A key deadline is approaching; have you obtained approval from the Chinese government for cross-border transfer of personal data?
The Measures for Cross-border Data Transfer Assessment (“Measures”) that took effect on 1 September 2022 give data exporters only 6 months to get their house in order: Companies that transfer large volumes of personal information outside of China must have completed a security assessment by 28 February 2023. The assessment process is complicated and time-consuming, and affects two types of international companies:
Multinationals with subsidiaries in China, who transfer large volumes of personal information from their subsidiary to HQ or other international affiliates;
Foreign companies that do not have an office in China, but that still collect and process large volumes of personal information coming from China.
Under the PRC Personal Information Protection Law (“PIPL”), the latter group must designate a representative or set up a special agency in China to declare its security assessment.
Large volumes are defined as data volumes reaching the following minimum thresholds:
100,000 individuals’ personal information or 10,000 individuals’ sensitive personal information transferred since 1 January of the previous year;
any personal data of more than 1,000,000 individuals transferred by a Critical Information Infrastructure Operator (“CIIO”) or a data processor; or
if the data transferred abroad is classified as Important Data (as defined in the PIPL).
Steps in the Security Assessment
The security assessment for outbound data transfer mainly includes two processes:
1）Internal Assessment and Application Material Preparation Process
To complete the assessment, the data exporter needs to (1) fully map internal data assets; (2) organize and assess data security management systems and technical measures; (3) check with data importers on how they process the transferred data; and (4) conduct due diligence on the legal and cyber security environment of the importer's country, etc. A self-assessment report as per the Cross-border Data Transfer Security Assessment Declaration Guidelines, along with an outbound data declaration form, contracts concluded with data importers, and a series of other declaration materials are the key components of the filing that need to be submitted to the Cyberspace Administration of China ("CAC") at the provincial level.
2）CAC Approval Process
Within 5 working days the CAC at the provincial level will then examine whether the materials are complete. If so, the application will be transferred to the CAC at the national level and once accepted, the CAC may engage other departments as necessary. Within 45 working days a decision on the security assessment should be issued. A re-assessment may be applied for once.
Passing the CAC’s security assessment is the prerequisite to compliantly transfer large volumes of personal information from China to recipients overseas. Failure to do so can have major repercussions for the business of the data exporter in China, and the ability to continue collecting personal information from China.
At the moment, many companies are still in the process of completing these processes and the general expectation is that the CAC will initially be lenient – as long as progress is being made towards the final goal of completing a full security assessment.
R&P’s data privacy team advises companies on how to remain compliant with China’s data privacy laws, and supports our clients with assessments and CAC filings. For more information on how we can support your business to be compliant, please reach out to [email protected] or [email protected], or to your usual contact at R&P.