Cross-Border Transfer of Personal Data in China
China’s legal regime for data protection has developed at a rapid pace. Before the promulgation of the Cybersecurity Law (the “CSL”) in November 2016, China did not have a comprehensive data protection law, although a number of legal and regulatory requirements on data privacy and data protection could be found across various laws, regulations and rules. With the implementation of the CSL in June 2017 and the other two pillar laws, i.e., the Data Security Law (the “DSL”) implemented in September 2021 and the Personal Information Protection Law (the “PIPL”) implemented in November 2021, China has established its own legislative framework for cybersecurity and data protection.
Since the implementation of the PIPL, we have been approached by many multinational companies with inquiries into the data localization and cross-border transfer requirements for personal data[1]. This article aims to provide a general picture of the requirements and steps that multinational companies in China need to follow when they intend to transfer personal data outside China.
General Rules on Personal Data Cross-Border Transfer
An important aspect of the CSL is that it introduces the concept of critical information infrastructure operators (the “CIIOs”) and imposes a data localization requirement upon CIIOs, under which any personal data and important data collected and/or generated during the business operation of CIIOs within China shall be stored in China and not transferred abroad. Where there is a business necessity, CIIOs can transfer personal data and important data outside China, provided that they conduct a security assessment in accordance with the relevant rules issued by the PRC cyberspace administration authority (the “Cyberspace Authority”) and other competent authorities of China.
Under the CSL, the critical information infrastructure (or the CII) is broadly defined and expressly covers a wide range of sectors including energy, transportation, electricity, water, gas, financial institutions, telecom and social security. In addition, the CSL also includes a broad catch-all for the CII so as to cover other infrastructure that, in the event of damage thereto, loss of function thereof or leak of data therefrom, could seriously jeopardize national security, national economy, people’s livelihood or public interest.
The CSL imposes the data localization requirement only on CIIOs; the PIPL, however, imposes further responsibilities upon any personal data processor (including non-CIIOs) that intends to transfer or provide personal data outside China.
Under the PIPL, any personal data collected by CIIOs, or by personal data processors that process personal data reaching a threshold amount to be stipulated by the Cyberspace Authority, shall be stored in China. If CIIOs or personal data processors reaching the threshold amount intend to transfer personal data outside China, they shall pass the security assessment organized by the Cyberspace Authority. Where any other personal data processor intends to transfer personal data outside China, at least one of the following conditions shall be satisfied before the personal data is transferred to a recipient outside China: (a) passing the security assessment organized by the Cyberspace Authority; (b) obtaining the personal information protection certificate issued by a qualified certificate agent in accordance with the relevant rules published by the Cyberspace Authority; or (c) entering into a standard contract published by the Cyberspace Authority with the overseas personal data recipient.
A personal data processor is defined under the PIPL as any entity or individual that is able to independently determine the processing purposes and processing methods in personal data processing activities, which is akin to the concept of a data controller under the General Data Protection Regulation (“GDPR”). Therefore, any entity in China (including a multinational company) could be viewed as a personal data processor when it collects and processes personal data, and would further be subject to the cross-border transfer requirements under the PIPL mentioned above when it intends to transfer such personal data outside China.
Detailed Procedures/Paths to Legally Transfer Personal Data Outside China
The PIPL, as a national law, is drafted in relatively general terms. Although it provides certain requirements/conditions for personal data cross-border transfer, it is silent on the specific procedures and standards for the security assessment, the personal information protection certificate, etc. To fill this gap, the relevant PRC authorities have released a number of draft rules for public comment, such as the Measures for the Security Assessment of Data Cross-Border Transfer (the “Draft Security Assessment Measures”) released by the Cyberspace Administration of China on 29 October 2021, the Network Data Security Administration Regulation (the “Draft Network Data Security Regulation”) released by the same authority on 14 November 2021, and the Network Security Standards Practice Guideline – the Certification Specification for Personal Information Cross-Border Processing Activities (the “Draft Certification Specification”) released by the National Information Security Standardization Technical Committee on 29 April 2022.
Security Assessment Procedure
The Draft Security Assessment Measures not only echo the requirement under the CSL and the PIPL that any CIIO or personal data processor reaching the threshold amount shall pass the security assessment with the Cyberspace Authority before transferring personal data outside China, but also further clarify the standards for the “threshold amount” and the specific procedure and requirements of the security assessment.
Under the Draft Security Assessment Measures, the following two scenarios would be viewed as reaching the threshold amount, and the relevant personal data processors would be required to pass the security assessment: (a) any data processor that processes the personal data of one million data subjects; (b) any data processor that provides the personal data of more than 100,000 data subjects, or the sensitive personal data[2] of more than 10,000 data subjects, outside China.
With respect to the specific procedure and requirements, before any CIIO or personal data processor reaching the threshold amount specified above can transfer personal data outside China, it shall first conduct a security risk self-assessment, which, among other things, focuses largely on the impact of the personal data export on China’s national security and public interest, as well as on the data processor’s capacity to secure the personal data against leakage, damage and other risks.
Upon completion of the self-assessment, the data processor can initiate the security assessment procedure by submitting the self-assessment report, the application form, the data transfer agreement between the data processor and the overseas data recipient, etc. to the Cyberspace Authority. The Cyberspace Authority has 7 business days to determine whether to accept the application and, after making the acceptance decision, no more than 60 business days to review it and deliver a final decision to the applicant.
The assessment process focuses heavily on the risk that the cross-border transfer poses to national security, public interest and the legitimate rights of individuals or entities. The approval of the security assessment is valid for a period of only 2 years, and before the expiration date a re-application would be required if, among other things, the purpose, method, scope or type of the cross-border transfer changes, the overseas retention period is extended, the legal environment of the country or region where the overseas recipient is located changes, or control of the data processor or of the overseas recipient changes hands.
