China’s restrictions on cross-border data transfer

With the entry into effect of the Data Security Law (DSL) and the Regulations on the Security Protection of Critical Information Infrastructure (the CII Regulations) on 1 September 2021, as well as the recent passing of the Personal Information Protection Law (PIPL), which will come into effect on 1 November 2021, now is a good opportunity to review all of the non-sectoral restrictions on exports of data from China.

Critical information infrastructure operators

Article 37 of the Cyber Security Law (CSL) requires operators of critical information infrastructure (CIIOs) that collect either personal data or ‘important data’ in China to store that data within China. Neither type of data can be transferred overseas without prior regulatory approval having undergone a security assessment, and subject also to demonstrating a genuine business need. Article 37 provides that the rules for conducting the security assessment are to be jointly formulated by the Cyberspace Administration of China (CAC) and the “relevant departments of the State Council”. However, despite the CSL having been effective since June 2017, no procedure for obtaining approval and no standards for the security assessment have ever been implemented.

The CSL does not define critical information infrastructure (CII), and this category of information network has never been comprehensively detailed since. Indeed, until the recent promulgation of the CII Regulations there had been no definitive statement as to what constitutes CII. In the meantime, it is understood anecdotally that the various Chinese cyber security agencies and sectoral regulators have been advising CIIOs of their status for the past several years based on individual determinations (a practice confirmed by Article 20 of the Measures for Cybersecurity Review, which took effect in June 2020).

Article 31 of the CSL adopted the generalised description of CII from the CAC’s Cyberspace Security Strategy from December 2016; namely that CII is “information infrastructure that affects national security, the national economy and people’s livelihoods, such that, if data is leaked, damaged or loses its functionality, national security and public interests may be seriously harmed”.

From the National Information Security Standardisation Technical Committee[1] (TC 260)’s Method of Boundary Identification for Critical Information Infrastructure issued in August 2020 and Article 9 of the CII Regulations, among other sources, it is possible to extract a non-exhaustive list of industry sectors and business areas that may be liable to be categorised as CII:

• finance
• cloud computing, big data and other large-scale public information network services, including those provided over the Internet
• energy, transportation, water management, sanitation and healthcare, education, environmental protection and public utilities, etc
• scientific research and production in fields such as national defence, industrial equipment, industrial chemicals, food and drugs
• public telecommunications, radio and television stations and news agencies.

Article 2 of the CII Regulations states that if an incident affecting an information network within any of these industries and fields may “seriously endanger national security, the national economy, the people’s livelihood and the public interest” then that network could be deemed to be CII.

Article 9 of the CII Regulations provides that the following factors should be taken into account in the identification of CII:

• the importance of the network, etc., to the relevant industry and its key businesses
• the degree of harm that may be caused by the destruction of the network, or by a loss of functions or data
• the impact of an incident on other industries and fields.

The CII Regulations now formally delegate responsibility for formulating rules for the identification of CII and for making determinations of CIIO status to individual sectoral regulators and responsible government departments, acting under the supervision of the CAC (Articles 9 - 11). It nevertheless remains to be seen whether any precise classification system for CII will be made public any time in the near future.

Article 40 of the PIPL confirms the requirement in Article 37 of the CSL for CIIOs to store personal data inside of China and to undergo a security assessment organised by the CAC before transferring that data overseas. The PIPL leaves many questions unanswered in this respect, such as what the duration of any approval would be and how frequently, or in what circumstances, the security assessment would need to be repeated.

A June 2019 draft of the Security Assessment Measures (which was never brought into effect) would have provided that a security assessment is required every two years or when there is a change in the type of personal data being transferred, the purpose of processing or the retention period. A separate approval would be needed to transfer to different overseas recipients but not for a repeated transfer to the same recipient.

The CSL also did not define the concept of ‘important data’. However, this category of data has now been elaborated upon in the DSL (which will be discussed further below).

Other organisations

Under Article 38 of the PIPL, organisations that are not CIIOs will be permitted to transfer personal data out of the PRC where “necessary”, up to a certain threshold level (to be specified at a later date) by either: 

• entering into a standard form CAC data transfer agreement
• obtaining a personal data protection certification (likely to be akin to the GDPR’s ‘binding corporate rules’ - the CAC will publish regulations in due course)
• passing the same CAC security assessment that will apply to personal data transfers by CIIOs.

Article 38 of the PIPL does appear to indicate that the PRC authorities will give effect to cross-border data transfer mechanisms in international treaties and agreements that China is a signatory to. This would include the Cross-Border Privacy Rules (CBPR) system of data privacy certifications implementing the APEC privacy framework. However, this provision of the PIPL will need clarification. 

Organisations exporting personal data will also be responsible for taking all necessary measures to ensure that overseas recipients provide a standard of protection for the transferred personal data that is consistent with the requirements of the PIPL and to ensure that the data is only processed within the scope and for the purpose consented to (Articles 21, 23 and 38).

Transfers of personal data above the specified threshold will also be required to pass the same security assessment (Article 40). It remains to be seen whether the threshold will be a straight annual volume threshold or whether additional sub-thresholds will be applied to individual transfers or to transfers of data of a certain type, e.g. sensitive personal data.

