Data Transfers 101: China’s Regulatory Regime on Cross-border Data Transfer in a Nutshell
Casper Sek and Alan Zhang of Jingtian & Gongcheng provide answers to key questions on China’s data transfer regime, and identify some vital trends
Summary:
• The data transfer regime of China is evolving and has become clearer over the past 3 years, with technicalities and procedures being stipulated
• The continuing trend is for a widening of the scope of data which will not require onerous ex ante/ex post procedures
• However, other compliance steps related to data transfer should be taken, and data export in scope for regulatory review will continue to come under close scrutiny by the relevant authorities
Since the promulgation of the Personal Information Protection Law (“PIPL”) (个人信息保护法) in 2021, transferring data out of China has become a heated topic in compliance and has drawn much discussion. Since the concept was first introduced by the Cybersecurity Law in 2017, the perception of, and regulatory focus on, data export by the supervisory authorities have also evolved, and this has led to changes in China’s data export regime.
The Cyberspace Administration of China (“CAC”), the country’s primary supervisory authority for the data export regulatory regime, has recently published an illustration of China’s cross-border data transfer procedures, and the Regulations for the Administration of Network Data Security (网络数据安全管理条例) are about to take effect. This is, therefore, a good time to recap the status quo.
What type of “data” is regulated on export?
There are typically no specific restrictions on the export of general business data generated and collected in ordinary commercial activities. Under China’s current data export regulatory regime, however, the following types of data are subject to export restrictions: (1) “personal information”; and (2) “important data”. Additionally, (3) some types of data in certain industries also come under export scrutiny.
(1) Personal Information
The PIPL, as the primary source of legal authority on personal information export, defines “personal information” (or PI) as any kind of information related to an identified or identifiable natural person, whether recorded electronically or otherwise. The definition is broad: as long as the data relates to a natural person (such as emails, phone numbers and online trackers/cookies), its export comes under compliance considerations under Chinese law.
(2) Important Data
“Important data” is a significant legal term whose core concept is national security. According to the Regulations for the Administration of Network Data Security, important data refers to “data from specific fields, groups, or regions, or data of a certain precision or scale, that, if tampered with, destroyed, leaked, illegally accessed, or misused, could directly endanger national security, economic operations, social stability, public health, or safety.” Since national security covers a range of aspects, including energy security, telecommunication security and so on, over the years the regulatory authorities have tended to maintain a “strategic ambiguity” as to what constitutes “important data”.
Because of its nature, the export of important data falls under an onerous and complex ex ante review process known as the “Data Export Security Assessment”. However, to the relief of practitioners in the field, the law has made clear that, so long as the data to be exported has not been notified to the data handler, or published in an official catalogue, as important data, the data handler is not required to apply for the Data Export Security Assessment. Most foreign-invested enterprises in China fall outside this regime on important data.
(3) Data from Specific Industries
Apart from personal information and important data, there are other regulated data categories with strong industry-related characteristics, such as medical and life sciences, mapping and surveying, electronic payment and “dual-use items”. Data export in such industries will be subject to more specific regulatory scrutiny and it is advisable to seek external counsel for further determination.
What constitutes “data export”?
The main restraint on data export out of China is the regulatory regime on personal information export.
According to the CAC, the following three types of transfer of personal information are deemed “export” and are subject to the export regulatory regime:
(1) A personal information handler (equivalent to a controller in the GDPR sense) transfers or stores personal information overseas by any means;
(2) Personal information is stored by a personal information handler within the territory of China, but foreign institutions or individuals are allowed to access, search, retrieve, download and/or extract that personal information by any means; or
(3) A personal information handler carries out personal information processing activity outside the territory of the People’s Republic of China under either of the following circumstances:
a) where the purpose of the activity is to provide a product or service to natural persons located within China;
b) where the purpose of the activity is to analyse or assess the behaviour of natural persons located within China.
When a company falls within any of the above scenarios, its transfer activities are deemed data export under Chinese law. Scenario (2) deserves particular attention: personal information does not need to leave a server in China to be “exported”; granting an overseas affiliate, vendor or individual remote access to it is sufficient.
What should my company do, both internally and externally, to export personal information out of China?
There are three stakeholders in the export context: the company, the individual whose personal information is to be exported (i.e., the data subject) and the supervisory authority. Respective compliance steps should be taken on all three prongs.
(1) The Company (internally)
As the personal information handler, the company is obligated under Article 55 of the PIPL to conduct a “personal information protection impact assessment” (“PIA”) on the intended export and to keep the PIA report on file for at least three years. The PIA report serves as proof of compliance accountability. The key points of focus of the PIA report are:
a) Whether the purpose, method or any other aspect of the processing of personal information is lawful, legitimate and necessary;
b) The impact on personal rights and interests and level of risk; and
c) Whether any security protection measure taken is lawful, effective and commensurate with the level of risk.
The PIA is the core internal step in personal information export. In addition, other internal obligations apply to the company, such as maintaining the confidentiality, integrity and availability of the data and identifying whether the company processes important data, among other things. It is advisable to tailor the compliance checklist to the business operations of the company.
(2) The Individual (externally)
To stay compliant with the PIPL, an individual’s right to know and right to control should also be respected and maintained. The company is obligated to inform the individual of the details of the personal information export, normally including the overseas recipient’s identity and contact details, the purpose and method of processing, and the types of personal information involved. A suitable legal basis and the proper formalities (such as consent and the “separate consent”) must be secured by the company for the personal information export.
(3) The Supervisory Authority (externally)
The CAC and its provincial counterparts are responsible for overseeing the main body of the personal information export review mechanism. When the export volume or the nature of the personal information reaches a certain statutory threshold, a review mechanism by the supervisory authority (the “PI Export Mechanism”) is triggered, meaning that the company must submit documentation to the supervisory authority (for assessment, filing or certification, as applicable) before the export can proceed compliantly.
The current PI Export Mechanism consists of three routes for export: a) Data Export Security Assessment (as mentioned earlier in relation to important data); b) Standard Contract Filing Procedure; and c) Personal Information Protection Certification. The three routes correspond to different thresholds.
The current thresholds stand at the following levels:
Type of PI | Accumulated Export Volume Annually | Required PI Export Mechanism(s)
Sensitive Personal Information (SPI) | 10,000 persons or more | Data Export Security Assessment
Sensitive Personal Information (SPI) | Fewer than 10,000 persons | Standard Contract Filing Procedure or PI Protection Certification
Ordinary PI (no SPI contained) | 1,000,000 persons or more | Data Export Security Assessment
Ordinary PI (no SPI contained) | 100,000 – 1,000,000 persons | Standard Contract Filing Procedure or PI Protection Certification
Ordinary PI (no SPI contained) | Fewer than 100,000 persons | None
Importantly, the PI Export Mechanism is also subject to certain scenario exemptions (introduced further below) and free trade zone exceptions. Certain free trade zones, such as those in Beijing, Shanghai, Tianjin and Fujian, have developed more relaxed rules for personal information export, and there are special standard contract arrangements in the Greater Bay Area (covering Guangdong, Hong Kong and Macau).
Lastly, for certain specific industries, there are other review mechanisms under separate supervisory authorities. For example, the National Health Commission oversees the export of human genetic resources.
Additional Notes on Critical Information Infrastructure Operators
The export of personal information by Critical Information Infrastructure Operators (“CIIOs”) is also very complex and subject to heavy scrutiny. Fortunately, similar to the notion of “important data”, CIIOs are designated on a “notification” basis: if a company has not received any notification that it is a CIIO, no additional constraints are imposed on it.
Are there any overall exemptions from interacting with the supervisory authority?