary materials.

  3. The Security Assessment primarily focuses on similar matters
    that are critical in a PIA (summarized above) or the
    self-assessment, with the priority on the assessment of the risks
    to national security, public interests, or the legitimate rights
    and interests of individuals or organizations that may be caused by
    the cross-border data transfers.

  4. The data processor should normally get the results from the CAC
    in around 60 working days calculating from the data of submission
    of the filings. Notably, the final Measures have removed the time
    limitation for completing assessment of more complicated

As the results of a Security Assessment for cross-border data
transfers are valid only for two years, the data processor must
re-apply for a Security Assessment if the validity period expires
or if other special circumstances (e.g., the purpose, method, scope
or type of the outbound data transfer changes) occur. This again
places additional burden on the data processor.

Route 3: Obtaining Certification

As we discussed in the beginning, there is still a third
alternative for cross-border data transfers: Certification. While
there are no regulations yet covering this approach, we have seen
some national standards issued by relevant institutions, setting
guidance for the implementation of the Certification, such as the
Specification for Certification of Cross-border Personal
Information Transfer (TC260-PG-20222A). However, according to this
Specification, the Certification approach can only be adopted in
company intra-group data transfers, or by overseas processors which
are subject to the extra-territorial scope of PIPL (per Article 3
of PIPL).


With these new implementing regulations coming into effect, we
are gradually getting a clearer picture on what should be done to
bring data processing activities in line with legal requirements.
But still, there are gaps to fill. For example, there is still a
lot of room open for interpretation as to whether a data processor
is a CII operator, or if the data collected or generated during its
operation constitute important data.

Without specific, practical guidance from the law itself, it is
still incredibly helpful to try to think about what purpose these
regulations are trying to serve and where the regulators will
naturally have their priorities.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.


Source link

Related posts

NY Dept. Of Financial Services’ First Enforcement Action Against A Crypto Company, And What It Means For Crypto Trading – Fin Tech

The Supreme Court Overturns The Clean Power Plan—Analysis And Key Takeaways – Oil, Gas & Electricity

Review Of Australia’s Carbon Credit Units Announced – Environmental Law