Series on Implementing PIPL: (1) Cross-Border Data Transfers and Draft Standard Contract
Step by step, the requirements of the Chinese Personal Information Protection Law or PIPL are becoming clearer with the Cyberspace Administration of China (“CAC”) recently issuing long-awaited guidance in addition to China’s draft SCCs. Having come into force on 1 November 2021, a mere 3 months after it was enacted by the People’s Republic of China (PRC), the distinct lack of guidance around PIPL has left many organisations with questions about how to achieve compliance under the new regime. This article is the first in a series to explore certain key aspects of PIPL in more detail, starting here with cross-border data transfers.
I. Cross-Border Transfers
A concept already familiar to international businesses is the need for a lawful transfer mechanism by which to transfer personal data overseas. Under Art 38 PIPL, data processors are required to meet one of the following conditions to transfer the personal information of individuals located in China outside of the PRC:
- pass a security assessment in accordance with Art 40 PIPL;
- undergo certification by the competent authority;
- conclude a Standard Contract; or
- meet other conditions provided in laws or administrative regulations or by the State cybersecurity and informatization department.
We shall look at each of methods 1-3 in turn below.
1. Security Assessments
Subject to the security assessment according to Art 40 PIPL are Critical Information Infrastructure Operators (CIIOs) and data handlers who are handling personal data above a certain threshold (see below). CIIOs are important network facilities and information systems in public communication and information, energy, transportation, water conservancy, finance, public services, e-government, national defence, science and technology and services which could pose a threat to national security, national economy and people’s livelihoods.
CIIOs and large data handlers are required to domestically store personal information collected and produced within the borders of the PRC, and to pass a security assessment laid down by the CAC before transferring such personal information abroad. Earlier this month, the CAC finally published its Measures for Security Assessment of Cross-border Data Transfers (the “Security Assessment Measures”), which will come into force on 1 September 2022. The Security Assessment Measures will put in place rules for cross-border data transfer security assessments in relation to:
- personal information being handled by certain data handlers as set out in PIPL and the Cybersecurity Law of the People’s Republic of China (the “CSL”); and
- “important data” under the Data Security Law of the People’s Republic of China (the “DSL”).
Under the Security Assessment Measures, a data handler will be required to complete a mandatory security assessment before the transfer of personal information outside of the PRC where:
- the transfer is of “important data”. This is thought to extend the obligations of the DSL and CSL from CIIO’s to all data handlers;
- the transfer is undertaken by a CIIO or the data handler is handling personal information of 1 million individuals or more;
- the data handler has cumulatively transferred cross-border the personal information of at least 100,000 individuals or sensitive personal information of at least 10,000 individuals since January 1 of the preceding year; or
- other circumstances specified by the CAC exist.
Where a data handler is required to conduct a security assessment it must complete an initial self-assessment, which it submits as part of its application to the provincial CAC along with the legal documentation it has put in place with the overseas recipient of the personal data. The provincial CAC will review the application before submitting it to the CAC. This process can take up to 2 months and approval by the CAC is valid for 2 years. Companies must apply for recertification for the security assessment 2 months before the validity expires in order to meet the deadline. Those organisations that are not required to conduct a security assessment are able to choose between certification or implementation of China’s version of the SCCs.
Certification is open to multinational companies with an entity in the PRC, also for associate companies and companies which are subject to the extraterritorial scope of Art 3 para 2 PIPL. If a company is subject to PIPL’s extraterritorial scope, the established legal representative according to Art 53 of PIPL is legally responsible to apply for certification. The organisation acting as the certification body has not yet been established by the Chinese authorities. The organisation applying for certification shall accept supervision by the Chinese authorities and accept to be bound by Chinese legislation. Every organisation has to appoint a PIPO (you can find out more about this obligation in our next article) and has to implement safeguards for data subject rights.
3. Standard Contract
On 30 June 2022, the CAC published its draft Standard Contract for Cross-border Transfer of Personal Information (the “Draft Standard Contract”). The draft is now open to public consultation until 29 July 2022, after which you can expect further updates. The Draft Standard Contract proposes a SCC template which includes:
- basic information about the exporter and the recipient of the data, such as their names and contact information as well as details;
- the purposes, scope, categories, sensitivity, quantity, method, retention period, and storage location of the personal information to be transferred;
- the duties and obligations of the exporter and recipient of the data and any technical and organisational measures in place to prevent security risks;
- the impact of the personal information protection laws in the country in which the recipient is located when compared to those of the PRC; and
- data subjects rights and clauses dealing with remedies for breach of contract, rescission of contract, liability and dispute resolution.
The Draft Standard Contract also reinforces the need for a personal information handler to conduct a Personal Information Protection Impact Assessment or PIPIA. The PIPIA must consider:
- whether or not the purpose, scope, and methods of transfer and further processing by the offshore recipient are lawful, legitimate and necessary;
- the quantity, scope, type, and sensitivity of outbound personal information, and the risks that personal information may bring to the rights and interests of personal information that may be brought about by the export of personal information;
- the responsibilities and obligations undertaken by the overseas recipient, as well as whether management and technical measures and capabilities for performing responsibilities and obligations can ensure the security of outbound personal information;
- the risk of personal information being leaked, damaged, altered, or abused after leaving the country, and whether the channels for individuals to safeguard personal information rights and interests are unobstructed and so forth;
- the impact of personal information protection policies and regulations on the performance of standard contracts in the country or region where the overseas recipient is located; and
- Other matters that might affect the security of personal information leaving the country.
The Draft Standard Contract stipulates that no later than 10 days after signing a Standard Contract, both the contract and a report on the PIPIA must be reported to the local CAC. Where any of the following circumstances occur, the applicable Standard Contract would have to be updated, re-signed and filed with the authorities again:
- changes to purpose, scope, type, sensitivity, quantity, method of processing of personal data;
- changes in foreign data protection laws which may affect the rights or interest of the data subjects;
- other circumstances which may affect the rights or interest of the data subjects;
When the authorities suspect that the transfer is no longer compliant with the regulations for international data transfer according to PIPL and the Standard Contract no longer meets the requirement implied by the regulation they can notify the parties handling the transfer and order them to immediately terminate all transferring activities.
II. Separate Consent
Unlike other jurisdictions, Art 39 PIPL requires the personal information handler to obtain the data subject’s separate consent for any cross-border transfer of personal data. The data subject must be fully informed about the transfer, its purpose, the recipients, the contact details of the recipient and the processing activities. In various articles of PIPL, there is still uncertainty as to whether companies that undergo an Art 40 security assessment also must obtain consent. However, since this would contradict the wording of PIPL, we think that consent must be obtained in any case when transferring personal data outside China. We hope to get more clarity on this question with the following guidelines to be published by CAC.
As with all draft measures, we await the result of the public consultation on the Draft Standard Contract and what further guidance emerges from the PRC over time. In the meantime, watch out for our next instalment in this series of PIPL updates which will look at the roles of the representative and PIPO (China’s equivalent to the DPO).