China recently finalized the Measures for Security Assessment for Cross-Border Data Transfers, unveiling the last piece of the puzzle for cross-border data transfer. This LawFlash highlights the key requirements in the data protection regime and the implications for business operators in the highly regulated, data-intensive field of healthcare.
Data privacy has been a hot topic in China since the Chinese government actively released data privacy laws and regulations in recent years. Three milestone laws in the privacy regime have been published and come into effect, including the Cybersecurity Law (CSL) (2017), the Data Security Law (DSL) (2021) and the Personal Information Protection Law (PIPL) (2021).
Under the umbrella of these fundamental laws, the Chinese government has recently been focusing on rolling out rules and regulations for implementing its cybersecurity, data security, and personal information protection laws.
For example, on June 24, 2022, China published the final version of the Certification Specification for Cross-Border Processing of Personal Information, which provides guidance for companies to have their cross-border data transfer certified as one of the legal routes for business operators to transfer the personal information outside China. On June 30, China further published the draft version of the standard contract for the cross-border transfer of personal information, considered China’s standard contractual clauses (similar to SCC under the EU General Data Protection Regulation), which also provides additional obligations for filing of the standard contract with the government authorities, before the cross-border data transfer can take place.
Finally, on July 7, the Measures for Security Assessment for Cross-Border Data Transfers were finalized, which clarify under what circumstances a company must undergo a security assessment approved by the competent Chinese government authority before exporting data out of China.
HIGHLIGHTS OF DATA PROTECTION LAWS
The data protection laws require companies as data handlers (a concept under the PIPL, similar to data controllers under the General Data Protection Regulation) to obtain informed and separate consents from the data subjects for the collection, processing, and cross-border transfer of personal information (limited exceptions apply).
The law has an extra-territorial effect, which applies both to personal information processing activities within China and those that take place outside China if their purpose is to provide products or services to individuals located in China, or to analyze or assess the behaviors of individuals located in China. Overseas companies caught by the exterritorial jurisdiction of the PIPL should establish a dedicated entity or appoint a representative in China to handle matters in relation to the protection of personal information they collect, and to file the information of the entity or the representative with competent government authorities. Foreign organizations or individuals may be put on a "blacklist" that would restrict or prohibit them from receiving personal information from China if they infringe the personal information rights and interests of Chinese citizens or harm the national security or public interest of China.
Additionally, the law grants statutory rights to data subjects, such as the right to withdraw and modify consents, the right to data portability, and the right to refuse automated decision-making. The law also imposes a number of new administrative requirements on the data handlers, including, but not limited to, designating a data protection officer, signing data processing agreements with data processors, preparing data breach notices, conducting a personal information protection impact assessment (PIPIA), or in some cases obtaining regulatory approval for certain data processing transfer activities.
Employers also qualify as data handlers, so every company will need to ensure that they understand the new requirements that cover the collection and processing of their employees’ personal information, in addition to other types of personal information, as part of their routine employee management functions.
A company must undergo a security assessment approved by the competent government authority before exporting data under any of the following scenarios:
- transferring “important data” out of China;
- the company is certified as a critical information infrastructure operator (CIIO), or transferring personal information out of China if it processes personal information of over one million individuals;
- having transferred personal information out of China reaching the following thresholds since January 1 of the previous year:
- other personal information of more than 100,000 individuals, or
- the sensitive personal information of more than 10,000 individuals; or
- under other circumstances specified by the government authority.
Companies in violation of the data protection laws may be subject to severe penalties, including a fine of up to 5% of the last year's turnover of the company, revocation of the company’s license to do business in China, and personal liabilities for company executives.
IMPLICATIONS FOR THE HEALTHCARE INDUSTRY
Healthcare data (such as medical, genetic, and biometric data) is sensitive personal information, which is subject to a higher level of protection. Processing sensitive personal information requires the data handlers to ensure:
- data subjects have given their explicit and separate consent;
- data subjects have been well informed as to the purposes, scope, necessity and methods of the processing, retention period, and impact on an individual’s rights and interests of the processing, among other things;
- measures (such as encryption, anonymization, etc.) are implemented;
- an internal risk assessment (i.e., the personal information protection impact assessment) is conducted; and
- before transferring the personal information outside China, depending on the nature of the exporter and the nature and volume of the data to be transferred, one of the following mechanisms should be completed:
- undergo a security assessment approved by the government authority (for the CIIOs and entities that transfer important data and a large volume of personal information as analyzed above);
- obtain certification from “qualified institutions” in accordance with the rules of the government authority (e.g., the Certification Specification for Cross-Border Processing of Personal Information that is newly published);
- enter into a data transfer agreement with the overseas recipient based on a “standard contract” published by the government authority; or
- other transfer mechanisms permitted under laws and regulations.