协力 (Dezan Shira & Associates): 2024 China Personal Information Protection Law (PIPL): Cross-Border Data Transfer in China Handbook (English version) (46 pages).pdf

PIPL 2024: Cross-Border Data Transfer in China Handbook

Researched and authored by Dezan Shira & Associates. This edition of PIPL 2023/24: Cross-Border Data Transfer in China Handbook was produced by a team of professionals at Dezan Shira & Associates, with Qian Zhou and Arendse Huld as editors and Nathaniel Rushforth as contributor. Creative design of the guide was provided by Aparajita Zadoo and Miguel Enrico Anciano. 2024 Dezan Shira & Associates.

Disclaimer
The contents of this guide are for general information only. For advice on your specific business, please contact a qualified professional advisor. Copyright 2024, Asia Briefing Ltd. No reproduction, copying or translation of materials without prior permission of the publisher is permitted.

The Doing Business in Asia Guides Series, available to download now: China Guide, India Guide, Vietnam Guide, ASEAN Guide, Hong Kong Guide, Indonesia Guide, Singapore Guide, China Super City Clusters, Dubai Guide. Our Doing Business in China Portal consists of 100+ guides, videos, publications, and tools that are practical and easy to navigate, covering: Why China, Regions to Invest, Sector Insights, How to Set Up, Tax, Audit and Accounting, HR, Recruitment, PEO and Payroll, News, Events, and more.

About Dezan Shira & Associates
Dezan Shira & Associates is a pan-Asia, multi-disciplinary professional services firm providing legal, tax and operational advisory to international corporate investors. Operating throughout China, India and ASEAN, our mission is to guide foreign companies through Asia's complex regulatory environment and assist them with all aspects of establishing, maintaining and growing their business operations in the region. With over 30 years of on-the-ground experience and a large team of lawyers, tax experts and auditors, in addition to researchers and business analysts, we are your partner for growth in Asia.

Table of Contents
- Introduction: Why does it matter?

- What data are subject to CBDT mechanisms? (Personal Information; Important Data)
- What kind of companies will have CBDT issues? (Multinationals and foreign companies; Critical Information Infrastructure Operators)
- What counts as CBDT activities? (Exemptions for certain CBDT activities)
- What are the current rules for CBDT?
  - CBDT mechanism I: Security assessment by the CAC (Who must undergo a security assessment for cross-border data transfer?; Procedures of a data export security assessment; Validity and extension of security assessment)
  - CBDT mechanism II: Third party PI protection certification (Who can apply for the PI protection certification?; PI protection certification requirements; The impact of the Security Certification Standards on businesses)
  - CBDT mechanism III: Signing a standard contract (Who can apply the standard contract mechanism for CBDT?; Pre-condition: Conducting PIPIA; What must be stipulated in the standard contract?; Filing procedures for the standard contract; New Standard Contract Guidelines Streamline in the GBA)
- Recent developments & trends: Easing CBDT requirements for foreign companies (Increased data volume thresholds for CBDT compliance procedures; Easing requirements for the export of "important data"; Exemptions for certain cross-border data transactions; Facilitated data flows in FTZs; Extension of security assessment validity period; Implications of the new regulations for foreign companies in China)
- 2024 outlook for cybersecurity and data protection regulations (More clarity on legal definitions; Implementation of trials for "green channels" and "general data" lists for free CBDT; Further adjustments to align with DEPA and CPTPP benchmarks)
- Conclusion: How businesses can deal with China's evolving cross-border data transfer regimes
- Appendix I: Regulatory framework for CBDT in China

Introduction: Why does it matter?
The global surge in cross-border data flow has prompted governments worldwide, including China, to intensify oversight of data export and enhance security provisions. Against the backdrop of the European Union's enactment of the General Data Protection Regulation (GDPR), China responded by enacting the Cybersecurity Law of the People's Republic of China (CSL), introducing restrictions on data export. Subsequent legislation, such as the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), along with supplementary regulations, has continually refined China's cross-border data transfer (CBDT) regime.

For multinational corporations that regularly send data overseas or remotely access data in China as part of their operations, understanding the evolving requirements and criteria for CBDT is of paramount importance. Compliance with China's relevant data laws is not only essential for conducting business legally but also crucial for maximizing data security and facilitating the smooth flow of data across borders. Failure to implement proper CBDT mechanisms may result in delayed data sharing, business disruptions, and unforeseen penalties.

Despite cybersecurity and data protection laws being well developed, China's regulatory landscape continues to evolve. In 2023, several new regulations specifically addressing data protection and cybersecurity were introduced, with a particular emphasis on CBDT. Additionally, a new regulation released in March 2024 introduced easing of the CBDT rules. This ongoing developmental phase has created some framework gaps, making it challenging for foreign companies to precisely discern the applicable requirements and the actions necessary for full compliance. Consequently, many companies have yet to take action, exposing themselves to coming policy shifts and compliance risks.

Given the current dynamic environment, experts in the legal and cybersecurity fields emphasize the importance of businesses adopting a proactive stance toward CBDT. Rather than awaiting enforcement, companies should address both known and unknown aspects appropriately. This PIPL handbook explains key facets of China's CBDT regime from a business perspective, highlights recent trends and expected developments, and offers practical steps for enterprises to consider when planning their compliance approach.

Adam Livermore, Partner, Dezan Shira & Associates

What data are subject to CBDT mechanisms?
China first put limits on the export of certain types of data in the CSL, enacted in 2016. Later, the DSL and the PIPL, both of which took effect in 2021, set out principles for CBDT within their respective regimes. From 2021 to 2023, China's cybersecurity authorities have continuously refined the legal requirements governing the procedures to export important data and personal information, bringing further clarity to the responsibilities and accountabilities of companies. Under the current regulatory framework regarding CBDT (see Appendix I for a summary of China's CBDT regulatory framework), "important data" and "personal information" are the two current data categories that are

subject to China's cross-border data transfer mechanisms, although in practice the Chinese government tends to apply a broader definition of CBDT: any data flowing across borders needs to comply with the CBDT requirements.

Personal Information
Under the PIPL, Personal Information (PI) is defined as "all kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously". Compared to the European Union's General Data Protection Regulation (GDPR), the PIPL explicitly excludes "anonymized" PI from the definition itself.

Another important difference between the GDPR and the PIPL definition of PI concerns deceased persons. Like the GDPR, the PIPL does not treat the PI of deceased people as protected PI in its own right. However, China's PIPL allows a close relative of a deceased person to duplicate or request access to the relevant PI, and gives them partial rights to copy, correct, or delete any relevant PI for their own lawful or legitimate interests.

The definition and scope of "Sensitive PI" (SPI) under the PIPL also differ from "special category data" under the GDPR. Article 28 of the PIPL specifies that Sensitive PI is "PI that is likely to damage the personal dignity of any natural person or damage his or her personal or property security once disclosed or illegally used". This is followed by a non-exhaustive list, which includes:
- biometric data;
- information on religious beliefs;
- "specific identity";
- medical health;
- financial accounts;
- whereabouts and location; and
- any PI of minors (people under the age of 14).

The fact that financial account information is categorized as SPI came as a surprise to many foreign companies. It implies that almost any business activity involving a payment transaction involves the processing of SPI. Companies can refer to the national standard GB/T 35273-2020 to better understand the detailed scope of SPI defined by the PIPL.

The GDPR lists all special category data, making it easy for companies or individuals to identify whether or not the PI they are processing falls within this category. The PIPL's definition is more descriptive but does not include a full list as the GDPR does. The GDPR does not list children's data as a special category, but it requires parental consent for information society services offered to children under the age of 16 (with specific EU member states lowering the limit, some to 13); the PIPL instead classifies all PI of minors under the age of 14 as sensitive PI, which means that high-school students' personal information will not be treated as sensitive PI by default.

PIPL vs GDPR: definition of Personal Information
Similarities:
- Both the GDPR and the PIPL have a similar definition of general PI, whether directly or indirectly identifying.
- Both the GDPR and the PIPL subject some categories of PI to more stringent protection requirements: "special category data" in the GDPR and "sensitive PI" in the PIPL.
- Both the GDPR and the PIPL define similar rights for individuals.
Differences:
- The PIPL explicitly excludes anonymous information in its definition of PI.
- The PIPL has a much wider scope of what is considered "sensitive" PI than the GDPR's "special category" data.

Important Data
"Important data" is defined as data specific to certain fields, groups, and regions, or reaching a certain level of precision and scale, that, once leaked, tampered with, or destroyed, may directly jeopardize national security, economic operation, social stability, public health, and safety. It is important to note that data affecting only the organization itself or individual citizens is generally not considered important data. This definition is provided in the technical standard released by the State Administration for Market Regulation (SAMR) and the Standardization Administration of China (SAC) in March 2024, titled Data security technology: Rules for data classification and grading (GB/T 43697-2024). The standard, which takes effect on October 1, 2024, offers the most recent guidelines for companies and regulators to identify and classify different types of data in order to comply with China's personal information and data protection regulations.

The standard also includes guidelines for stakeholders to identify important data. These guidelines outline factors that should be considered when assessing the risk level of the data, including:
- Whether the data directly affects territorial security and national unity, or reflects the basic situation of national natural resources, such as undisclosed data on land, water, and airspace;
- Whether the data can be utilized by other countries or organizations to launch military attacks against China, or reflects China's strategic reserves, emergency mobilization, combat capabilities, and so on, such as geographical data that meets certain accuracy indicators or data related to the production capacity and reserves of strategic materials;
- Whether the data directly affects the order of the market economy, such as data supporting the operation of core businesses in industries or sectors where critical information infrastructure is located, or in important economic sectors;
- Whether the data is related to China's real or potential interests in strategic new regions such as space, deep sea, and polar regions, such as undisclosed data related to scientific exploration and the development and utilization of space, deep sea, and polar regions, as well as data affecting the safe entry and exit of personnel in those areas; and
- Whether the data reflects the situation of nuclear materials, nuclear facilities, or nuclear activities, or can be used to cause nuclear damage or other nuclear safety incidents, such as data involving design drawings of nuclear power plants and the operation of nuclear power plants.

In addition to the technical standard above, the Cyberspace Administration of China (CAC) has recently made it clear that any data that has not been explicitly identified as "important" by an industry regulator will not be considered as such, and will therefore be subject to less strict compliance procedures. Moreover, China's free trade zones (FTZs) are allowed to independently implement their own negative lists of data that must be subject to compliance procedures when exported. These lists will apply to companies established in the FTZs. At the time of writing, the FTZs are still in the process of developing these negative lists.

Given the current developments, foreign companies are advised to carry out the necessary data classification and grading work in order to assess whether any data they hold is graded "important".

Cyber and Data Security: our Cybersecurity and Compliance expertise in China and across Asia's regulatory frameworks offers companies the experience they need to define and improve their security and compliance posture.

What kind of companies will have CBDT issues?
Any company that collects a certain amount of data from subjects in

China and needs to send it overseas, or allow access to the data by persons located overseas, will face cross-border data transfer issues. In general, the cross-border data transfer mechanisms mostly affect:
- Multinationals and foreign companies; and
- Industrial/telecom companies and Critical Information Infrastructure Operators (CIIOs).

Multinationals and foreign companies
Examples of multinationals and foreign companies that commonly face a higher likelihood of CBDT concerns include those which operate in certain sectors or have larger operations in China:
- Companies with a large number of employees, partners, members, or clients;
- Technology device manufacturing;
- Medical device manufacturers;
- Data and information services providers;
- Software developers;
- Marketing services;
- Financial services;
- Healthcare services;
- Education services;
- Hospitality and travel services; and
- Other services firms.

Critical Information Infrastructure Operators
Foreign multinationals can also operate in a few of the sectors that would be defined as "CIIO". CIIO is defined in the Regulations on the Security and Protection of Critical Information Infrastructure as companies engaged in "important industries or fields", including:
- Public communication and information services;
- Energy;
- Transport;
- Water;
- Finance;
- Public services;
- E-government services;
- National defense; and
- Any other important network facilities or information systems that may seriously harm national security, the national economy and people's livelihoods, or the public interest in the event of incapacitation, damage, or data leaks.

"Multinationals and foreign companies commonly face a higher likelihood of cross-border data transfer concerns." Phoebe Yan, Partner, Dalian office, Dezan Shira & Associates

What counts as CBDT activities?
There is no specific definition of "cross-border data transfer" in China's CSL, DSL, or PIPL. However, clues can be found in the following three documents:
- The Measures for Data Export Security Assessment;
- The Guidelines for Data Exit Security Assessment and Declaration (First Edition); and
- The Standard Contract Measures for the Export of Personal Information.

Under the Measures for Data Export Security Assessment, cross-border data transfer is defined as the provision of PI and important data collected and generated during operations within the territory of the People's Republic of China to institutions, organizations, and individuals located outside the country.

The Guidelines for Data Exit Security Assessment and Declaration (First Edition) list some specific circumstances that are deemed to be cross-border data transfer, including:
- where a data processor transfers or stores abroad the data collected or generated during its operation within the territory of China;
- where the data collected and generated by a data processor is stored within the territory of China for inquiry, retrieval, download, and export by overseas institutions, organizations, or individuals; and
- any other activity involving data to be transmitted abroad prescribed by the CAC.

Finally, under the Standard Contract Measures for the Export of Personal Information, cross-border (PI) transfer is defined as:
- when PI processors transmit and store overseas PI that has been collected and generated during domestic operations;
- when PI collected and generated by PI processors is stored within China, but overseas institutions, organizations, or individuals can inquire, retrieve, download, and export the PI; and
- other acts of exporting PI abroad as specified by the CAC.

From the above definitions, cross-border data transfer might be interpreted as:
- direct transfer and storage of important data and PI to overseas locations; and
- remote access to important data and PI stored in China by a person or entity located outside of China. That is to say, if an overseas party, within the same or a different company, remotely accesses the important data or PI of an individual located in China, then this activity also constitutes cross-border data transfer, even if the data is not actively exported to a location outside of China.

While these definitions may suggest which company activities could constitute CBDT, they are by no means a comprehensive definition. The above measures and the overall framework include an "other" clause, implying that additional definitions may be left open to interpretation by the authorities in China.

Exemptions for certain CBDT activities
According to the Regulations to Promote and Standardize Cross-Border Data Flow, a new regulation released in March 2024 to facilitate CBDT, there are several scenarios in which a company is exempted from undergoing any compliance procedure to export data out of China.

First, if a company collects and generates data through activities such as international trade, cross-border transportation, academic cooperation, transnational manufacturing, and marketing, and it wishes to provide this data overseas, then it is not required to undergo any of the three compliance procedures, provided the data does not contain any PI or important data.

Second, if PI collected and generated by a company outside of China is transferred to China for processing and then retransferred abroad, then the company is exempted from the compliance procedures, provided no domestic PI or important data is introduced during the processing.

Finally, the regulations outline cases in which the company may be exempted from the compliance procedures if it meets certain conditions. These conditions are as follows:
- It is necessary to export PI in order to enter into and perform a contract to which an individual is a party, such as cross-border e-commerce, postal services, remittances and payments, opening accounts, air ticket and hotel booking, visa processing, and examination services;
- It is necessary to export the PI of employees in order to implement human resources management in accordance with the labor rules and regulations and the collective contract signed with employees;
- It is necessary to export PI overseas in order to protect the life, health, and property of natural persons in an emergency; and
- A company other than a CIIO has provided the PI of less than 100,000 people (excluding sensitive PI) overseas since January 1 of that year.

Note that important data is not included in the above scenarios, and a company will still need to undergo a security assessment (introduced later) to export it.

What are the current rules for CBDT?
Under the current data laws and regulations, companies that wish to export these data overseas are required to take certain steps to get approval, depending on the volume and sensitivity of the data to be transferred. This may include:
- A security assessment organized by the CAC;
- PI protection certification by a professional institution in accordance with the regulations of the CAC;
- Signing a standard contract with the foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC; or
- Meeting other conditions set by the CAC or relevant laws and regulations.

The CAC has subsequently released separate measures for each of the above mechanisms, excluding the final item. These measures not only outline how the requirements are implemented but also stipulate the conditions under which companies must be subject to one of these mechanisms.
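As an added illustration (it is not part of the handbook and not Dezan Shira's material), the Python below turns the triggers the handbook lists into one triage function. It takes the scenario exemptions and the non-CIIO "less than 100,000 people" exemption from the previous section, and the triggers for a mandatory CAC security assessment (CIIO status, important data, the non-sensitive PI of over 1 million people, or the sensitive PI of over 10,000 people, each counted cumulatively since January 1 of the current year) from the security-assessment section that follows. Whatever is neither exempt nor assessment-bound falls to the two remaining mechanisms, standard contract or certification. The class, field and function names are this example's own; the reading that a transfer which itself carries sensitive PI cannot use the 100,000-person exemption (the handbook's "(excluding sensitive PI)"), and the order in which the checks are applied, are assumptions made here, and the transfer history is constructed.

```python
"""Triage a proposed outbound transfer against the CBDT thresholds.

Constructed example; names and ordering are this example's own, not the
regulator's. All counts are cumulative per calendar year, as the handbook
states for every threshold ("since January 1 of the current year").
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Iterable


class Mechanism(Enum):
    EXEMPT = "no CBDT compliance procedure required"
    SECURITY_ASSESSMENT = "CAC security assessment"
    CONTRACT_OR_CERTIFICATION = "standard contract or PI protection certification"


@dataclass(frozen=True)
class Transfer:
    """One outbound transfer. Counts are numbers of people, not records."""
    on: date
    pi_individuals: int = 0            # non-sensitive PI
    sensitive_pi_individuals: int = 0  # sensitive PI (SPI)
    important_data: bool = False
    # One flag for the three scenario exemptions the handbook lists
    # (contract performance, HR management under labour rules, emergency).
    scenario_exempt: bool = False


# Thresholds exactly as the handbook phrases them: "over" and "less than"
# are both strict, so exactly 1,000,000 or exactly 100,000 is on the
# stricter side of the line.
ASSESSMENT_PI = 1_000_000          # over 1 million people, non-sensitive PI
ASSESSMENT_SENSITIVE_PI = 10_000   # over 10,000 people, sensitive PI
EXEMPT_PI = 100_000                # less than 100,000 people, non-CIIO


def year_to_date(history: Iterable[Transfer], proposed: Transfer):
    """Cumulative (non-sensitive, sensitive) people counts for the calendar
    year of the proposed transfer, including the proposed transfer itself."""
    pi = proposed.pi_individuals
    spi = proposed.sensitive_pi_individuals
    for t in history:
        if t.on.year == proposed.on.year and t.on <= proposed.on:
            pi += t.pi_individuals
            spi += t.sensitive_pi_individuals
    return pi, spi


def required_mechanism(proposed: Transfer, history: Iterable[Transfer] = (),
                       is_ciio: bool = False) -> Mechanism:
    """Which CBDT mechanism the proposed transfer needs, given this year's
    earlier transfers. Order of checks is an assumption of this example."""
    # Important data is never covered by the exemptions: assessment, always.
    if proposed.important_data:
        return Mechanism.SECURITY_ASSESSMENT
    # Scenario exemptions (contract, HR, emergency) do not depend on volume.
    if proposed.scenario_exempt:
        return Mechanism.EXEMPT
    # A CIIO must undergo assessment for any other export.
    if is_ciio:
        return Mechanism.SECURITY_ASSESSMENT
    pi, spi = year_to_date(history, proposed)
    if pi > ASSESSMENT_PI or spi > ASSESSMENT_SENSITIVE_PI:
        return Mechanism.SECURITY_ASSESSMENT
    # The volume exemption counts non-sensitive PI only, so a transfer that
    # itself carries sensitive PI cannot rely on it (assumed reading).
    if proposed.sensitive_pi_individuals == 0 and pi < EXEMPT_PI:
        return Mechanism.EXEMPT
    return Mechanism.CONTRACT_OR_CERTIFICATION


def demo():
    """Constructed 2024 history for a non-CIIO: 90,000 people's PI and
    4,000 people's SPI already sent abroad before June."""
    history = [
        Transfer(date(2024, 2, 1), pi_individuals=60_000),
        Transfer(date(2024, 5, 1), pi_individuals=30_000, sensitive_pi_individuals=4_000),
    ]
    small = Transfer(date(2024, 6, 1), pi_individuals=5_000)            # 95,000 ytd
    crossing = Transfer(date(2024, 7, 1), pi_individuals=20_000)        # 110,000 ytd
    spi_heavy = Transfer(date(2024, 8, 1), sensitive_pi_individuals=7_000)  # 11,000 SPI ytd
    next_year = Transfer(date(2025, 1, 2), pi_individuals=5_000)        # counters reset
    return {
        "small": required_mechanism(small, history),
        "crossing": required_mechanism(crossing, history),
        "spi_heavy": required_mechanism(spi_heavy, history),
        "next_year": required_mechanism(next_year, history),
        "ciio": required_mechanism(small, history, is_ciio=True),
    }


if __name__ == "__main__":
    for name, mechanism in demo().items():
        print(f"{name:10s} -> {mechanism.value}")
```

The point the example makes that the prose does not: the thresholds are running totals for the calendar year, so a transfer that is small on its own can be the one that pushes a company over a line, and the sensitive and non-sensitive counters run independently (7,000 people's SPI in August triggers an assessment because of the 4,000 already sent in May, even though the non-sensitive total is well under a million).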

73、2024:CROSS-BORDER DATA TRANSFER IN CHINA HANDBOOKSecurity assessment is the highest bar of compliance within the cross-border data transfer regime.It presents a rigorous evaluation standard and a relatively time-consuming review process.Since the enactment of Measures for Data Export Security Assess

74、ment(the“security assessment measures”),the CAC and local cyberspace administrations,including those in Beijing,Shanghai,Jiangsu,and Zhejiang,have been actively engaging in clarifying and streamlining the security review process.A security assessment is valid three years,from the date of issuance of

75、 the assessment result.Who must undergo a security assessment for cross-border data transfer?Under the security assessment measures,a company must undergo a security assessment by the CAC in any of the following circumstances:The company is a CIIO;The company exports important data overseas;The comp

76、any has provided the PI(excluding sensitive PI)of over 1 million people to overseas parties since January 1 of the current year;or The company has provided the sensitive PI of over 10,000 people to overseas parties since January 1 of the current year.While the scope of important data and the definit

77、ion of CIIO have been explained in earlier chapters,“sensitive PI”is defined in the PIPL includes(but is not limited to):Biometric data(such as fingerprints,iris and facial recognition information,and DNA)Data pertaining to religious beliefs or“specific identities”Medical history Financial accounts

78、Location and whereabouts Any PI of minors under the age of 14 The definition of sensitive PI is further expounded upon in the personal information security specification GB/T 35273-2020.However,it does not include data that has been anonymized or abstract data that doesnt contain any specific PI on

79、individuals,such as aggregated information.Meanwhile,the“processing”of PI is defined as“the collection,storage,use,processing,transmission,provision,publication,and erasure of PI”.Procedures of a data export security assessment If a company meets the criteria outlined above,it must apply for a secur

80、ity assessment by CAC in order to get clearance to transfer the data outside of China.The security assessment measures provide a detailed description of the procedures and criteria companies must meet to pass a security assessment.CBDT mechanism I:Security assessment by the CAC15PIPL 2024:CROSS-BORD

81、ER DATA TRANSFER IN CHINA HANDBOOKConducting a self-assessment To apply for a security assessment,companies must first conduct a security risk self-assessment of the data they wish to export.The self-assessment largely focuses on evaluating the risks the export of the data could pose to Chinas natio

82、nal security,as well as the personal rights of the individuals or organizations in China from whom the data was collected.When conducting the self-assessment,companies must consider the below questions:1.The legality,legitimacy,and necessity of the purpose,scope,and method of the cross-border data t

83、ransfer,and the processing of the data by the overseas recipient.2.The scale,scope,type,and sensitivity of the data being transferred,and the possible risks that the cross-border data transfer could pose to Chinas national security,public interests,and the legal rights of individuals and organizatio

84、ns.3.The responsibilities and obligations undertaken by the overseas recipient of the data,and whether the management and technical measures and capabilities for fulfilling the responsibilities and obligations can ensure the security of outbound data.4.The risk of the data being tampered with,destro

85、yed,leaked,lost,transferred,or illegally obtained or used during the overseas transfer or after it exits the country,and whether the channels for safeguarding the rights and interests of the PI subjects are unobstructed.5.Whether or not the data export-related contracts or other legally binding docu

86、ments(hereinafter collectively referred to as“legal documents”)that are entered into with the overseas recipient fully stipulate the responsibility and obligations of data protection.6.Other matters that may affect the security of data export.Applying for the security assessment When applying for th

87、e data export security assessment,companies are required to submit the following materials:A declaration Cross-border data transfer risk self-evaluation report Legal documents to be signed between the data processor and the overseas recipient;Other materials required for security assessment work The

88、 legal documents signed between the data processor and the overseas recipient must include(but is not limited to)the following duties and obligations:1.The purpose and method for the data transfer and the scope of data being transferred;what the overseas recipient needs the data for and the methods

89、they will use to process it.2.Where and for how long the data will be stored overseas;the processing measures for the exported data after the data storage time limit is up,the stipulated objectives have been achieved,or the legal documents have been terminated.16PIPL 2024:CROSS-BORDER DATA TRANSFER

90、IN CHINA HANDBOOK3.Binding requirements for the overseas recipient to transfer the data to another organization or individual.4.The security measures that will be taken in the event that there is a substantive change in the overseas recipients control or operating scope,or if there is a change to th

91、e security protection policies and regulations of the region where the data is being transferred to,a change to the network security environment,or other force majeure circumstances that make it difficult to guarantee the security of the data.5.Remedial measures,liabilities for breach of contract,an

92、d dispute resolution methods for breaching data security protection obligations stipulated in legal documents.6.Requirements for proper emergency response and the channels and methods to protect individuals rights to safeguard their PI in the event that the outbound data is at risk of being tampered

93、 with,destroyed,leaked,lost,transferred,or illegally obtained or used.7.After having submitted the requisite materials,the CAC will inform the applicant in writing of their decision to accept the application within seven days.Undergoing the security assessment After the CAC has accepted the applicat

94、ion,it will organize for the relevant State Council departments and government agencies to conduct the security assessment in accordance with the circumstances of the declaration.The authorities will be taking the following criteria into consideration when conducting the security assessment:The lega

95、lity,legitimacy,and necessity of the methods,scope,and purpose of the data export.The impact that the data security protection policies,regulations,and general cybersecurity environment of the country or region in which the data recipient is located may have on the security of the data,whether the o

96、verseas recipients data protection standards are compliant with Chinas laws,administrative rules and regulations,and requirements for mandatory national standards.The scale,scope,type,and sensitivity of the outbound data,and the possible risks posed to the data during and after the transfer,such as

97、leakage,tampering,loss,damage,or illegal acquisition or use of the data.Whether or not data security and personal information rights can be fully and effectively protected.Whether or not the legal documents to be signed between the data processor and the overseas recipient has sufficiently stipulate

98、d the data security protection responsibilities and obligations.The data processors compliance with Chinese laws,administrative regulations,and departmental rules.Other matters deemed necessary by the CAC.The cybersecurity departments will carry out the security assessment within 45 working days of

99、17PIPL 2024:CROSS-BORDER DATA TRANSFER IN CHINA HANDBOOKissuing the notice that the application was accepted.However,this procedure may be extended for complicated cases or where additional documentation,or corrections are required.In this case,the data processor will be notified of the expected ext

100、ended duration of the assessment.The results of the assessment will be provided to the applicant in writing.If during the assessment period,the application materials are found to not meet the requirements,the authorities will request the data processor to make the required corrections or supplement

101、the missing materials.If the data processor fails to provide the right materials and information without justifiable reasons,then the assessment may be terminated.Data processors are also legally liable for the authenticity of the materials provided and may face legal consequences if they are found

to knowingly submit false materials or information.

Objections to assessment results and requests for re-assessment

If the data processor objects to any of the results of the assessment, it may apply to the relevant authorities for re-evaluation within 15 working days of receiving the results. The results of the reassessment will, however, be final.

Validity and extension of the security assessment

The security assessment will be valid for a period of three years from the date that the assessment results are issued. If a company needs to continue its data export activities after its assessment has expired, it can apply for an extension through the local provincial cybersecurity and informatization department within 60 working days of the assessment's expiration date. In this instance, the company won't need to conduct another data export security assessment. If the application is successful, the assessment can be extended for another three years.

The relevant authorities may also revoke the security assessment if the activity no longer meets the security management requirements while the data is being processed. They will then inform the company in writing of the revocation, after which the company will be required to terminate all CBDT activity. The company can then re-apply for a security assessment after having rectified the issues that caused it to lose its approval status.

CBDT mechanism II: Third-party PI protection certification

The PI protection certification is another security mechanism for cross-border data transfer, as outlined in Article 38 of the PIPL. On December 16, 2022, the NISSTC released the Cybersecurity Standards Practical Guide - Security Certification Specifications for Cross-Border Processing of Personal Information V2.0 (the “Security Certification Specifications”), outlining the requisites and procedures for the PI protection certification. Building on this, on March 16, 2023, the NISSTC re-released the Security Certification Specifications as an official set of standards, called the Information security technology - Certification requirements for cross-border transmission of personal information (the “draft certification requirements”), for public comment until May 15, 2023. This document is almost identical to the Security Certification Specifications, except for additional clarifications of certain definitions. At the time of writing, no update has been provided on the public feedback on the draft certification standards, and they have therefore not yet been officially adopted. This means that the rules for the certification method have not yet been finalized.

Who can apply for the PI protection certification?

This mechanism is only applicable to companies that engage in the cross-border data transfer of a relatively small volume of PI and are not involved in scenarios where a data export security assessment with the CAC is required. That is to say, companies that meet all of the following criteria are eligible to export data through the PI protection certification mechanism:

- They are not a CIIO.
- Since January 1 of the current year, they have transferred the PI of between 100,000 people and 1 million people out of China (excluding sensitive PI).
- Since January 1 of the current year, they have transferred the “sensitive” PI of less than 10,000 people out of China.

For multinational companies that engage in cross-border PI processing between their own subsidiaries or affiliated companies located in another country, the domestic party can apply for certification and assume legal responsibility on behalf of both parties. Overseas PI processors as defined in the PIPL are also permitted to apply for certification through their specialized agencies or designated representatives set up in China, which can also assume legal responsibilities on their behalf.

PI protection certification requirements

The Security Certification Specifications outline the basic principles that PI processors and the overseas recipient should adhere to when engaging in cross-border PI processing. These basic principles are based on the requirements stipulated in China's existing PI protection framework, most significantly the PIPL. They cover the basic obligations of the companies involved to comply with relevant laws and regulations, to keep the PI subjects informed of the activity, and to ensure the security of the PI, among others. Below we have summarized the basic principles for protecting the security of PI and the rights and interests of PI subjects.

Basic Principles of Cross-Border PI Processing for PI Processors and Overseas Recipients

Principles of lawfulness, propriety, necessity, and good faith
- Adhere to relevant laws and regulations on cross-border PI processing
- Process PI in accordance with the purpose that has been agreed upon and in a manner that has the least impact on the rights and interests of the PI subject
- Abide by contracts, agreements, and legally binding documents

Principles of openness and transparency
- Meet the requirements for the disclosure of processing rules and processes
- Inform the PI subject of the name and contact information of the overseas recipient, the purpose for the cross-border processing of their PI, the scope and processing methods, as well as their rights and the methods and procedures for exercising their rights

Principle of equal protection
- Ensure the quality of the PI and avoid causing adverse effects on the personal rights and interests of the PI subject as a result of inaccurate or incomplete PI
- Take necessary measures to protect the security of the processed PI and ensure that cross-border processing of PI meets the information protection requirements of the PIPL

Principle of clear responsibility
- Designate a domestic party, multiple parties, or an institution set up by an overseas recipient in China to bear civil legal liability for the PI processing activities of the overseas recipient in the event of damage to the rights and interests of PI subjects

Principle of voluntary certification
- Encourage PI processors to voluntarily apply for PI protection certification and fully leverage the role of certification in strengthening PI protection and improving the efficiency of cross-border PI processing

Legally binding documents

Under the Security Certification Specifications, PI processors and their overseas recipients are required to sign legally binding and enforceable documents to ensure the protection of the rights and interests of PI subjects. At the very least, these documents should specify the following:

- The basic information of the PI processors and overseas recipients, including but not limited to name, address, contact name, contact information, and so on;
- Information on the cross-border PI processing activity, including but not limited to the purpose for the processing, the scope of PI and processing activity, the type, sensitivity level, and quantity of the PI being processed, the method for processing the PI, and the PI's retention period and storage location;
- The responsibilities and obligations of PI processors and overseas recipients to protect PI, as well as the technical and management measures taken to prevent possible security risks caused by cross-border processing of PI;
- The rights of PI subjects and the methods for them to protect their rights;
- Clauses on remedy, contract termination, liability for breach of contract, dispute resolution, and more;
- A promise by the overseas recipient to abide by the same cross-border PI processing rules, and assurance that the level of PI protection is not lower than the standards stipulated in China's relevant laws and administrative regulations;
- Acceptance by the overseas recipient of continuous supervision over the cross-border PI processing by the certification body;
- Promises by the overseas recipient to accept the jurisdiction of China's relevant laws and administrative regulations on PI protection;
- Specification of the organization that assumes the legal responsibility within China, and its promise to fulfill the obligations to protect PI;
- A statement that both the PI processor and the overseas recipient bear civil legal liability for violations of PI rights and interests, and clear agreement on the civil legal liability of each party;
- Obligations stipulated in other laws and administrative regulations.

Appointing a person in charge of PI protection

According to the Security Certification Specifications, both the PI processor and the overseas recipient engaged in cross-border PI processing are required to appoint a person to be in charge of PI protection. This person must have professional knowledge of PI protection and relevant management work experience and should hold a decision-making position within the organization. The person in charge of PI protection is required to undertake the following responsibilities:

- Clarifying the main objectives, basic requirements, tasks, and protection measures of the PI protection work;
- Ensuring adequate human resources and financial and material support for the organization's PI protection work, and ensuring the availability of required resources;
- Guiding and supporting relevant personnel in carrying out the organization's PI protection work to ensure that the work achieves the intended goals; and
- Reporting the PI protection work situation to the main person in charge of the organization, and promoting the constant improvement of the PI protection work.

Setting up a PI protection agency

PI processors and overseas recipients who carry out cross-border PI processing activities are required to set up PI protection agencies to perform the relevant obligations and carry out work such as preventing unauthorized access to PI, as well as leaks, tampering, and loss of PI. Specifically, the agency is required to undertake the following responsibilities for cross-border PI processing activities:

- Formulating and implementing a plan for cross-border PI processing in compliance with relevant laws;
- Organizing a PI protection impact assessment;
- Supervising the organization's cross-border PI processing in accordance with the agreed rules and protecting the rights and interests of PI subjects;
- Taking effective measures to ensure that cross-border PI is processed in accordance with the purpose, scope, and method of the PI processing that has been agreed upon, fulfilling PI protection obligations, and ensuring the security of the PI;
- Regularly reviewing the organization's compliance with relevant laws and administrative regulations when processing PI, and conducting compliance audits;
- Accepting and handling requests and complaints from PI subjects;
- Accepting the continuous supervision of certification bodies on cross-border processing of PI, including answering inquiries, cooperating with inspections, and other liaising activities.

Mutual agreement upon the rules of PI processing

PI processors and overseas recipients must agree upon and jointly abide by the same set of rules for cross-border PI processing. At the very least, the rules should include the following clarifications:

- The basic situation of cross-border processing of PI, including the amount and scope of PI that will be processed, the type and sensitivity level of the PI being processed, and so on;
- The purpose of processing the PI and the method for and scope of the cross-border processing of PI;
- The duration that the PI will be stored overseas, including a start and end date, and details on how the PI will be processed after this duration has ended;
- The countries or regions to which the cross-border PI processing will be transferred;

- The resources and measures needed to protect the rights and interests of PI subjects; and
- The rules on compensation for and handling of PI security incidents.

PI protection impact assessment

PI processors are required to conduct a personal information protection impact assessment (PIPIA) for activities that have the intention of providing PI overseas and compile a PIPIA report. This report should be kept for at least three years. The PIPIA report should at the very least contain the following information:

- The legality, legitimacy, and necessity of the purpose for the cross-border PI processing, and the scope of and method for processing the PI;
- The scale, scope, type, and sensitivity level of the PI being processed, the frequency of cross-border PI processing activity, and the risks that this activity may pose to the rights and interests of the PI subjects;
- The responsibilities and obligations promised by the overseas recipient, and whether their management, technical measures, and capabilities are sufficient to fulfill their responsibilities and obligations to guarantee the security of the cross-border PI processing activity;
- Risks of leakage, damage, tampering, abuse, and other violations or breaches during the cross-border processing of PI, and whether there are unobstructed channels for individuals to protect their rights and interests;
- The impact that the PI protection policies and regulations in the country or region where the overseas recipient is located may have on their ability to fulfill their obligations to protect the PI and the rights and interests of the PI subjects. This may include (but is not limited to):
  - The overseas recipient's previous similar experience in cross-border transmission and processing of PI, whether any data security-related incidents have occurred under their authority, whether these incidents have been dealt with in a timely and effective manner, and whether they have ever received a request from a public authority in the country or region where they are located to provide PI, and how they responded to this request;
  - The current laws and regulations on PI protection in the country or region in which the overseas recipient is located, the generally applicable standards, and the differences between these and the relevant laws, regulations, and standards on PI protection in China;
  - Any regional or global PI protection organizations that the country or region in which the overseas recipient is located has joined and the binding international commitments it has made; and
  - The mechanisms for PI protection that the country or region in which the overseas recipient is located has implemented, such as whether there are supervisory and law enforcement agencies and relevant judicial agencies for PI protection.
- Other matters that may affect the security of cross-border PI processing activity.

The rights of the PI subjects

The Security Certification Standards require PI processors and overseas recipients of PI to recognize the rights of the individual (the PI subject) with regard to the cross-border processing of their PI. They also require them to provide the conditions and mechanisms for the PI subjects to exercise their rights. These rights are in line with the articles of Chapter IV of the PIPL on “the rights of individuals in the processing of personal information”. They are as follows:

- The PI subject must be a third-party beneficiary in a legally binding document signed by the PI processor and the overseas recipient, and has the right to require the PI processor and the overseas recipient to provide a copy of the part of the legal text that involves their rights and interests, and to assert their rights to the PI processors and overseas recipients;
- The PI subject has the right to know, decide, limit, or refuse others to process their PI, as well as the right to consult, copy, correct, supplement, and delete their PI, and the right to withdraw consent to the cross-border processing of their PI;
- When the PI subject exercises the above rights, the PI subject may request the PI processor to take appropriate measures to realize them, or directly submit a request to the overseas recipient. If the PI processor cannot realize them, it should notify and ask the overseas recipient to assist in realizing them;
- PI subjects have the right to request PI processors and overseas recipients to explain their rules for the cross-border processing of PI;
- The PI subject has the right to reject any decision to engage in cross-border processing of their PI made by the PI processor through an automated decision-making process;
- The PI subject has the right to complain about and report any illegal cross-border PI processing to the department responsible for protecting PI in China;
- When a PI subject's rights and interests are violated, they have the right to claim compensation from either the PI processor or the overseas recipient;
- PI subjects have the right to file judicial proceedings with a competent court against PI processors and overseas recipients who carry out cross-border PI processing activities, in accordance with the Civil Procedure Law of the People's Republic of China; and
- Other rights stipulated by laws and administrative regulations.

The impact of the Security Certification Standards on businesses

The majority of the requirements and information outlined in the Security Certification Standards are based upon existing requirements stipulated in previous laws and regulations. Most businesses that have been building up their PI and data compliance capabilities in China will therefore be familiar with many of these obligations. However, the standards do provide a useful framework for companies when it comes to the specific obligations that they have when engaged in the cross-border processing of PI, as opposed to other PI and data protection obligations (such as the processing of PI within China), as well as the responsibilities of all of their overseas partners. They also provide concrete guidelines for certification agencies and other stakeholders, helping to ensure that all parties are on the same page with regard to their respective obligations.

At the same time, China's cybersecurity and market standards authorities have not yet released a list of the certification agencies that are authorized to carry out certification procedures, nor have they issued specific guidelines for how the certification agencies are required to carry out the certification. More clarity is required on how the agencies will carry out the certification procedures to ensure that both the agencies and the target companies are compliant with all of the regulations.

CBDT mechanism III: Signing a standard contract

Signing a standard contract is the third mechanism for cross-border data transfer stipulated by Article 38 of the PIPL, which is much simpler than the other options as it does not require an external audit. Effective from June 1, 2023, the Measures on the Standard Contract for Outbound Transfer of Personal Information outline essential terms, encompassing the scope, types, sensitivity, quantity, retention period, and storage location of exported personal information, as well as measures to prevent data security risks. On May 30, 2023, the CAC issued the Guidelines for Filing of Standard Contract for Outbound Transfer of Personal Information (First Edition), offering detailed procedures, timeframes, required materials, and outcome details for standard contract filing. Provincial cyberspace administrations, such as those of Beijing, Zhejiang, and Liaoning, also issued comprehensive guidelines to support local companies in fulfilling standard contract filing obligations.

Who can apply the standard contract mechanism for CBDT?

Similar to the PI protection certification mechanism, this mechanism is only applicable to companies that engage in the cross-border data transfer of a relatively small volume of PI and are not involved in scenarios where a data export security assessment with the CAC is required. That is to say, companies that meet all of the following criteria are eligible to export data through the standard contract mechanism:

- They are not a CIIO.
- Since January 1 of the current year, they have transferred the PI of between 100,000 and 1 million people (excluding sensitive PI).
- Since January 1 of the current year, they have transferred the “sensitive” PI of less than 10,000 people out of China.

The Standard Contract Measures also clarify that PI processors cannot use means such as splitting up PI that ought to undergo a security review into smaller batches in order to be eligible for the standard contract procedure.

“Businesses engaging in cross-border data transfer are advised to assess the scope of data that they are handling to understand whether they are eligible to use the standard contract method, a much simpler procedure than the other options.”
Donfil Huang, Manager, Business Advisory Service, Guangzhou Office, Dezan Shira & Associates

Pre-condition: Conducting a PIPIA

Before transferring PI overseas using the standard contract method, companies must conduct a PIPIA. According to the Standard Contract Measures, the PIPIA must assess the following matters:

- The legality, legitimacy, and necessity of the purpose, scope, and processing method of the data processor in China and the overseas recipient.
- The scale, scope, type, and sensitivity level of the outbound PI, and the potential risks that the export of the PI can pose to

the rights and interests of the PI subjects.
- The responsibilities and obligations that are undertaken by the overseas recipient, and whether the management and technical measures and capabilities for fulfilling these responsibilities and obligations can ensure the security of outbound PI.
- The risk of the PI being tampered with, destroyed, leaked, lost, or illegally used after being exported, and whether the channels for safeguarding the rights and interests of the PI subjects are unobstructed.
- The impact that the PI protection policies and regulations in the country or region where the overseas recipient is located may have on the fulfillment of the standard contract.
- Other matters that may affect the security of the outbound PI.

What must be stipulated in the standard contract?

The standard contract that is signed with the overseas recipient must strictly adhere to the template that has been provided along with the Standard Contract Measures. However, the CAC may sometimes adjust this template slightly according to the actual situation. The full template can be found along with the Standard Contract Measures on the CAC website. The PI processors can agree on other terms with overseas recipients, but these cannot conflict with the requirements of the standard contract template. The export of PI can only be carried out after the standard contract takes effect.

The information that is required to be included in the standard contract per the CAC template includes (but is not limited to):

- Basic information of the PI processor in China and the overseas recipient, including but not limited to the company names, addresses, contact persons' names, and contact information.
- The length of the contract and the mutual PI processing activity.
- Information on the technical and management measures that the overseas recipient will employ to fulfill the obligations of the contract to protect PI and minimize security risks, such as encryption, anonymization, de-identification, access control, and other technical and management measures.
- Agreed methods for arbitration and dispute resolution in the event of a dispute.

The standard contract template contains nine articles in total and includes clauses on matters such as the obligations of the PI processor and the overseas recipient, the impact that PI protection policies and regulations in the country or region where the overseas recipient is located may have on the fulfillment of the contract, and the rights and interests of the PI subjects.

Filing procedures for the standard contract

Within 10 days of the standard contract taking effect, the PI processor must file the requisite materials with the local provincial-level cybersecurity office. The PI processor can begin cross-border data transfer activities after the contract takes effect. All the materials must be delivered in both physical and electronic form. The materials that need to be submitted are listed in the table below.

Documents Required for Filing the Standard Contract

| # | Document | Requirement |
|---|----------|-------------|
| 1 | Photocopy of the unified social credit code certificate (the certificate of the 18-digit number assigned to all companies in China) | Photocopy with company chop |
| 2 | Photocopy of the legal representative's ID card | Photocopy with company chop |
| 3 | Photocopy of the ID card of the person in charge | Photocopy with company chop |
| 4 | Power of Attorney | Original copy |
| 5 | Letter of commitment | Original copy |
| 6 | Standard Contract | Original copy |
| 7 | PIPIA | Original copy |

Note: Templates for documents 4 to 7 above are provided in the Standard Contract Guidelines.

The provincial cybersecurity authorities will review the materials and notify the company of the result of the review within 15 days of their submission. If the review is successful, the authorities will issue the PI processor with a filing number. If it is unsuccessful, the PI processor will be sent a notice stating that it didn't pass the review, including the reasons for this. The company will be notified in writing of whether it has passed or failed the review process, and whether it may be required to provide supplementary materials. If the PI processor is required to supplement or make up for any missing materials, then it must resubmit them within 10 working days of receiving the notice.

In certain circumstances, the PI processor may have to redo the PIPIA, re-sign and re-file the standard contract, and complete other relevant filing procedures before the contract has expired. These circumstances are:

- There is a change to the purpose, scope, category, degree of sensitivity, processing method, or storage location of the PI provided overseas, a change to the purpose and method of processing the PI by the overseas recipients, or the period for overseas storage of the PI is extended.
- There are changes in the overseas PI protection policies and regulations that could affect the rights and interests of the PI subjects.
- Other circumstances that may affect the rights and interests of the PI subjects.

Resubmitted materials will be reviewed by the local authorities within 15 days of receiving them. Violations of the Standard Contract Measures will be punishable in accordance with the PIPL and other relevant regulations.

New Standard Contract Guidelines Streamline Filing in the GBA

In December 2023, the CAC released a new set of guidelines for companies in the Guangdong-Hong Kong-Macao Greater Bay Area (GBA) to sign a standard contract to engage in CBDT activities between the mainland portion of the GBA and Hong Kong. The GBA guidelines, titled the GBA (Mainland, Hong Kong) Implementation Guidelines for the Standard Contract for Cross-border Flow of Personal Information, make it significantly easier for companies located in one of the nine mainland cities of the GBA to transfer PI to Hong Kong by expanding the scope of companies permitted to use the standard contract procedure, as well as simplifying filing procedures.

The GBA guidelines stipulate that PI processors and the PI recipients in the GBA may conduct CBDT between the Chinese mainland and Hong Kong by voluntarily entering into a standard contract in accordance with the GBA guidelines. However, any data that has been identified as “important data” by the government is excluded from the scope of data that can be transferred under these guidelines. This means that companies transferring PI between the mainland portion of the GBA and Hong Kong will not be subject to the same thresholds for PI volume that are stipulated in the national standard contract measures.

Another difference is that the filing procedures for the standard contract in the GBA are simpler than for the rest of the country. To file a standard contract to transfer PI from one of the nine mainland GBA cities to Hong Kong, companies only need to provide three documents. Companies located elsewhere in the Chinese mainland wishing to export PI to Hong Kong, or companies located anywhere in the Chinese mainland exporting PI overseas, will be required to provide seven documents, including a copy of the PIPIA and a Power of Attorney.

Recent developments & trends: Easing CBDT requirements for foreign companies

The CAC has released the final version of a set of regulations aimed at facilitating CBDT for companies based in China. The new regulations, titled the Regulations to Promote and Standardize Cross-Border Data Flows, came into force on March 22, 2024. In September 2023, the CAC had released a draft version of the regulations for public comment. The final version has been altered only slightly from the draft, retaining the majority of the original proposals. The new regulations provide several measures that will facilitate cross-border data flows for companies in China, greatly easing compliance burdens and allowing for the free flow of data in certain scenarios.

Increased data volume thresholds for CBDT compliance procedures

A major change in the new regulations is an increase in the data volume thresholds that trigger one of the compliance procedures from the ones stipulated in the PIPL and related regulations. This means that companies will be able to handle a higher volume of data than was previously allowed before they are required to undergo one of the compliance procedures.

For the security assessment procedure, the threshold for accumulated non-sensitive PI has been increased from that of 100,000 people to that of one million people. For the standard contract and PI protection certification procedures, the threshold has been increased from the non-sensitive PI of less than 100,000 people to that of between 100,000 and one million people.

In addition, the time frame has also been shortened, from the PI accumulated since January 1 of the previous year to that accumulated since January 1 of the current year. This effectively cuts the maximum period for accumulated PI that is considered for compliance procedures from two years to just one year and allows the company's accumulated volume to be reset to zero at the start of every year, making it less likely that they will exceed the limits.

Finally, if a company has processed the PI of less than 100,000 people since January 1 of the current year, it will not be required to undergo any compliance procedures. Previous regulations did not have any exemptions for lower volumes of PI.

Note that the above changes do not apply to companies that are CIIOs, which will still be required to undergo a security assessment regardless of the volume or type of data they export, nor do they apply to companies that are exporting important data. However, the new regulations also outline several additional circumstances in which a company may be exempt from undergoing compliance procedures even if they exceed the new thresholds. These exceptions are outlined in the section below.

The changes in data volume limits are summarized in the table below.

Change in PI Export Volume Thresholds for CBDT Compliance Procedures

| Required compliance procedure | Previous regulations | New regulations |
|---|---|---|
| No procedures required | N/A | Cumulative since January 1 of the current year: less than 100,000 (normal PI) |
| PI protection certification or Standard Contract signing | Cumulative since January 1 of the previous year: less than 100,000 (normal PI); or less than 10,000 (sensitive PI) | Cumulative since January 1 of the current year: between 100,000 and 1,000,000 (normal PI); or less than 10,000 (sensitive PI) |
| Security assessment by CAC | Cumulative since January 1 of the previous year: 100,000 or more (normal PI); or 10,000 or more (sensitive PI) | Cumulative since January 1 of the current year: 1,000,000 or more (normal PI); or 10,000 or more (sensitive PI) |

Easing requirements for the export of “important data”

As mentioned above, companies that wish to export important data out of China must undergo a data export security assessment by the CAC, the most cumbersome of the three options. However, what data is considered “important” has not been clearly defined in relevant regulations, leaving many companies uncertain of whether they must apply for the security assessment. The new regulations state that companies are required to identify and declare important data in accordance with relevant regulations. They also provide an important caveat that will help to reduce uncertainty in many cases. If relevant government departments or regions have not publicly identified certain data as “important”, then the company will not be required to apply for the data export security assessment to export the data. This means that if the data has not explicitly been defined as important by national or local authorities, then it will be deemed not to be for the time being.

213、31PIPL 2024:CROSS-BORDER DATA TRANSFER IN CHINA HANDBOOKExemptions for certain cross-border data transactionsUnder the new regulations,there are several scenarios in which a company will be exempted from undergoing any of the three compliance procedures to export data out of China.First,if a company

214、 collects and generates data through activities such as international trade,cross-border transportation,academic cooperation,transnational manufacturing,and marketing,and it wishes to provide this data overseas,then it is not required to undergo any of the three compliance procedures,provided the da

215、ta does not contain any PI or important data.Second,if the PI collected and generated by a company outside of China is transferred to China for processing and then retransferred abroad,then the company is exempted from the compliance procedures,provided no domestic PI or important data is introduced

216、 during the processing.Finally,the regulations outline cases in which the company may be exempted from the compliance procedures,if it meets certain conditions.These conditions are as follows:It is necessary to export PI to enter into and perform a contract to which an individual is a party,such as

217、cross-border e-commerce,postal services,remittances,and payments,opening accounts,air ticket and hotel booking,visa processing,and examination services;It is necessary to export the PI of employees must be exported in order to implement human resources management in accordance with the labor rules a

218、nd regulations and the collective contract signed with employees;It is necessary to export PI overseas in order to protect the life,health,and property of natural persons in an emergency;and If a company other than a CIIO has provided PI of less than 100,000 people(excluding sensitive PI)overseas si

219、nce January 1 of that year.Note that important data is not included in the above scenarios,and a company will still need to undergo a security review to export it.Facilitated data flows in FTZsThe new regulations allow Chinas FTZs to independently implement their own negative list of data that must

220、be subject to compliance procedures when exported.These lists will be applicable to companies established in the FTZs.Companies based in the FTZs exporting data that is not included in the negative lists will be exempted from undergoing the compliance procedures,thus greatly facilitating cross-borde

221、r data flows in and out of the zone.The criteria for being considered to be based in the zone will presumably depend on the FTZs own standards for business presence,as is the case for qualifying for preferential tax treatment within the zones,although the regulations do not specify this.32PIPL 2024:

222、CROSS-BORDER DATA TRANSFER IN CHINA HANDBOOKEnabling the FTZs to implement their own data negative lists will greatly enhance the attractiveness and competitiveness of these zones,providing yet another benefit to establishing a business within these areas.The FTZs are still in the process of develop

223、ing these negative lists.In January 2024,the Lingang New Area of the Shanghai Pilot FTZ revealed a set of trial measures that will divide data for cross-border transfer into“core”,“important”,and“general”data categories,depending on their risk level.The local government also stated that it will rele

224、ase a“general data”catalogue,which will include types of data that can be transferred freely out of the area,and an“important data”catalogue,which will be subject to restrictions.The full trial measures have not yet been released to the public.Extension of security assessment validity periodThe new

225、regulations extend the validity of a security assessment from two years to three years,from the date of issuance of the assessment result,thus decreasing the frequency with which a company will be required to undergo assessments.The new regulations also simplify the procedures for the extension of a

226、 security assessment.If a company needs to continue its data export activities after its assessment has expired,it can apply for an extension through the local provincial cybersecurity and informatization department within 60 working days of the assessments expiration date.In this instance,the compa

227、ny wont need to conduct another data export security assessment.If the application is successful,the assessment can be extended for another three years.Implications of the new regulations for foreign companies in China The new regulations are a major step forward in reducing barriers to cross-border

228、 data flows and clarify issues that impede the normal business operations of foreign companies in China.The increase in the data volume thresholds for the compliance procedures will make it easier particularly for smaller companies,which have fewer resources to handle the additional compliance burde

229、n,to follow with data transfer rules.The various exemptions given will also greatly facilitate business operations in fields such as cross-border trade,e-commerce,and HR.Meanwhile,the new regulation on important data removes a considerable regulatory headache for companies by acknowledging that the

230、current regulations are insufficiently clear for companies to follow and places the onus on government authorities to specify which data is considered important.It may also allow companies whose applications for data export have been denied due to their inclusion of undefined important data to have

231、these decisions overturned,at least until the authorities provide a clear definition.This will help to alleviate uncertainty and greatly facilitate companies normal operations in the interim.33PIPL 2024:CROSS-BORDER DATA TRANSFER IN CHINA HANDBOOKIts nonetheless important to note that the compliance

232、 procedures remain in place for larger volumes of data,as well as for all important data and CIIOs.Larger multinationals,in particular in consumer-facing industries,are still likely to reach the thresholds for compliance procedures on a regular basis and will have to continue to allocate time and re

233、sources toward compliance.Large companies in particular are advised to closely monitor the regulatory bodies of their respective industries for news on the definition of important data to ensure that they remain compliant.Companies located in FTZs are also advised to carefully monitor news from loca

234、l authorities regarding the release of data negative lists and to maintain open lines of communication with local authorities to ensure the correct understanding and implementation of the regulations.34PIPL 2024:CROSS-BORDER DATA TRANSFER IN CHINA HANDBOOK2024 outlook for cybersecurity and data prot

235、ection regulationsMore clarity on legal definitions One of the main sticking points of Chinas growing cybersecurity and data protection regulation is the lack of clarity of certain legal terms.Chief among them is the specific definition of important data,which underpins requirements to undergo speci

236、al CBDT mechanisms(as companies deemed to export important data are required to undergo a CAC security assessment under current rules).While the recent new regulations and the technical standards guiding the classification of important data offered more clarifies,foreign companies are advised to clo

237、sely monitoring the developments and implementation of these measures throughout the year.They are also are advised to carry out the necessary data classification and grading work in order to assess if any data they hold might fall into the“important”scope.Implementation of trials for“green channels

238、”and“general data”lists for free CBDTThe opinions on measures to attract foreign investment released in August 2023 propose the establishment of so-called“green channels”for qualified foreign-invested enterprises(FIEs),to facilitate CBDT procedures.They also propose to run a pilot program with loose

239、r data export restrictions and identify a list of“general data”that can be freely transferred in specific regions,such as Beijing,Tianjin,Shanghai,and the Guangdong-Hong Kong-Macao Greater Bay Area(GBA).This idea was not included in the new regulations released in March 2024.This could mean that pol

240、icymakers may still be formulating measures.The developments on this aspect is worth attention.Further adjustments to align with DEPA and CPTPP benchmarks Another dimension to Chinas developing cybersecurity and data protection regime is its application to join the Digital Economy Partnership Agreem

241、ent(DEPA)and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership(CPTPP).The CPTPP is a free trade agreement comprising seven countries in the Regional Comprehensive Economic Partnership(RCEP),along with Canada,Mexico,Chile,and Peru.China officially applied to join in October 20

242、21.35PIPL 2024:CROSS-BORDER DATA TRANSFER IN CHINA HANDBOOKThe DEPA has been described as“the first trade agreement to target the digital economy”,and is currently made up of New Zealand,Singapore,and Chile.The trade agreement aims to facilitate digital trade,enable cross-border data flow,and create

243、 a system of trust in which data is shared equitably and personal and online consumer data is protected.China formally applied to join the DEPA in November 2021.However,Chinas accession to both of these agreements remains uncertain as it would require significant amendments to its current data prote

244、ction regulations,in particular those related to local data storage and CBDT.For instance,the CPTPP promotes free cross-border data flows among member states,while the DEPA requires that all parties to the agreement allow the cross-border transfer of information by electronic means,including PI,when

245、 this activity is for the conduct of the business of a covered person,and prohibits parties from requiring a covered person to use or locate computing facilities in that partys territory as a condition for conducting business in that territory.These requirements run directly counter to Chinas curren

246、t data regulations,which require companies to store data collected in China domestically and have limitations on the volume of data and PI that can be exported freely.While little development was made on Chinas accession to the CPTPP and DEPA in 2023,recent comments from the Chinese authorities sugg

247、est that the country is still pursuing these goals.A brief statement from Chinas Ministry of Commerce(MOFCOM)stated that China had held exchanges with the three DEPA member countries in August“on issues such as the treatment of digital products,data issues,the broader trust environment,business,and

248、consumer trust,as well as the digitization of trade documents and other cooperation to be carried out under the DEPA framework”.Meanwhile,an opinion piece by the Chinese Ambassador to New Zealand published in the New Zealand Herald in August outlines steps that China is taking to meet the CPTPPs ben

249、chmarks for trade openness.These include launching trial measures in Chinas pilot free trade zones(FTZs)and the Hainan Free Trade Port,which includes measures such as ensuring equal treatment for both domestic and foreign financial institutions,prohibiting the requirement of transferring or acquirin

250、g software source code as a condition for the importation and sale of mass-market software,and so on.The Ambassador stated that the measures“will be rolled out in other areas nationwide in the future”.This move is similar to the proposal to test the easing of CBDT requirements in select areas of Chi

251、na,namely FTZs,in the draft regulations released in September.While we do not expect Chinas cybersecurity regulator to implement any drastic measures to ease requirements,it is likely we will see easing measures implemented on a trial basis in FTZs and other special economic areas in 2024,with the p

252、ossibility that they will be rolled out nationwide at a later time.36PIPL 2024:CROSS-BORDER DATA TRANSFER IN CHINA HANDBOOKConclusion:How businesses can deal with Chinas evolving cross-border data transfer regimes Multinational companies must remain vigilant about data export compliance in their day

253、-to-day operations and stay abreast of legislative and regulatory developments in China.It is crucial for foreign businesses and multinationals to track the evolution of relevant systems and seek guidance from their advisors and pertinent authorities for compliance-related inquiries.While unresolved

254、 issues persist,and further changes are anticipated,Chinas cybersecurity and data protection regime has already undergone substantial evolution in recent years.The existing framework delineates the types of data and activities that companies must address as part of their corporate cybersecurity and

255、data protection compliance policies.In many instances,it also outlines the methods required to fulfill these obligations.Certain sectors and activities pose a higher likelihood of exposure for companies,particularly multinationals and foreign entities with significant operations in China.These inclu

256、de companies with a large number of employees,partners,members,or clients,as well as technology or medical device manufacturers,internet,telecom,network,data,and information services providers,energy or public services,software developers,and various service providers in financial,healthcare,educati

257、on,hospitality,travel,human capital,marketing,and other domains.Despite the ongoing evolution of Chinas frameworks,making it challenging for companies to precisely determine applicable requirements,there are established measures to reduce exposure to non-compliance with current laws.Taking proactive

258、 steps is crucial for foreign companies to position themselves in accordance with Chinas relevant data laws.For companies lacking internal compliance teams with expertise in Chinas local cybersecurity and data protection,Dezan Shira&Associates cybersecurity and data protection professionals can prov

259、ide support.We can assist companies by:Assessing a companys basic data protection and cross-border data transfer exposure.Evaluating whether proposed data transfers necessitate mandatory CAC security assessments.Enlisting professional help to prepare essential documentation,such as cross-border data

260、 transfer agreements and self-assessment reports.Developing consent mechanisms,privacy notices,and consent forms for proper data collection and processing.Appointing a qualified data protection personnel in China and conducting internal training for compliance understanding.Formulating strategies to

261、 mitigate and report data breaches and potential risks.As Chinas cybersecurity and data protection regime continues to evolve,we will monitor forthcoming changes,including compliance-related interpretations,thresholds,requirements,and more.Read our latest updates here.For further assistance with you

262、r businesss cybersecurity and data protection compliance assessment,planning,and necessary measures,please contact the contributors of this report:Adam Livermore,Partner and Head of Technology Services-Dezan Shira&Associates Phoebe Yan,Partner and Head of Information Services-Dezan Shira&AssociatesC

263、ONTACT US37PIPL 2024:CROSS-BORDER DATA TRANSFER IN CHINA HANDBOOKAppendix I:Regulatory framework for CBDT in ChinaChina first put limits on the export of certain types of data in the Cybersecurity Law(CSL),released in 2017.Later,the Data Security Law(DSL)and the Personal Information Protection Law(P

264、IPL),both of which took effect on 2021,set out principles for cross-border data transfer within their respective regime.Article 37 of the CSL stipulates that:The operator of a critical information infrastructure shall store within the territory of the Peoples Republic of China personal information a

265、nd important data collected and generated during its operation within the territory of the Peoples Republic of China.Where such information and data have to be provided abroad for business purpose,security assessment shall be conducted pursuant to the measures developed by the CAC together with comp

266、etent departments of the State Council,unless otherwise provided for in laws and administrative regulations,in which such laws and administrative regulations shall prevail.The Cyber Security Law of the Peoples Republic of China shall apply to the security management for the cross-border transfer of

267、important data collected and produced during operation by critical information infrastructure operators within the territory of the Peoples Republic of China;and the administrative measures for the security management for the cross-border transfer of important data collected and produced during oper

268、ation by other data processors within the territory of the Peoples Republic of China shall be formulated by the state cyberspace administration in concert with the relevant departments under the State Council.Where a personal information handler really needs to provide personal information outside t

269、he territory of the Peoples Republic of China due to business or other needs,it shall meet any of the following conditions:(I)it shall pass the security evaluation organized by the Cyberspace Administration of China in accordance with the provisions of Article 40 hereof;(II)it shall have been certif

270、ied by a specialized agency for protection of personal information in accordance with the provisions of the Cyberspace Administration of China;(III)it shall enter into a contract with the overseas recipient under the standard contract formulated by the Cyberspace Administration of China,specifying t

271、he rights and obligations of both parties;and(IV)it shall meet other conditions prescribed by laws,administrative regulations or the Cyberspace Administration of China.Article 31 of the DSL stipulates that:Article 38 of the PIPL stipulates that:38PIPL 2024:CROSS-BORDER DATA TRANSFER IN CHINA HANDBOO

272、KWhere the international treaties or agreements concluded or acceded to by the Peoples Republic of China contain provisions on the conditions for provision of personal information outside the territory of the Peoples Republic of China,such provisions may prevail.The personal information handler shal

273、l take necessary measures to ensure that the activities of handling personal information by the overseas recipient meet the standards for protection of personal information as prescribed herein.From 2021 to 2023,Chinas cybersecurity authorities have been making continuous refinement of legal require

274、ments governing the procedures to export important data and personal information(PI),bringing further clarity to the responsibilities and accountabilities of companies:On November 14,2021 the Cyberspace Administration of China(CAC)released the Network Data Security Management Regulation(Exposure Dra

275、ft),which unifies data security rules introduced by the CSL,the DSL,and PIPL and rolled out review requirements for companies pursing IPOs in Hong Kong.On December 28,2021 the CAC released the revised Cybersecurity Review Measures,after seeking public comments in July 2021.It stipulates that any Chi

276、nese companies that hold the personal information of one million or more users would need to seek a government cybersecurity review before listing abroad.The new Measures took effect on February 15,2022.On July 7,2022 the CAC released the Measures for Data Export Security Assessment,following the re

277、lease of the draft version for public comment in October 2021.The document details specific requirements for security reviews for cross-border data transfer and clarifies what procedures companies must undergo to get clearance to transfer data overseas.The Measures took effect on September 1,2022.On

278、 August 31,2022 the CAC released the Guidelines for Data Exit Security Assessment and Declaration(First Edition),which explain the procedures and processes for companies to apply for permission to export data out of China and include complete lists of required documents,templates for documents such

279、as security assessment declarations,and application forms.On December 13,2022 the Ministry of Industry and Information Technology(MIIT)released the Management Measures for Data Security in the Field of Industrial and Information Technology Sectors(for Trial Implementation).One of the more important

280、developments of the Trial Measures is the classification of different types of“industrial and telecom data”as“industrial data”,“telecoms data”,and“radio data”.Under the Trial Measures,businesses are obliged to sort and classify these three types of industrial and telecoms data into three different r

281、isk categories:“core”,“important”,and“ordinary”data.They must then submit a catalog of the“important”and“core”data to the local branch of the MIIT.The Measures took effect on January 1,2023.39PIPL 2024:CROSS-BORDER DATA TRANSFER IN CHINA HANDBOOK On February 22,2023 the CAS released the Standard Con

282、tract Measures for the Export of Personal Information(“Standard Contract Measures”),following the release of the draft version for public comment in June 2022.The Standard Contract Measures clarify how companies can transfer PI outside of China through the standard contract mechanism,in which the co

283、mpany signs a contract with the overseas recipient of the data.The Standard Contract Measures came into effect on June 1,2023.On March 16,2023 the National Information Security Standardization Technical Committee(NISSTC)released the Certification requirements for cross-border transmission of persona

284、l information(the“draft certification requirements”).This draft document,which was released for public comment until May 15,2023,outlines the standards for the third-party certification of companies engaged in the cross-border transfer of PI.At the time of writing,no update has been provided on the

285、public feedback on the draft certification standards,and they have therefore not yet been officially adopted.This means that the rules for the certification method have not yet been finalized.On May 30,2023 the CAC also released the Guidelines for the Filing of Standard Contracts for Exporting Perso

286、nal Information Abroad(First Edition)(the“Standard Contract Guidelines”),a supplementary document that acts as a guide for companies that choose to use the standard contract mechanism.On September 28,2023 the CAC released the Regulations on Standardizing and Promoting Cross-Border Data Flows(Draft f

287、or Comment),which provide several allowances for the export of“important data”and PI in certain scenarios.If passed,the regulations would greatly alleviate uncertainties and compliance burdens for many companies.On March 15,2024 the SAMR and SAC released a new technical standards,titled Data securit

288、y technology Rules for data classification and grading GB/T 43697-2024,which stipulates the rules for classifying three different types of data.On March 22,2024 the CAC the Regulations to Promote and Standardize Cross-Border Data Flows,which provide several measures that will facilitate cross-border

289、 data flows for companies in China,greatly easing compliance burdens and allowing for the free flow of data in certain scenarios.40PIPL 2024:CROSS-BORDER DATA TRANSFER IN CHINA HANDBOOKMeet Our Technology Advisory TeamAdam LivermorePartner DalianNathaniel RushforthSenior Data Security&Compliance Con

290、sultantGroup IT&IS ShanghaiRoy WangAssistant ManagerIT Service ShanghaiPhoebe YanPartnerHead of Group IT&IS DalianKathy WangAssistant ManagerBusiness Advisory Services SuzhouKali WangManagerIT Service ShenzhenScan this QR codeVisit our mobile page andget the latest updates investors news and resourc

291、es with Asiapedia is a collection of resources based on what we have learned about doing business in Asia.Are you making changes to your operations in Asia?Get started by speaking to our professionals todayChina.Hong Kong SAR.Australia.Bangladesh.Dubai UAE.Germany.India.Indonesia.Italy.Japan.Malaysi

292、a Mongolia.Nepal.Singapore.South Korea.Sri Lanka.Thailand.Turkiye.The Philippines.United States.VietnamOur Offices in ChinaBHong Kong SARDDGNHHSQSZSTAccounting|Audit and Financial Review|Business Advisory|Business IntelligenceCorporate Establishment and Governance|Due Diligence|HR and Payroll|Mergers and Acquisitions|Outbound Direct Investment|Risk Management|Tax|Technology

