Rules on Cross-border Transfer of Data and Personal Information

On July 7, 2022, the Cyberspace Administration of China officially issued the Measures for th Security Assessment of Outbound Data Transfers (the “Security Assessment Measures”), effective on September 1, 2022.

In addition, on June 24, 2022, the National Information Security Standardization Technical Committee released the Practical Guidance on Cyber Security Standards – Specification on Authentication Technologies for Cross-border Personal Information Processing Activities (the " Authentication Specification"); On June 30, 2022, the Cyberspace Administration of China published the Provisions on Standard Contract on the Outbound Transfer of Personal Information (Draft for Public Comment)

01 What does Outbound Data Transfer mean?

According to the Security Assessment Measures, Outbound Data Transfer activities include:

  1. The data processor transmit and store abroad the data collected and generated in domestic operations;
  2. The data collected and generated by the data processor is stored in China but can be accessed or invoked by institutions, organizations or individuals abroad.

02 Are all data outbound transfer acts subject to restrictions?

China's personal information protection legal regime mainly restricts the outbound transfer of important data and personal information. In particular, the application of the Security Assessment Measures is clearly limited to the important data and personal information.

The exit of important data is subject to strict restrictions regardless of the quantity and the exit assessment by the cyberspace administration of the State. As for the personal information, the restrictions and compliance requirements vary, depending on whether the processor belongs to the Crucial Information Infrastructure Operator ("CIIO") and the number of people involved.

03 What should be done to comply with the rules?

Scenarios

routes and procedures

Other major compliance measures

1.     Provision of important data abroad by data processors; or

2.     Provision of personal information abroad by CIIO or data processors processing personal information of more than 1million people; or

3.     Provision of personal information abroad by data processors who have provided personal information abroad of 100,000 people or sensitive personal information of 10,000 abroad accumulatively since January 1 of the previous year; or

4.     Other situations as stipulated by the Cyberspace Administration of China.

Declaration of Security Assessment on Outbound Data Transfer

 Where personal information is involved, it is also necessary to:

1. Obtain individual’s consent;

2. Carry out personal information protection impact assessment;

Record the transfer.
Other situations of providing personal information abroad, such as:

1.     non-CIIO;

2.     the processor is processing personal information of less than 1 million people;

3.     providing personal information of less than 100,000 people abroad since January 1 of the previous year;

4.     providing personal information of less than 10,000 sensitive personal information since January 1 of the previous year;

 1. Certified by professional institutions for personal information protection; or

2. Sign Standard Contract on the Outbound Transfer of Personal Information and file it with the cyberspace administration of the province.
Special circumstances, such as:

Providing personal information stored in the territory of the China to foreign judicial or law enforcement agencies.

 Submit an application to the competent authority to decide whether to approve it in accordance with international treaties /agreements or the principle of equality and reciprocity.

04 Is the Contract on the Outbound Transfer of Personal Information necessary to be signed where the processor has applied for Security Assessment?

According to the Security Assessment Measures, the data processor should clearly stipulate the data security protection responsibilities and obligations of the receiving party by signing legal documents with the overseas receiving party.

05 How to certify the personal information protection?

The data processor shall apply with the qualified professional institutions for the certification, the list not announced by the cyberspace administration yet.

06 How about the previous outbound data transfer?

For the outbound data transfer act prior to the effective date of the Security Assessment Measures, there is a rectification period ending on February 28, 2023 (inclusive).

Written by: Adv. Monica Han