Similar to the CSL, Article 39 of the PIPL requires organisations transferring personal data out of China to inform individuals of:

• the type of personal data that will be transferred
• the name and contact information of the overseas recipient
• the reason for the transfer
• how the overseas recipient will process the data
• the channels for the individual to exercise his or her individual data subject rights as against the overseas recipient [2]. 

The individual’s specific consent must also be obtained to transfer their personal data out of China. And this consent must be explicit, voluntary and fully informed (Article 14). Fresh consent will need to be obtained if the purpose or method of processing is changed.

For other data processing activities, the PIPL departs from the solely consent-based approach of the CSL, enabling personal data to, for example, now also be processed where necessary for the conclusion or performance of a contract, or if the data is already in the public domain, in which case the data can be processed within a “reasonable scope” (Article 13).

The law does not elaborate on the minimum provisions of a data transfer agreement and the CAC has yet to release a draft of the standard form data export agreement referred to in Article 38. The requirements for data export agreements were, however, set out in some detail in the June 2019 draft of the Security Assessment Measures and followed at that time the outline of the EU’s standard contractual clauses.

There are no exceptions for transfers to an overseas affiliate. Moreover, in a set of draft guidelines issued in 2017 (the draft Guidelines for Cross-Border Data Transfer), cross-border transfers were defined to include remote access from overseas.

Under the PIPL, organisations will further be required to conduct a specific data protection impact assessment (DPIA) before undertaking a data export. The risk assessment should consider:

• whether the purpose and method of processing are legal, legitimate, and necessary
• the impact on individuals’ rights and interests
• the risk level and whether the security measures taken are commensurate to the level of risk.

The written DPIA will have to be kept for at least three years, but will not need to be submitted to the authorities.

Third party processors will be required to return or delete personal data after the engagement ends, and may not appoint sub-processors without approval (Article 21).

Important data 

Article 31 of DSL confirms the requirement laid down in Article 37 of the CSL for CIIOs to store ‘important data’ locally. Rules for exports of ‘important data’ by non-CIIOs will be formulated by the CAC and other authorities of the State Council at a later date.

The DSL does not, however, define ‘important data’. Article 21 of the DSL states only that regional and sectoral regulators will be tasked with formulating specific catalogues of ‘important data’ for their respective sectors in line with a yet-to-be-developed national classification system - “based on the importance of data in economic and social development and the degree of harm that would be caused by its destruction, divulgence, illegal acquisition or utilisation, or being tampered with, to national security, the public interest or the lawful rights and interests of individuals and organisations”.

Core national data that is significant for national security, the national economy, people’s livelihood or material public interests will be subject to a more stringent management system, the details of which are yet to be made public.

The draft Measures on the Management of Data Security issued in 2019 referred to ‘important data’ as data that would directly impact national security, economic security, social stability or public health and security if leaked. A catalogue contained in the draft Guidelines for Cross-Border Data Transfer in 2017 indicated that ‘important data’ could include statistical and other aggregated data sets of economic information. Neither of these drafts were ever brought into effect, however.

Review Measures

In early July 2021, the CAC announced cyber security inspections into Didi Chuxing, which operates the popular ride-hailing app ‘Didi’, Full Truck Alliance (FTA), which operates two truck-hailing apps, and Kanzhun, which operates the ‘Boss Zhipin’ recruiting app. The grounds for these investigations have not been made public but came within weeks (or days in the case of Didi Chuxing) of each of these companies having completed their initial public offerings in the United States.

Shortly afterwards, the CAC conducted on-site inspections together with seven other regulatory authorities, including the Ministry of Public Security and the State Administration for Market Regulation (SAMR) pursuant to the Measures for Cybersecurity Review issued in June 2020 by (the Review Measures). The Review Measures set out a procedure for national security review of CIIOs when purchasing network products and services that may impact national security. See earlier briefing here. 

On 10 July 2021, the CAC published a consultation draft of a revision to the Review Measures that proposed to expand the ambit of the review to encompass, in addition to CIIOs, organisations that hold the personal data of more than a million users and which intend to pursue an overseas listing (anywhere other than in Hong Kong), among other new grounds. The potential security risks to be assessed are also proposed to be expanded to include the risk that: (i) ‘core data’ or “large amounts of personal data” may be illegally exported or used; and that (ii) after an overseas listing, ‘core data’, ‘important data’, or large amounts of personal data could become controlled or used maliciously by a foreign government.

Provision of data to overseas regulatory authorities

Both the PIPL (Article 41) and DSL (Article 36) provide that organisations in the PRC may not disclose to a foreign judicial or law enforcement body any information (personal data in the case of the PIPL, and any data in the case of the DSL) that is stored in China without approval from the competent authorities. The assessment of requests for cooperation by overseas judicial and law enforcement bodies is to be based on “principles of equality and reciprocity” (Article 36, DSL).

[1] TC260 is jointly operated by the CAC and the Standardisation Administration of China.  

[2] Namely the right to object to processing, right of access and correction, right of data portability and right of erasure (Chapter IV, PIPL).