Achieved Compliance Analyzes New Cross-Border Data Regulations in China

Written by

Achieved Compliance

Companies transferring data out of China for processing should be aware of new cross-border data regulations in China issued on June 26 by China’s National Information Security Standardization Technical Committee - the Cybersecurity Standards Specification for the Certification of Cross-Border Processing of Personal Information.

Companies that wish to transfer data outside of China for processing are required by the Personal Information Protection Law (PIPL) to do so in accordance with the provisions of the law. One basis for lawful transfer is certification by a third party. The Specification details how certification works and what obligations companies must fulfil to obtain it. It establishes the situations in which the Specification applies, the fundamental principles on which certification is based, the basic requirements, and the ways to obtain certification.

What Transfers and Processing Qualify for Certification?

The Specification is not compulsory; it is one of several ways in which companies can establish a lawful basis for the transfer and processing of data across borders. Article 38 of the PIPL provides five ways to process personal information across borders lawfully. In addition to certification, organizations can:

- Meet the criteria of the security assessment provided for in Article 40 of the PIPL.

- Execute a contract with the party receiving the data that follows the standard contract formulated by the Cyberspace Administration of China (CAC) and stipulates the rights and obligations of both parties.

- Meet the criteria of the security assessment required by industry regulators.

- Transfer and process data in accordance with the requirements of applicable international agreements or treaties.

Data controllers and processors may apply for certification in two circumstances:

- First, when personal information is processed by data processors belonging to the same multinational company or to a single economic or business entity. Thus, if a company's Chinese subsidiary collects personal data that is then transferred for processing outside of China but within the same corporate group, certification can support the lawful transfer and processing of that data.

- Second, when personal information is processed by data controllers/processors outside China in the circumstances described in paragraph 2, Article 3 of the PIPL. That paragraph extends the PIPL to processing outside China that is carried out to provide products or services to persons within China, to analyze or evaluate the behavior of persons within China, or in any other circumstance provided by law or administrative regulation; certification is available for transfers that fall within those circumstances.

Limited Applicability of Contractual Provisions

Companies exporting data from China are well-advised to understand their obligations to establish a basis for processing that is recognized in Chinese law. As noted above, in some cases companies may rely upon contractual provisions under the standard contract formulated by the Cyberspace Administration of China (CAC). Contractual provisions do not satisfy the requirements in every case, and where they do not, companies must rely on another of the lawful bases listed above, such as certification. Reliance on contractual provisions is limited to situations where all of the following conditions hold:

1. The number of individuals whose personal information has been transferred is less than 100,000;

2. The number of individuals whose sensitive personal information has been transferred is less than 10,000; and

3. The personal information processed by the data processor pertains to no more than 1 million individuals.

Companies therefore need to know how much data, and what kind of data, they process and transfer in order to determine their obligations under Chinese law; an exporter that crosses any one of these thresholds can no longer rely on the standard contract alone.

What Criteria Are Evaluated for Certification?

The Specification outlines the basic principles, requirements, and data subject rights as factors to be considered before issuing the certification.

First, certification is based on basic principles related to lawfulness, transparency, data integrity, accountability, and equivalent levels of protection.

Second, it establishes basic requirements, such as the need for companies receiving data to appoint a data protection officer and to conduct a data protection impact assessment. Companies must also establish, and abide by, legally binding contractual obligations covering the information transferred and processed and guaranteeing data subject rights.

Third, it articulates data subject rights and the steps that data controllers and processors must take to honor them.

In comparison with the broad language of Article 38 of the PIPL, the Specification sets out a more detailed scheme for certification. Some points remain to be clarified by regulators in China. Achieved Compliance will monitor further developments with respect to the Specification and to China's requirements for cross-border data transfer and processing generally.

These are complicated and fast-changing regulations, and it is important that your business avoids the fines and legal headaches that come with violating them. Please schedule a free consultation with Achieved if you have any questions.