Authored by: Dora Si and Andy Yu
Complex data security regime
At a time when the digital economy is booming and cross-border data activities are growing, China’s complex data protection and cybersecurity rules can be a challenge for businesses. The export of personal data from China needs to be considered in the context of China’s 3 underlying data protection laws: the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law (PIPL).
According to Article 38 of the PIPL, a business wishing to carry out cross-border transfers of the personal information of China-based subjects, due to business needs, should satisfy at least one of the following conditions:
Major updates
The details for implementation of these conditions have been unclear until the recent release of a number of major updates by the Chinese Regulators that have shed light on the requirements of Article 38. In particular, the release of the long-awaited final version of the Measures for Security Assessment of Cross-border Data Transfer (the Measures) has elicited much discussion. However, businesses should take note of all the latest developments summarised below:
| No. | Name of document | Status | Criteria / eligibility |
| --- | --- | --- | --- |
| (1) | “Measures for security assessment of cross-border data transfer” (数据出境安全评估办法) | Effective from 1 September 2022, but with retrospective effect: personal information processors should rectify their cross-border transfer practice within 6 months after implementation. | A personal information processor who satisfies one of the following criteria is required to pass an official security assessment conducted by the CAC (“official assessment”): |
| (2) | “Guideline on security certification for cross-border transfer of personal information activities” (Guideline) (个人信息跨境处理活动安全认证规范) | Effective from 24 June 2022 | This avenue of obtaining certification is available to intra-group company transfers of personal information, and personal information processors who are outside Mainland China, but are subject to the extra-territorial application of the PIPL. Further clarification on a number of issues is required, for instance, whether intra-group companies that meet one of the above prescribed criteria set out in the Measures, can be exempted from official assessment if they have already obtained a certification pursuant to this Guideline. |
| (3) | Consultation draft “Regulations for standard contract for cross-border transfer of personal information” (个人信息出境标准合同规定) and “Standard contract template” (个人信息出境标准合同) | Under consultation | A personal information processor who satisfies all of the following criteria may rely on a standard contract in the prescribed form to facilitate the transfer: |
Practical steps for businesses
Although certain aspects of these latest developments may resemble the regulatory landscape concerning cross-border data transfer in other jurisdictions, such as the GDPR, there are key differences. Businesses that are GDPR compliant should still check that they comply with the PIPL. It is therefore important for businesses to review their practices as soon as possible, particularly given the retrospective effect of the Measures for Security Assessment of Cross-border Data Transfer and the relatively short time frame for rectification of 6 months.
Whether a data exporter or data recipient, businesses should review their personal information protection practices, as well as their contractual obligations under any standard contract. As the regulations for cross-border data transfer continue to evolve, businesses will need to be proactive to remain compliant with the latest requirements.