China's Regulation on Outbound Data Transfer
In a globalized digital world, cross-border data transfer is inevitable. China adopts strict measures to regulate outbound data transfer. The Cybersecurity Law of the People’s Republic of China /《中华人民共和国网络安全法》(“Cybersecurity Law”), which took effect on June 1, 2017, the Data Security Law of the People’s Republic of China /《中华人民共和国数据安全法》(“Data Security Law”), which took effect on September 1, 2021, and the Personal Information Protection Law of the People’s Republic of China /《中华人民共和国个人信息保护法》(“PIPL”), which took effect on November 1, 2021, are the three fundamental laws that form the regulatory framework for outbound data transfer in China.
This article summarizes the key requirements under Chinese laws with respect to the outbound transfer of personal information[1] and important data[2].
Part 1. Outbound Transfer of Personal Information
A. Three Basic Requirements for the Outbound Transfer of Personal Information
Depending on the nature of the data transferor (i.e., the domestic personal information processor) and the amount of personal information to be transferred out of China, different regulatory requirements apply and hence different options are available to the data transferor for the outbound transfer of personal information (please refer to Section B below for the details). However, regardless of which option a transferor chooses, three basic requirements must be satisfied before the transfer of personal information:
1. Notification
The personal information processor must inform individuals of (i) the processor’s name and contact information, (ii) the purpose and method of processing, (iii) the type of personal information to be processed, (iv) the retention period, (v) the method and procedures for individuals to exercise their statutory rights under PIPL[3] and (vi) the aforesaid information of the overseas recipient.
2. Consent
Personal information processors should also obtain the individual’s consent for the processing of his/her personal information[4] (including, without limitation, his/her separate consent for the outbound transfer of his/her personal information).
3. Personal Information Protection Impact Assessment (“PIPIA”)
A prior PIPIA is mandatory for the outbound transfer of personal information. PIPIA reports and related records should be kept for at least three years[5].
B. Three Compliance Options for the Outbound Transfer of Personal Information
According to Article 38 of PIPL, there are three options available to a personal information processor for the outbound transfer of personal information: (i) passing the security assessment administered by the Cyberspace Administration of China (“CAC”; such assessment is hereinafter referred to as the “CAC Security Assessment”), (ii) obtaining security certification from qualified certification institutions, and (iii) signing standard contracts with foreign recipients.
1. CAC Security Assessment
A critical information infrastructure operator (“CIIO”) and a personal information processor who processes the “statutory number” of individuals’ personal information must pass the CAC Security Assessment for their outbound transfer of personal information.
a. Who are CIIOs
CIIOs are operators of critical information infrastructures (“CII”), which refer to important network facilities and information systems in important industries and fields that are related to national security and public interests, such as public communication and information services, energy, transportation, water conservancy, finance, public facilities, e-government, and military defense. According to the Cybersecurity Law, CIIOs must adopt special protection measures to ensure the security of CII.
In practice, the government will notify a company if it is a CIIO. Before being notified, the company may assume it is not a CIIO.
A CIIO’s outbound transfer of personal information must pass the CAC Security Assessment, regardless of the number of individuals involved.
b. What is the “Statutory Number”
The Measures for Security Assessment of Outbound Data Transfer /《数据出境安全评估办法》(“Security Assessment Measures”), which took effect on September 1, 2022, clarify what the “statutory number” is and provide more details about the CAC Security Assessment.
According to the Security Assessment Measures, a personal information processor reaches the “statutory number” when the number of individuals whose personal information it has processed or transferred meets any one of the following thresholds:
(1) 1,000,000 individuals, whose personal information is processed by the personal information processor;
(2) 100,000 individuals, whose personal information has been transferred out of China by the personal information processor since January 1 of the previous year; and
(3) 10,000 individuals, whose sensitive personal information[6] has been transferred out of China by the personal information processor since January 1 of the previous year.
Personal information processors that process the “statutory number” of individuals’ personal information must pass the CAC Security Assessment for their outbound transfer of personal information.
c. Risk Self-Assessment
To pass the CAC Security Assessment, the personal information processor must complete and submit a risk self-assessment for the outbound transfer of personal information to CAC for its review.
d. Legal Documents
In addition to the risk self-assessment, the legal documents between the transferor and the overseas recipient should also be submitted to CAC for its review.
e. Application Procedures
According to the Guide to Applying for Security Assessment of Outbound Data Transfer (First Edition) /《数据出境安全评估申报指南(第一版)》(“Security Assessment Guide”), the CAC Security Assessment procedures are as follows:
(1) Applying for Assessment
The personal information processor should submit the application to the provincial-level counterpart of CAC that has jurisdiction over the place where the processor is located; if the application documents pass the preliminary review, the provincial-level counterpart forwards the application to CAC for its final review.
(2) CAC’s Assessment
CAC will review and then determine whether to accept the application. If CAC accepts the application, it will complete the CAC Security Assessment within 45 working days. CAC has the discretion to extend the review period.
(3) Re-assessment
If the application has passed the CAC Security Assessment, the assessment result is valid for 2 years. Upon expiration of the assessment result, the personal information processor needs to apply for a re-assessment.
In addition, if any new situation arises that affects data security (e.g., a change of the purpose, method, or scope of the outbound data transfer), re-assessment will also be required.
2. Security Certification
Personal information processors who are neither CIIOs nor processors processing the “statutory number” of individuals’ personal information do not need to pass the CAC Security Assessment. They may choose to obtain security certification from qualified certification institutions.
