Article 38 of the Personal Information Protection Law (PIPL) provides that most organisations will be permitted to transfer personal data out of China without first undertaking a security assessment, provided the transfer stays below a volume threshold to be specified by the regulator. See here for our earlier briefing on this topic. Shortly before the PIPL came into force on 1 November 2021, that threshold was published.
It is:
- the cumulative transfer of the personal data of more than 100,000 persons
- the cumulative transfer of the sensitive personal data of more than 10,000 persons
- any transfer of personal data by an organisation that processes the personal data of one million or more persons (in China).
Cross-border transfers of personal data above these thresholds will first need the approval of the Cyberspace Administration of China (CAC) after undergoing a security assessment.
The thresholds are not stated to be annual. In the absence of further clarification, it will have to be assumed that they are cumulative.
Draft Measures for Security Assessment of Cross-border Transfer of Data
The draft Measures for Security Assessment of Cross-border Transfer of Data (the Draft Security Assessment Measures) were published on 29 October 2021. As well as laying down these thresholds (in Article 4), the Measures will also govern the conduct of security assessments and specify the minimum provisions in a data transfer agreement (DTA).
Passing a security assessment is also a requirement for any export of personal data by an operator of critical information infrastructure (a CIIO). The Measures further confirm that any transfer of ‘important data’ out of China will similarly need to pass a security assessment, even where the transferor is not a CIIO, a point that Article 31 of the Data Security Law had left open.
The security assessment
The Draft Security Assessment Measures require the transferor to carry out a self-assessment before transferring data overseas. The self-assessment report and a copy of the applicable DTA (see further below) must then be submitted to the CAC for security assessment (Article 6). It is implied, but not expressly stated, that the data cannot be transferred until the CAC has approved the transfer.
The self-assessment report will need to address the risks involved in transferring the data outside of China, taking into account:
- the legality, legitimacy and necessity of the purpose, scope and method of the transfer and the overseas recipient’s processing
- the volume, scope, type and sensitivity of the data
- the potential harm to national security, the public interest and the legitimate rights and interests of individuals or organisations (it is unclear what the latter refers to)
- the technical and organisational measures in place to prevent leakage of, or damage to, the data, and whether the obligations placed on the overseas recipient are adequate
- the risks of data leakage and other breaches when data is transferred out of China (or during any onward transfer)
- channels for data subjects to exercise their individual rights
- the terms of the DTA.
The CAC will review the application against the same criteria and, in addition, the personal data and cyber security law of the recipient country and whether the recipient protects personal data to the standard required by Chinese law.
The timings for a security assessment are as follows:
- Seven working days to accept the application (it is not clear whether reasons will be given for a rejection).
- 45 working days to complete the assessment (counted from the date of acceptance of the application).
- The period may be extended in complicated cases or if further information or materials are required but should generally be concluded within 60 days in total.
Several aspects of the security assessment are specific to the individual recipient, which indicates that a separate security assessment will be required for each recipient. There is no exception for transfers to an affiliate.
An approval will be valid for two years. A fresh security assessment will be required sooner if, within that two-year period, there are changes to:
- the composition of the data being transferred or how it is transferred
- how the data is processed by the overseas recipient, or for what purpose
- the data retention period
- the ownership/ control of the overseas data recipient
- the terms of the DTA
- the legal environment in the recipient country.
The same process will apply to transfers of (any amount of) important data out of China.
Data transfer agreement
Given that a copy of the DTA will need to be submitted with the application for security assessment, a DTA effectively becomes a mandatory requirement (and will, as a consequence, also need to be in Chinese).
Article 9 of the Draft Security Assessment Measures sets out the following required provisions:
- the purpose, scope and method for transferring the data
- the permitted processing purposes and method
- the location where the data will be stored overseas and the retention period
- how the data will be handled after expiry of the retention period or termination of the DTA
- restrictions on onward transfers of the data
- the security measures the recipient is required to implement
- liability for breach and dispute resolution clauses
- a data breach handling protocol.
In practice it is expected that many organisations will choose to adopt the CAC’s model clauses when these are published (see also Article 38, PIPL).
Conclusion
The relatively low thresholds the CAC intends to set will affect cross-border data transfers by a sizeable proportion of multinational companies operating in China (and many China-origin companies as well).
Until the process has settled down, the expected backlog has cleared and companies have built up experience of how applications are evaluated, many will be considering whether to fully separate the IT systems for their Chinese operations and store data locally, or at least to minimise access from, and transfers to, offices and vendors overseas.
The consultation period ends on 28 November 2021.