New Implementing Regulations for cross-border data transfer in China

New administrative regulations have brought more clarity to Chinese data security law. Specifically, these are the “measures for security assessment of cross-border data transfer” (effective from 1 September 2022; with retroactive effect up to and including March 1, 2022) and the “guideline on security certification for cross-border transfer of personal information activities” (effective from 24 June 2022). I will discuss the innovations brought about by the new regulations. To make the changes understandable, I would first like to give an overview of how cross-border data transfer is regulated in Chinese data security law.

*

Chinese data security law basically has three sources of law: the Chinese Cybersecurity Law, the Chinese Data Security Law and the Chinese Personal Information Protection Law (PIPL). The hub of cross-border data transfer in this context is Article 38 of the PIPL. This article specifies when a cross-border data transfer is generally permissible. Specifically, one of the following conditions must be met:

a) passing an official security assessment conducted by the Cyberspace Administration of China (CAC);
b) obtaining a personal information protection certification from a recognised organization;
c) executing a contract, in a form prescribed by the CAC, with the data recipient; or
d) other conditions provided in relevant laws and regulations, or by the CAC.

All in all, at least one of the four (4) conditions mentioned must be fulfilled. Only then is the data transfer considered to be legally compliant.

*

The “measures for security assessment of cross-border data transfer” have now clarified that the security assessment conducted by the CAC (a) is mandatory if one of the following criteria is met:

a1) important data is transferred outside Mainland China;
a2) the personal information processor is a critical information infrastructure operator;
a3) personal information of more than 1 million people is being processed; or
a4) personal information of more than 100,000 people, or the sensitive personal information of more than 10,000 people, has been transferred outside Mainland China since 1 January of the previous year.

As a result, this may represent a significant expansion of the duty to undergo the CAC security assessment (a) and, at the same time, a kind of devaluation of the other grounds for exemption (b-d).

*

The “guideline on security certification for cross-border transfer of personal information activities” itself clarified that certification is available for intra-group company transfers of personal information, and to personal information processors who are outside Mainland China but are subject to the extra-territorial application of the PIPL. However, clarification on a number of issues is required, for instance whether intra-group companies that meet one of the criteria set out in the “measures” described above can be exempted from the official assessment if they have already obtained this certification.
