China’s 3 Data Cross-border Transfer Mechanisms In a Nutshell
Legislative background
The Chinese data protection regime, consisting mainly of the Cybersecurity Law of the People's Republic of China (“中华人民共和国网络安全法”, “CSL”), the Data Security Law of the People's Republic of China (“中华人民共和国数据安全法”, “DSL”) and the Personal Information Protection Law of the People's Republic of China (“中华人民共和国个人信息保护法”, “PIPL”), sets out comprehensive data protection rules, among which the supervision of cross-border data transfers has always been a regulatory focus.
With the release of the Practice Guideline for Cybersecurity Standards - Specification for Security Certification of Cross-Border Transfers of Personal Information (“网络安全标准实践指南—个人信息跨境处理活动安全认证规范”, “Specification”) by the TC260[1] on 24 June 2022, the Provisions on Standard Contracts for Cross-border Transfers of Personal Information (Draft) (“个人信息出境标准合同规定(征求意见稿)”, “Provisions”) by the Cyberspace Administration of China (“CAC”) on 30 June 2022, and the Measures for the Security Assessment of Data Cross-border Transfer (“数据出境安全评估办法”, “Measures”) by the CAC on 7 July 2022, the implementing rules for the three data cross-border transfer mechanisms, i.e., the CAC Security Assessment, the Chinese Standard Contract (“CN SCCs”) and the Certification, have been largely settled.
I. Key points
Among the three cross-border transfer mechanisms set out under the Chinese data protection regime:
- The CAC Security Assessment is mandatory once the triggering conditions stipulated by the laws are met.
- The Certification is by nature a voluntary mechanism recommended by the State. It mainly applies to cross-border transfers of personal information (“PI”)[2] within multinational companies, or between subsidiaries or affiliates of the same business entity, with relatively stable management or business relationships. The Certification can be regarded as a relatively long-term mechanism: once certified, a company can rely on it for continuous cross-border transfers within the certified scope unless a material change occurs.
- The CN SCCs, owing to their flexibility and the wide range of processing scenarios they cover, are regarded as the most commonly used mechanism for regular cross-border data transfers.
The key points of each mechanism are set out below.
1. CAC Security Assessment[3]
Triggering conditions.
- Cross-border transfer of Important Data[4] by data processors;
- Cross-border transfer of PI by Critical Information Infrastructure Operators (“CIIOs”)[5] or by data processors processing the PI of over 1 million individuals;
- Cross-border transfer of the PI of 100,000 individuals or the sensitive PI of 10,000 individuals cumulatively since 1 January of the previous year; or
- Other circumstances prescribed by the CAC. (Art. 4, the Measures)
Filing obligations.
- Self-assessment prior to applying for the Assessment; (Art. 5, the Measures)
- Submission of the following materials: 1) declaration form; 2) self-assessment report; 3) legal documents to be concluded between the data processor and the overseas recipient; and 4) any other materials necessary for the Assessment; (Art. 6, the Measures)
- Continuous monitoring, and re-filing upon any change affecting the security of the cross-border transfer or other circumstances stipulated by the laws. (Art. 14, the Measures)
Assessment and process. The assessment criteria focus in particular on the legislation of the third country, the potential risks during the cross-border transfer and any onward transfer, data subject rights, and the binding instruments concluded between the data processor and the overseas recipient. (Art. 8, the Measures) The result of the Assessment is valid for 2 years unless a re-application is required. Please refer to Chart 1 for the detailed process of the Assessment.
*The Assessment would normally take 5 (materials check) + 7 (acceptance decision) + 45 (assessment) = 57 working days.
Chart 1. Process-CAC Security Assessment
2. CN SCCs[6]
Applicable scope. PI processors shall meet all of the following: they are not CIIOs; they process the PI of fewer than 1 million individuals; and they have not cumulatively transferred overseas the PI of 100,000 individuals or the sensitive PI of 10,000 individuals since 1 January of the previous year. (Art. 4, the Provisions)
Nature. The standard contract is binding and enforceable under Chinese law and should also be enforceable by data subjects as third-party beneficiaries.
Aim. Substantive protection: to ensure that PI processing activities by the overseas recipient meet the standards for PI protection prescribed by the PIPL.
Filing requirements. PI processors shall, within ten working days after the effective date of the standard contract, file the concluded standard contract and the PIA report with the cyberspace administration at the provincial level. (Art. 7, the Provisions)
Key contents of the CN SCCs. The CN SCCs contain key sections including the contact details of the parties, a description of the processing, the obligations of the parties (particularly with respect to potential risks during the cross-border transfer and any onward transfer), third country legislation, data subject rights, redress and liabilities. (Art. 6, the Provisions)
Comparison with EU SCCs. The CN SCCs:
- Do not distinguish between processing relationships (e.g., C-C, C-P) in the text;
- Specify that the SCCs shall be concluded between a PI Processor[7] (substantially equivalent to a “controller” under the GDPR) and the overseas recipient.
