Chinese Regulations on International Data Transfer
It has become increasingly significant for companies to keep abreast of data compliance trends to comply with data compliance-related policies and regulations in China. With the start of 2023, reviewing the regulations related to data transfer released in China over the last year is essential. These regulations may impact multinational companies investing in China and companies involved in cross-border business.
These policies aim to regulate the transfer of personal information outside of China, protect personal data, and promote the safe and free flow of cross-border personal data.
Recently, the Cyberspace Administration of China (“CAC”) released the Standard Contract Provisions for the Export of Personal Information (Draft for Comment) (“Standard Contract Provisions Draft”) on June 30, 2022 following the Personal Information Protection Law of the People’s Republic of China (“PIPL”).
When a personal information processor agrees with an overseas recipient to provide personal information outside of China following Paragraph 1(3), Article 38 of the PIPL, the information processor and the overseas recipient shall sign a standard contract for the export of personal information (“Standard Contract”) according to the Standard Contract Provisions. Additional contracts relating to the export of personal information shall not conflict with the Standard Contract.
Personal information processors who meet the following conditions may provide personal information overseas by signing a Standard Contract:
- infrastructure operators handling non-critical information;
- personal information for less than 1 million people;
- since January 1 of the previous year, the accumulated personal information provided overseas is less than 100,000 people; and
- since January 1 of the previous year, the accumulative number of sensitive personal information provided overseas is less than 10,000 people.
Additionally, the Standard Contract Provisions stipulate that personal information processors should conduct an impact assessment of personal information protection before providing personal information overseas. It lists the main contents that the personal information processors should include in the Standard Contract and the impact assessment.
Importantly, the Standard Contract Provisions Draft introduces a new filing obligation.
The filing obligations require that personal information processors file the Standard Contract and Personal Information Protection Impact Assessment Report with the local provincial-level cyberspace administration department within ten (10) working days from the effective date of the Standard Contract. Personal information processors can carry out the export of personal information after the Standard Contract takes effect.
The Standard Contract Provisions Draft states that the personal information processor shall be responsible for the authenticity of the filing materials. However, the Standard Contract Provisions do not mention a requirement for the substantive review of the submission materials. Parties should understand that the filing requirement are widely understood and observed. Accordingly, the local provincial-level cyberspace administration department will only conduct formality review of the filing materials. The review is for archiving purposes in preparation for the subsequent supervision, not as an administrative approval procedure. However, the Standard Contract Provisions for the Export of Personal Information have yet to be formally implemented.
It is recommended that relevant companies continue to pay attention to the details of the subsequent legislative process and filing procedures.
John DeStefano, is a patent and technology technical advisor at Founders Legal. He received his Bachelor’s Degree in Electrical Engineering from Missouri University of Science and Technology (Rolla) and is pursuing a J.D. at Franklin Pierce School of Law with a focus on Intellectual Property.