In February 2023, the Cyberspace Administration of China (the “Cyberspace Administration”) published rules on Standard Contractual Clauses for the transfer of personal information to third countries pursuant to China’s Personal Information Protection Law (the “PIPL SCCs”). These PIPL SCCs rules will come into effect on June 1, 2023. We now have rules on all three main mechanisms for cross-border data transfers outlined in the PIPL.
China passed its Personal Information Protection Law (the “PIPL”) in 2021, and the law came into effect that same year. The PIPL regulates the processing of a natural person’s personal information within China as well as foreign processing of the personal information of a natural person located in China (1) if the processing is for providing products or services to the natural person, (2) if the processing is for analyzing or evaluating the behaviors of the natural person, or (3) in other situations as stipulated by other laws or regulations.
The PIPL covers many of the topics seen in other data privacy laws, such as defining personal information, limiting the bases on which a company can process personal information, obtaining consent from data subjects, processing sensitive personal information, cross-border data transfers, etc. The PIPL defines personal information broadly as any information related to an identified or identifiable natural person, the same definition used in the GDPR. In the PIPL, the data controller is called the personal information processor and the data processor is called the trustee or entrusted party.
Under the PIPL, there are three primary ways for a personal information processor to satisfy the conditions for the transfer of personal information to third countries:
- by completing a Cyberspace Administration security assessment,
- by completing a third-party personal information protection certification for cross-border personal information transfer, or
- by entering into a contract with the foreign recipient of the personal information using the PIPL SCCs published by the Cyberspace Administration.
1. Cyberspace Administration Mandatory Security Assessment
The Cyberspace Administration published the Measures for Security Assessment of Outbound Data Transfers (the “Security Assessment Measures”) in July 2022 and the Guide to the Application for Security Assessment of Outbound Data Transfers (the “Security Assessment Guidelines”) in August 2022, both of which came into effect on September 1, 2022.
Not all three mechanisms are available to every personal information processor. A personal information processor must apply to the Chinese government for the mandatory security assessment if it meets any one of the following three criteria:
- it is an operator of critical information infrastructure,
- it has processed the personal information of more than 1 million individuals in total, or
- it has processed the personal information of more than 100,000 individuals or the sensitive personal information of more than 10,000 individuals since January 1 of the preceding year.
Critical information infrastructure is defined under the Regulations on Critical Information Infrastructure Security Protection to include telecommunications, information services, energy, transportation, water resources management, finance, public services, e-government, defense technology and other important industries, as well as other important networks and information systems, the damage, impairment or data breach of which would seriously endanger the national security, public interest or economy of China.
To complete the mandatory government security assessment, the company subject to the assessment in China must submit a self-assessment report, the cross-border data transfer agreement, the application form, and any other documents or information requested by the Cyberspace Administration. Based on the timeline given in the Security Assessment Measures, if the company submits an adequate application, the security assessment will take about 60 days to complete, but that period may be extended depending on the complexity of each application. Once approved, the security assessment is valid for two years, except that a new security assessment is required if certain changes occur, such as a change in how the foreign recipient uses the data, or a change of control at the personal information processor or the foreign recipient.
2. PIPL SCCs for Cross-Border Transfer
If the personal information processor does not meet any of the three criteria, it may choose between completing a third-party personal information protection certification and using the PIPL SCCs.
The Cyberspace Administration issued the official rules on the PIPL SCCs for the cross-border transfer of personal information in February 2023, clarifying how companies can use the PIPL SCCs to facilitate the transfer of personal information to third countries. Under these rules, the personal information processor must file the following documents with the provincial cyberspace administration within 10 business days of the effective date of the standard contract it enters into with the foreign personal information recipient:
- the PIPL SCCs/standard contract, and
- a personal information security impact assessment report.
A personal information processor can add content to the SCCs/standard contract, provided that the additional content does not contradict the PIPL SCCs.
It is worth noting that the rules state explicitly that companies subject to the mandatory security assessment shall not circumvent that requirement by splitting the overall volume of transferred data across separate PIPL SCCs.
3. Third-Party Certification
For third-party certification, the Cyberspace Administration published implementation rules in November 2022. So far we know that the China Cybersecurity Review Technology and Certification Center is authorized to perform the certification, and it has posted a certification application form on its website. Third-party certification is a more involved process than using the SCCs, but multinational companies with offices in China that constantly transfer personal information to their own subsidiaries or affiliated companies located outside China may want to consider this option. The certification is valid for 3 years, during which period the personal information processor is subject to post-certification monitoring by the certification agency. For a processor to be certified for cross-border processing of personal information, it must meet the national standards specified in the Personal Information Security Specification (GB/T 35273) as well as the Regulations on Personal Information Cross-border Processing Certification (TC260-PG-20222A).
With rules for all three main mechanisms now in place, it is a good time for companies to evaluate or reevaluate which mechanism(s) are available to them and how to implement them to minimize risk exposure for cross-border data transfers under China’s PIPL. It remains to be seen how China will enforce these rules on cross-border data transfers. Penalties under the PIPL range from suspension of data processing applications and fines to cancellation of business permits and personal liability for senior executives of the business.