3. Certification[8]
Applicable scope
- Intra-group cross-border transfer of PI among MNCs, or between subsidiaries or affiliates of the same business entity; or
- Extra-territorial application of the PIPL pursuant to Art. 3.2 of the Law. (Art. 1, the Specification)
Certified entity
- The Chinese entity of the MNC, etc.; or
- Specialized agencies or designated representatives established in China by entities subject to the PIPL pursuant to Art. 3.2 of the Law. (Art. 2, the Specification)
Basic requirements
Legally binding agreements; organizational management (a DPO or relevant organization); rules for cross-border transfers (e.g., retention, disposal after expiration, onward transfers, liabilities, etc.); PIA; etc. (Art. 4, the Specification)
Data subject rights
Substantive protection, including third-party beneficiary rights, claims against overseas recipients, complaints to authorities or legal proceedings before courts by data subjects, and commitments by PI processors and overseas recipients to comply with the laws and respond to competent authorities. (Art. 5, the Specification)
II. How to choose your cross-border transfer mechanism?
The following flowchart provides concise guidance for companies to determine the cross-border transfer mechanism suitable for their case in essentially three steps: subject determination (whether the company constitutes a CIIO), data identification (whether Important Data or PI is involved) and selection of the suitable mechanism.
Chart 2. Flowchart of data cross-border transfer mechanisms
III. FAQs
The frequently asked questions below address the issues of most concern to companies, to help them understand the three cross-border transfer mechanisms.
What is “cross-border transfer"?
Data cross-border transfer refers to Important Data or PI collected and generated by a data processor during its operations within the territory of China being transferred overseas, or being accessed by overseas institutions, organizations or individuals. The key elements of the notion are: 1) data type: Important Data or PI collected and generated in domestic operations; 2) method: physical transfer and remote access; 3) “overseas”: countries or regions outside the Chinese mainland, including Hong Kong SAR, Macao SAR and Taiwan; 4) parties: the data exporter discloses by transmission, or otherwise makes available, the data subject to the processing to the data importer.
How to understand the “threshold”?
- 1 million, i.e., “data processors processing the PI of over 1 million individuals”: the overall volume of PI processed by the data processor, covering all data subjects such as customers, users, employees, etc. For corporate groups, it is understood to be calculated separately for each entity, except in scenarios of data mixing or fusion, which are to be analyzed on a case-by-case basis.
- 100,000 and 10,000, i.e., “cross-border transfer of the PI of 100,000 individuals or the sensitive PI of 10,000 individuals cumulatively since 1 January of the previous year”: it is believed that if the same data processor provides PI to different recipients, the number of data subjects involved should be calculated cumulatively.
About localization.
- CIIOs holding PI and Important Data collected and generated during their operations within the territory of the People's Republic of China are subject to localization requirements and shall pass the CAC Security Assessment when it is truly necessary to provide such data overseas for business purposes.
- In accordance with Art. 4 of the Measures and Art. 40 of the PIPL, it is understood that PI processors meeting the numerical threshold of “1 million” are subject to the localization requirement and shall pass the Assessment, though uncertainty remains as to whether the cumulative thresholds of the PI of 100,000 individuals and the sensitive PI of 10,000 individuals fall within the localization requirement under the PIPL.
- Processing of Important Data by data processors does not necessarily fall within the localization requirement, unless otherwise stipulated by laws and regulations.
Relationship between binding legal documents and the SCCs.
The binding legal documents required under the CAC Security Assessment and the Certification differ in legal nature from the SCCs, as the SCCs are themselves one of the cross-border transfer mechanisms under the PIPL. In the context of cross-border data transfer, however, the SCCs may overlap with those legal documents in their value orientation and in certain contents protecting the rights and interests of data subjects. It should be noted that the legal documents under the Assessment may cover the protection of Important Data, which is not addressed in the text of the SCCs.
Whether the SCCs or the Certification?
The Certification is a relatively long-term mechanism for regular data transfers, especially for intra-group processing activities, and can be considered a relatively stable and continuous mechanism. To a certain extent the Certification is similar to the binding corporate rules (“BCRs”) under the GDPR, which share similar requirements such as legally binding agreements, organizational management and rules for cross-border transfers.
The SCCs, as opposed to the Certification, are a more flexible transfer tool, suitable for relatively short-term or temporary cross-border transfers, or for continuous transfers with various business partners based on relatively simple and clear processing purposes.
IV. Compliance tips
With the release of the implementing rules for the three Chinese data cross-border transfer mechanisms, it is now time for companies to determine their overall strategy for cross-border data transfers. Companies with ongoing cross-border transfers that are truly necessary for business purposes shall conduct a risk self-assessment and, if the CAC Security Assessment is triggered, complete the Assessment as required during the 6-month transition period, or otherwise choose the appropriate cross-border transfer mechanism as stipulated by the laws.
In general, companies are recommended to take the following steps to better respond to the compliance requirements of the various data cross-border transfer mechanisms:
- Overall strategy for data cross-border transfers. Cross-border data transfer regulation will remain a continuous supervision focus. The time for companies to develop an overall strategy has come, as the fundamental laws and the supplemental implementing rules have largely been settled and outline the three clear mechanisms of the CAC Security Assessment, the CN SCCs and the Certification.
- Data mapping. Carry out a data inventory across the various business scenarios, e.g., with respect to the volume, scope, type and sensitivity of the PI transferred, the purpose and method of the cross-border transfers, the overseas systems involved, etc. Conduct a self-check against high-risk points such as the identification of Important Data and CII determination, giving priority to business lines with over 1 million users or involving Important Data.
- Risk self-assessment. A self-assessment of the risks of cross-border transfers is required under all cross-border transfer mechanisms.
- Choice of cross-border transfer mechanism. Choose the appropriate cross-border transfer mechanism as stipulated by the laws, based closely on the factual situation of the processing in question and the company's operations. Companies are also recommended to keep abreast of legislative developments, enforcement trends and industry practice.
- Implementation of the selected mechanism. Companies shall start the related preparations based on the mechanism selected. For effective implementation, companies can first begin preparing the self-assessment work and the legally binding agreements to be concluded.
[Note]