Personal Information Protection Certificate and Standard Contract
For non-CIIOs that process personal data not reaching the threshold amount specified under the Draft Security Assessment Measures, the security assessment above is not the only way to legally provide personal data outside China. As introduced by the PIPL, they could choose either (a) obtaining the personal information protection certificate, or (b) entering into a standard contract issued by the Cyberspace Authority with the overseas data recipient.
With respect to the personal information protection certificate, the PIPL itself is silent on the specific procedure or standards of the certification process. The recently released Draft Certification Specification aims to provide standards and requirements that both support qualified certificate agents in their certification work and guide data processors in their cross-border transfer activities. However, certain issues, such as what standards/requirements must be met in order to act as a qualified certificate agent, what specific procedure should be followed in the certification process, and how long the certificate remains valid once obtained, remain unclear and need to be answered by forthcoming rules.
Under the Draft Certification Specification, personal data processors (or their branch offices or representatives, as the case may be) located in China are required to apply for the certificate if they intend to transfer personal data outside China. This appears to differ from the corresponding requirement under the Draft Network Data Security Regulation, where both the personal data processor and the relevant overseas data recipient are required to obtain the certificate issued by a qualified certificate agent. Further clarification from the competent PRC authorities is needed, especially for the case where an overseas recipient has no representative located in China.
In order to successfully obtain the certificate, the Draft Certification Specification introduces a number of requirements, each with detailed criteria. In a nutshell: a binding agreement shall be signed between the data processor and the relevant overseas recipient in order to protect data subjects’ legitimate rights; each party to the cross-border transfer shall appoint a person responsible for personal data protection (we understand that a company’s data protection officer could assume this responsibility); each party shall set up a personal data protection department to secure personal data against unauthorized access, leakage, falsification or loss; the parties shall comply with consistent rules regarding cross-border processing of personal data; and the parties shall assess in advance whether the cross-border transfer activities are based on the principles of legality, legitimacy and necessity, and whether the adopted protective measures are commensurate with the level of risk, etc.
Alternatively, non-CIIOs that process personal data not reaching the threshold amount can enter into a standard contract with the overseas recipient in order to legally transfer personal data outside China. However, as of the publication of this article, no standard contract has been published by any competent Chinese authority.
That said, considering the relevant requirements under the Draft Security Assessment Measures, the following items are likely to be included in the standard contract: (a) the purpose and method of the data transfer, and the scope of data being transferred; (b) the purpose of, and the method adopted by, the overseas recipient in processing the personal data; (c) the data storage location, the retention period, and the measures to be taken upon the expiration date, upon termination of the agreement, or once the processing purpose has been achieved; (d) the restrictions on the overseas recipient re-transferring personal data to other persons; (e) the security measures to be taken when the safety of the personal data cannot be secured due to a change of control of the overseas recipient, a change in its business scope, or a change in the legal environment of the country or region where the overseas recipient is located; (f) the liabilities for breach of the data security obligations and the dispute resolution mechanism; (g) the emergency plan for data breach incidents and the channel through which data subjects can secure their legitimate rights over their personal data.
Other Key Requirements in Personal Data Cross-Border Activities
Besides the major paths to legally transfer personal data outside China, the following requirements/issues are also worth noting. The PIPL reiterates the principle set forth in the CSL that data subjects shall be notified by data processors of the purpose, method and scope of data collection and processing, and that their consent shall be obtained before any data processor can legally collect and process their personal data. The PIPL further requires that, in the scenario of cross-border transfer, data subjects shall be notified of the name and contact information of the overseas recipient, the purpose and method of data processing, the scope of personal data to be processed, and the method and procedure for data subjects to exercise their rights against the overseas recipient; moreover, the data subjects’ separate consent is required. The Draft Network Data Security Regulation further provides that, if such separate consent has already been obtained at the time of data collection, it need not be re-obtained at the time of the cross-border transfer so long as the transfer arrangement does not exceed the scope of the consent given at collection.
With respect to the threshold amount for the mandatory security assessment with the Cyberspace Authority, even with the scenarios set forth under the Draft Security Assessment Measures, one should bear in mind that specific industry authorities may issue their own requirements setting higher standards. For example, under a regulation titled the Several Provisions on Vehicle Data Security Management (for Trial Implementation), issued by the Ministry of Industry and Information Technology, the Ministry of Transport, the Cyberspace Administration of China and several other governmental bodies on 16 August 2021, a set of data involving the personal data of more than 100,000 data subjects would be viewed as important data and would therefore be subject to the data localization requirement, which requires vehicle data processors to pass the security assessment if they intend to transfer such data outside China.
It is also worth noting that the PRC authorities have set a special restriction on the scenario where personal data would be provided to foreign judicial bodies. Under the PIPL and certain other rules, personal data processors shall not provide any personal data stored within China to any foreign judicial or law enforcement body without the approval of the competent PRC authorities. Other requirements, such as the retention period for the relevant logs and governmental approval records, the annual data cross-border transfer security report obligation, etc., also need to be observed in order to fully comply with the relevant PRC rules.
Practical Recommendations
China’s data legal regime is still developing rapidly, and the cost of violations has risen dramatically, especially with the implementation of the PIPL[3]. In order to comply with the relevant data rules, multinational companies in China need to strictly observe the binding laws and regulations and closely watch any new rules and their development.
Well-developed internal data management policies and a regular training scheme are important for multinational companies in China to comply with the relevant Chinese laws. In addition, it is also important to establish a communication mechanism with the relevant authorities in order to seek their opinions, especially where certain rules are not very clear and no further clarification or precedent is publicly available.