The National Information Security Standardization Technical Committee (“NISSC”) released the Practice Guideline for Cybersecurity Standards - Security Certification Specifications for Cross-border Personal Information Processing Activities /《网络安全标准实践指南—个人信息跨境处理活动安全认证规范》on June 24, 2022 (“Certification Specifications 1.0”) for security certification.
Less than 6 months later, NISSC released the updated version, the Practice Guideline for Cybersecurity Standards - Security Certification Specifications for Cross-border Personal Information Processing Activities V2.0 /《网络安全标准实践指南—个人信息跨境处理活动安全认证规范V2.0》(“Certification Specifications 2.0”), on December 16, 2022.
a. Application Scope of Security Certification
The Certification Specifications 1.0 only applies to limited scenarios, while the Certification Specifications 2.0 expands the application scope to cover any “personal information processor who carries out cross-border personal information processing activities”.
b. Legal Documents
Similar to the Security Assessment Guide, the Certification Specifications 2.0 requires personal information processors to sign enforceable and binding legal documents with overseas recipients.
3. Standard Contract
a. What is a Standard Contract
According to the PIPL, personal information processors who are neither CIIOs nor processors processing the “statutory number” of individuals’ personal information can choose to execute a contract with an overseas recipient in accordance with the standard contract formulated by CAC in lieu of the security certification.
On June 30, 2022, CAC issued the Provisions on the Standard Contract for Outbound Transfer of Personal Information (Comment-soliciting Draft) /《个人信息出境标准合同规定(征求意见稿)》, which includes a template of the Standard Contract for the Outbound Transfer of Personal Information. This approach is very similar to the Standard Contractual Clauses (“SCC”) under the EU GDPR. Therefore, it is also referred to as the “China SCC”.
b. Standard Contracts vs. Legal Documents Required under the other Two Options
The China SCC contains detailed clauses regarding (i) the rights and obligations of personal information processors, (ii) the rights and obligations of overseas recipients, (iii) the impact of the personal information protection laws and regulations of the overseas recipient’s country/region on the China SCC, (iv) individuals’ rights, (v) remedies, (vi) liability for breach of contract, and (vii) applicable laws and dispute resolution. A more detailed introduction to the China SCC can be found in our previous article: “Ins and Outs of China's SCC”.
The Security Assessment Measures and the Certification Specifications 2.0 both require legal documents with the overseas recipients, but they do not mandate that such legal documents take the form of the China SCC. The China SCC, in fact, has the most extensive and comprehensive contents of the three. Therefore, signing the China SCC can likely meet the requirements for legal documents under the Security Assessment Measures and the Certification Specifications 2.0.
Part 2. Outbound Transfer of Important Data
A. CAC Security Assessment
According to the Security Assessment Measures, the outbound transfer of important data must pass the CAC Security Assessment, with no exception. The assessment process is the same as that for the outbound transfer of personal information (please refer to Section B.1.e of Part 1 for the details).
B. Identification of Important Data
The current regulations are unclear on how to identify important data, and there are two major issues that have yet to be clarified:
1. Important Data Catalogue
The Data Security Law requires that: (i) the central government should formulate an important data catalog on the basis of the national data classification and hierarchical protection system; and (ii) the competent authorities of each region, industry, or field should formulate specific catalogs of important data applicable to their respective regions, industries, or fields.
To date, the government has formulated important data catalogues for only a few industries, such as the automobile industry[7] and the basic telecommunications industry[8], while most other industries still lack their own important data catalogues.
In 2022, NISSC released the Information Security Technology - Guidelines for Important Data Identification (Draft for Comments) /《信息安全技术 重要数据识别指南(征求意见稿)》, which sets out the key principles for important data identification. However, on one hand, it is too general and hence lacks detailed guidance for practice, and, on the other hand, it is still a draft and has yet to be officially adopted.
2. Important Data and Personal Information
Article 37 of the Cybersecurity Law mentions personal information and important data together, which seemingly implies that “personal information” and “important data” belong to two separate categories that do not overlap. However, the important data catalogue for the automobile industry includes “personal information involving more than 100,000 individuals” as one type of important data[9].
Without clear guidance, there seems to be no black-and-white line between personal information and important data.
Part 3. CAC’s Grace Period and Future Outlook
CAC’s Security Assessment Measures took effect on September 1, 2022 and provide a 6-month grace period for companies to take the necessary measures to meet the compliance requirements for their outbound data transfer. The grace period will end on February 28, 2023.
As the deadline is approaching and also with more and more detailed implementation rules being released, the Chinese government may take more aggressive approaches to regulate outbound data transfer. Companies need to act quickly.
[Note]
[1] “Personal information” refers to information related to an identified or identifiable natural person, regardless of whether it is recorded by electronic or other means, such as paper documents.
[2] Please refer to Section B of Part 2 for the identification of important data.
[3] See Article 17 of PIPL.
[4] See Items 2 to 7, paragraph 1, Article 13 of PIPL.
[5] See Article 55 of PIPL.
[6] “Sensitive personal information” refers to personal information that, once leaked or used illegally, can easily lead to the infringement of a natural person’s personal dignity or to harm to personal or property safety. Typical sensitive personal information includes information relating to someone’s biometric data, religious beliefs, specific identities, medical and health care data, financial accounts, and whereabouts.
[7] See the Automotive Data Security Management Regulations (Trial)/ 《汽车数据安全管理若干规定(试行)》.
[8] See YD/T 3867-2021 Identification Guide of Key Data for Telecom Operators/《YD/T 3867-2021 基础电信企业重要数据识别指南》.
[9] See Article 3 of the Automotive Data Security Management Regulations (Trial)/ 《汽车数据安全管理若干规定(试行)》.