China’s Personal Information Protection Law (个人信息保护法; the PIPL) lays out strict limitations on cross-border transfers of personal information (PI). Finally, more than nine months after the PIPL came into effect, three new regulatory developments provide guidance on the administrative procedures and detailed rules for implementing the cross-border transfer rules. The new regulatory developments include:
- the issuance of measures to govern the requirement for and conduct by the Cyberspace Administration of China (CAC) of data export security assessments, which will come into effect on September 1, 2022;
- CAC’s publication of a draft standard contract for PI exports and draft implementing regulations; and
- the promulgation of final standards for the conduct of PI security certifications.
This alert briefly reviews the key elements of PIPL’s regulation of PI exports and the implications of these significant developments.
PIPL PI Export Requirements – a Recap
PIPL permits the export of PI only if the PI handler (broadly akin to a “controller” under the EU General Data Protection Regulation (GDPR)) that is exporting the PI:
- passes a security assessment undertaken by CAC;
- concludes a contract with the overseas recipient in the standard form issued by CAC; or
- undergoes a PI protection certification conducted by a specialized agency in accordance with the requirements of CAC.
New Developments
1. Security Assessment Measures
The Data Export Security Assessment Measures (数据出境安全评估办法; the Measures) were issued by CAC on July 7, 2022 and will come into force on September 1, 2022. Notably:
- The Measures confirm that a security assessment will be mandatory in the following circumstances:
(1) the export of any quantity of PI by a critical information infrastructure operator or a PI handler that handles PI of more than one million individuals;
(2) the export of PI by a PI handler that, since January 1 of the previous year, has already exported (a) PI of 100,000 or more individuals or (b) sensitive PI of 10,000 or more individuals;
(3) the export of any “important data” pursuant to China’s Data Security Law (数据安全法). The Measures set out a novel, legally binding definition of that term.
- PI handlers have a six-month grace period—meaning, until February 28, 2023—to comply with the Measures concerning data exports that predate the September 1 effective date of the Measures.
- When applying for a security assessment, the exporting party must submit a copy of a contract with the overseas recipient that documents the parties’ responsibilities and obligations for data security protection. While the Measures do not expressly require that the contract follow the standard contract form (see below), it may be prudent to do so in order to minimize the risk of challenge during the security assessment.
- The Measures lay out the detailed procedures for completing a security assessment, which include timelines for CAC’s review of the application and a limited right of appeal.
- Security assessment results are valid for two years, subject to a requirement to complete a new assessment in certain circumstances.
2. Draft Standard Contract and Regulations
On June 30, 2022, CAC unveiled a draft of the long-awaited standard contract for use by PI handlers exporting PI, along with draft implementing regulations (个人信息出境标准合同规定(征求意见稿)). CAC has set a July 29, 2022 deadline for submission of comments on the draft. Notably:
- Use of the standard contract as the relevant PI export mechanism under PIPL is available only where the conditions for requiring a security assessment (see above) have not been triggered. In other words, use of the standard contract will not obviate the requirement for a security assessment if triggered.
- The PI handler would be required to file a copy of the executed standard contract, together with a self-administered PI protection impact assessment report, with the provincial counterpart of CAC within 10 working days after the contract comes into effect. However, completing this filing step would not be a pre-condition for the transfer.
- While the draft standard contract is similar in some respects to the standard contractual clauses (SCCs) under GDPR, there are a number of distinctions, for example:
- SCCs provide for four distinct scenarios for cross-border transfers of personal data, namely controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor. China’s draft standard contract would apply to controller-to-controller and controller-to-processor transfers only.
- China’s draft standard contract imposes more stringent controls than SCCs on subsequent transfers of PI by the overseas recipient to its downstream recipients. In order to provide PI to another overseas party, the overseas recipient would need to (among other requirements) provide the data subjects with the third party’s name and contact information and, if required by applicable law, obtain separate consent.
- China’s draft standard contract proposes PRC law as the governing law.
- The standard contract form includes an appendix permitting the parties to insert supplementary provisions.
3. PI Security Certification
The Specifications for Security Certification of the Cross-Border Handling of Personal Information (个人信息跨境处理活动安全认证规范; the Specifications), a recommended national standard, were promulgated on June 24, 2022. These Specifications will apply where a PI handler relies on a “security certification” by a specialized agency in order to export PI under PIPL (see above).
The Specifications contemplate that a PI security certification is available where:
- a PI export involves intra-group or inter-company transfers among subsidiaries or affiliates of a multinational company or within a single enterprise; and
- the related PI handling outside of China is by a foreign PI handler subject to PIPL’s extra-territorial jurisdiction.
The Specifications provide useful guidance on the security standards to be applied in the certification process. However, they leave key aspects of the certification mechanism for PI exports to future clarification by CAC, including the certification procedures and which agencies will be authorized to provide certification services.
As further explained in the Terms / Notices linked below, the information provided herein is not legal advice. Any information concerning the People’s Republic of China (“PRC”) is not an opinion on, determination on, or certification of the application of PRC law. We are not licensed to practice PRC law.