September 3, 2022
By Donnie Dong
The Cyberspace Administration of China (CAC), the national cybersecurity authority empowered to review and approve applications for the cross-border transfer of large-volume personal data, released a Guidelines on Applications for Cross-border Data Transfer Security Assessment (the Guidelines) on August 31, 2022.
Under the PRC Personal Information Protection Law (PIPL) and subordinate regulations, if a data controller/processor were to transfer personal data outside of China and the proposed transfer met the following thresholds, it should apply for the CAC to proceed with a “data security assessment.”
- provide “important data” (as defined by the authority) outside Mainland China;
- identified (by the government) to be operators of the critical information infrastructure or have processed over 1 million individuals’ personal information;
- have provided overseas recipients with over 100,000 individuals’ personal information or over 10,000 individuals’ sensitive personal information during the last calendar year, or
(We have published a newsletter focusing on the situations where the above thresholds are unmet. Click here to read.)
Define cross-border data transfer.
The PIPL does not define the “provision of personal data outside of China”, while the general understanding is it refers to the activities of having one company operating in China copy or transmit the personal data it collected in China to foreign recipients.
The Guidelines do not exceed this understanding but left discretion for CAC to determine whether a data moving/copying process amounts to cross-border data transfer. According to the Guidelines, the following scenarios would amount to the “provision of personal data outside of China”:
- Where (i) personal data is collected and generated during a data sender’s operation in China and (ii) the data sender sends the data to or stores the data in a location outside of China;
- Where the personal data is stored in China but can be queried, retrieved, downloaded and/or exported by foreign entities or individuals (unless such data is publicly accessible data); or
- Other activities that CAC determines to be cross-border data transfers (which gives the CAC wide discretion).
When a threshold is met, the Guidelines require the proposed data sender to produce and submit a bunch of documents along with the application form for the assessment. This includes:
- The data sender’s company certificates to identify its identity
- The data transfer agreement between the data sender and the data recipients – the CAC released a Draft Standard Contractual Clauses (SCCs) in July (Click here to read our summary and comments on it)
- a self-assessment report on the proposed cross-border data transfer – the Guidelines have provided a template outline of such a report, which requires a thorough disclosure of how the data will be protected, transferred, and secured.
Cross-border data transfer has become a focused issue for multinational companies operating in China. Each company should develop a wise and practical compliance strategy with experienced advisors. Please contact us to review your data-transfer practice so we may tailor an appropriate action plan to sustain your business in China.
* * * * *
Author: Dr. Donnie Dong is a partner of Hylands Law Firm, a Certified Information Privacy Manager (IAPP/CIPM), and an Adjunct Professor at the University of Hong Kong’s Academy of Senior Executives. He regularly advises MNCs, unicorns, and start-ups on cross-border intellectual property, data privacy, related investment and contentious matters.