But keep an eye out for other current developments.
We have been tracking developments in China’s data compliance framework for a few years. One of the associated laws, mentioned in previous articles, is the Personal Information Protection Law (PIPL), which became effective on Monday, November 1. This milestone has sparked renewed interest both in China and abroad.
The Cyberspace Administration of China (CAC) also released an accompanying set of draft guidelines the Friday before, on October 29, called the Draft Measures on Security Assessment of Cross-Border Data Transfer (Draft Measures). While this is not the first time the authorities have released similar draft guidelines, we think this version likely represents nearly final language, considering that the PIPL is now in effect.
Due to these recent developments, we decided to address one of the key questions our clients ask: how do we handle cross-border data transfer?
PIPL Recap
The PIPL is widely seen as China’s answer to the EU’s GDPR. This is true in the sense that the PIPL is a comprehensive, almost all-encompassing law that applies to personal information collected in China. It includes extra-territorial jurisdiction in some cases. It confers a wide range of rights and obligations on both companies and individuals, many of which hinge on explicit consent of the individual for the use of their data. Internally created Personal Information Impact Assessment statements are also required. It is important to note briefly that there are circumstances under which explicit consent for collection and processing is not required, but for the purposes of this article we will not address those.
One of the primary obligations placed on data collectors under China’s data protection framework is data localization; the general rule is that personal information must be stored in China. Ongoing concerns include, of course, specific requirements surrounding if and when personal information may be transferred abroad.
Related to the PIPL rules is the need for a “security assessment” prior to cross-border transfer. What exactly this means, and under what specific conditions it must be performed, has been the subject of some speculation. As of October 29, though, just before the PIPL became effective on November 1, we received some additional guidance.
Draft Measures
The Draft Measures apply to both personal information and important data collected by critical information infrastructure operators (CIIO) as loosely defined elsewhere in China’s cybersecurity framework. Regarding security assessments, the Draft Measures indicate that a security assessment is required under the following circumstances:
• transfer of personal information and important data collected and generated by CIIO;
• transfer of personal information by a data collector/processor that handles over 1 million individuals’ personal information;
• cumulative transfer of personal information of more than 100,000 individuals;
• cumulative transfer of “sensitive” personal information of more than 10,000 individuals;
• other conditions as determined by the CAC.
*We think “cumulative” indicates multiple cross-border data exchanges, perhaps over a certain period of time such as one year, though this does not yet appear entirely clear.
A company subject to these rules must first conduct a self-assessment that addresses certain issues, including, but not limited to, the legality and necessity of the transfer, the rights of the individuals, the risk of data compromise, and whether there is a data transfer agreement that addresses data protection concerns.
Once the self-assessment is complete, the company would then submit an application and any required materials to the CAC, which then performs its own evaluation focusing on the above issues as well as any other criteria the CAC might impose. The Draft Measures indicate that the CAC would issue its response assessment within 45-60 business days, and that the assessment would be valid for two years.
It is important to note that some businesses might not be covered by these guidelines. However, we will not know until the authorities release further guidance on this, potentially on an industry-by-industry basis.
What’s next?
The Draft Measures are open for public comment until November 28. When the Draft Measures are finalized, they will provide further clarity for companies on how to comply with this central piece of China’s data security framework. While that clarity is helpful, it opens the door for further targeted enforcement actions against those deemed not in compliance. With that in mind, as we always say, it is important to be proactive on issues like this.
Our team at DaWo has been working with clients on these evolving issues since the first Cybersecurity Law became effective in 2017. We are ready to help you and your company prepare for upcoming developments in this arena. Please feel free to reach out if you have any questions.