Data Transfers in a Global Environment: Cross-Border Data Transfers from China | Denton

October 28, 2022

I. Preface

Along with the development of the digital market in the People’s Republic of China (PRC), cross-border data transfer activities have become increasingly common there in recent years, while the risks of such activities have also become significant. Adopted by the National People’s Congress on November 7, 2016, the PRC’s Cybersecurity Law stipulated for the first time that cross-border transfers of personal information and important data collected or generated by critical information infrastructure operators (CIIO) can only be performed after a security assessment of the CIIO by the Cyberspace Administration of China (CAC) and other relevant state departments. Since then, China has enacted the PRC Data Security Law, as the top-level legislation of the general data protection regime, and the PRC Personal Information Protection Law to protect personal information. To complement the details of data protection legislation, China has also formulated supporting regulations, such as the Outbound Data Transfer Security Assessment Measures, which clarify the rules and procedures that various types of data must follow for cross-border transfers.

II. Main types of protected data

Generally, data protection laws around the world, such as those in China, tend to focus on the protection of personal data/information and the rights of data subjects. However, unlike many other jurisdictions, in China’s data protection regime, there are other types of data that are considered sensitive for national security or social stability. These types of data also require protection and processing restrictions. Cross-border transfers of the following types of data must be handled in accordance with applicable laws and regulations:

a) Personal information

Personal information means any kind of information about identified or identifiable natural persons that is recorded by electronic or other means. This means that “personal information” does not only mean information directly relating to a natural person, but also information which, when combined with other information, could be linked to a natural person. It should be noted that purely anonymous information is excluded from the scope of personal information.

Certain types of personal information which, if disclosed or used unlawfully, would likely injure the personal dignity of any natural person or cause serious harm to personal safety or property are identified as “sensitive personal information”. This information includes biometric identification, religious beliefs, specially identified status, medical health, financial account data, and individual location tracking. Additionally, all personal information of minors under the age of 14 is considered sensitive personal information, which is rather atypical in other jurisdictions. Handling sensitive personal information generally requires a higher level of protection.

In accordance with the Personal Information Protection Law, in order to provide the personal information of an individual (data subject) to a foreign recipient outside China, the personal information controller shall (i) inform the data subject of the name of the foreign recipient, its contact details, the purpose and method of processing, the type of personal information to be transferred, and the method and procedure by which the data subject can exercise his rights against the foreign recipient, and (ii) obtain the data subject’s explicit consent.

b) Important data

“Important data” is a concept unique to the PRC data protection regime. Important data was first proposed in the Cybersecurity Law published in November 2016; however, the term was not specifically defined, so it remained ambiguous for a time. With the release of the Outbound Data Transfer Security Assessment Measures, important data was clarified for the first time at a formal legislative level, as data which, once tampered with, destroyed, disclosed, obtained or used unlawfully, may endanger national security, economic functioning, social stability, public health and safety, etc.

This definition sets a very broad scope for what can be considered important data. It can cover geographic data, infrastructure data, energy-related data, network and network security data, statistical analysis data, military and defense data, advanced technologies, industrial data, etc. According to the Data Security Law, the National Data Security Coordination Mechanism will coordinate relevant departments to formulate catalogs of important data, which will serve as a guide to the more precise scope of important data for each industry.

c) Basic data

The Chinese concept of “basic data” is also unique among data protection regimes. Basic data was first proposed in the Data Security Law in 2021, which defines it as data concerning national security, lifelines of the national economy, important aspects of people’s livelihoods, major public interests, etc. According to the Data Security Law, basic data must be handled more strictly than important data. However, it should be clarified that at present, there are no other laws or regulations providing more details on basic data, nor other rules governing the processing of this data. It is likely that such specifications will be offered in the foreseeable future.

d) State secrets (outside the data protection regime)

The Data Security Law clearly states that state secrets are mainly regulated by the PRC Law on the Protection of State Secrets, which means that they are different from important data and basic data and that they fall outside the data protection regime. Any processing or transfer of data or information classified as state secrets must comply with state secrets laws and regulations.

III. Cross-border data transfers: recent changes in laws and regulations

a) Security assessment for outbound data transfers

The recently enacted Outbound Data Transfer Security Assessment Measures implement their higher-level laws, including the Data Security Law and the Personal Information Protection Law, by defining the standard situations in which outbound data transfers from China should be subject to a security assessment by the CAC and other government departments, and how the security assessment process works. In particular, the data controller must conduct a self-assessment and request a security assessment from the CAC through the local (provincial-level) cyberspace administration before making cross-border transfers of data in any of the following circumstances:

  1. The data processor transfers important data out of the PRC.
  2. A CIIO or processor processing the personal information of more than 100,000 individuals transfers personal information across borders.
  3. A data processor that has transferred the personal information of 100,000 individuals or the sensitive personal information of a total of 10,000 individuals overseas since January 1 of the previous year is transferring personal information overseas.
  4. The CAC may establish other circumstances that require a security assessment for cross-border transfers of personal information.

b) The model contract for the cross-border transfer of personal information

The CAC recently published an Exposure Draft on Standard Contract Provisions for Cross-Border Transfers of Personal Information, seeking public comment. Previously, the Personal Information Protection Law stipulated a few legal channels through which personal information collected in China could be transferred overseas, including the use of a model contract, to be prepared by the CAC. These draft provisions are therefore a good start. The exposure draft defines the situations applicable to cross-border transfers of personal information under a standard contract, which will generally be used in addition to the standard situation where the subcontractor must undergo a CAC security assessment before performing any data transfer out of China.

The provisions also provide that before resorting to a standard contract, a personal information impact study must first be carried out. However, neither the standard contract nor its provisions are yet in force. We suggest that data controllers start now to identify, taking into account the actual activities carried out by the parties involved, whether the model contract may be applicable, and also keep abreast of the publication of subsequent exposure drafts and the promulgation of the final version of the standard contract and its provisions.

IV. Takeaways

Given the new requirements arising from recently enacted laws and regulations, as well as trends that can be seen through recent exposure drafts, we have created the table below to help you determine the steps to take before proceeding with a cross-border transfer of data collected in China: