The Cyberspace Administration of China (CAC) recently published a welcome set of proposed rules that promote cross-border transfers of personal information. The proposed rules introduce important exemptions from the requirement to go through the mandatory transfer mechanisms (i.e., security assessment, personal information protection certification or standard contract clauses filing) under the PRC Personal Information Protection Law (PIPL) in order to transfer personal information to a recipient outside the territory of the PRC.*
The proposed rules signify an important shift in the CAC’s approach to cross-border data transfers and have the potential to significantly reduce the compliance burden for international financial institutions and further enhance the business environment for multinational companies operating in the PRC.
While it is unclear precisely when the CAC’s proposed rules will be finalised, some market participants anticipate that they could be finalised as soon as November 2023, before the end of the transition period for making standard contractual clauses filings.
This article provides a high-level overview of key aspects of the CAC’s proposed rules and their practical implications.
Visual flowchart: A visual flowchart summary of the CAC’s proposed rules is set out at the end of this article.
1. A recap of the PIPL and the mandatory transfer mechanisms under the PIPL
The importance of the exemptions introduced by the CAC’s proposed rules is best understood by first taking a quick recap of the PIPL and the mandatory transfer mechanisms under the PIPL.
a) What is the PIPL?
The PIPL creates a comprehensive legal and regulatory framework for the protection of personal information of individuals in the PRC. “Personal information” is broadly defined in the PIPL as information related to an identified or identifiable natural person recorded electronically or by other means but excludes anonymized information. The PIPL is primarily administered by the CAC, a PRC government agency that is actively involved in coordinating the protection of personal information and related supervision.
The PIPL primarily regulates the “processing” of personal information, a term which includes the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information. The PIPL requires personal information processors to, among other things, abide by a number of overarching principles (including the principles of legality, necessity, openness and transparency), provide information notices to individuals, obtain consents from individuals, conduct personal information protection impact assessments (Assessments), maintain proper records and adopt policies, procedures and compliance systems for the purposes of protecting personal information.
b) How does the PIPL regulate cross-border data transfers?
The PIPL regulates the transfer of personal information to a recipient outside the territory of the PRC (cross-border transfer). Article 38 of the PIPL provides that if a personal information processor wishes to effect a cross-border transfer of personal information, it must go through one of the following three mandatory transfer mechanisms under the PIPL:
- passing a security assessment conducted by the central CAC;
- obtaining a personal information protection certification from a specialized institution approved by the central CAC; or
- entering into an agreement with the offshore data recipient containing standard contract clauses published by the central CAC and filing such agreement and an accompanying Assessment with the relevant provincial CAC.
While a personal information processor is generally free to choose any one of these three mandatory transfer mechanisms, a CAC security assessment is mandatory in any of the following circumstances:
- the personal information processor has been designated as a “critical information infrastructure operator”;
- the personal information processor proposes to transfer “important data”;
- the personal information processor handles personal information of more than 1 million individuals;
- the personal information processor has cumulatively transferred personal information of over 100,000 individuals since 1 January of the prior year; or
- the personal information processor has cumulatively transferred sensitive personal information of over 10,000 individuals since 1 January of the prior year.
Going through a CAC security assessment is time-consuming and onerous. In practice, the mechanism for obtaining personal information protection certifications is still being developed and is awaiting the publication of the list of approved specialized institutions. Accordingly, personal information processors generally choose to file their standard contract clauses with the relevant provincial CAC unless a CAC security assessment is required.
2. How do the CAC’s proposed rules relax regulatory requirements for cross-border transfers of personal information?
The CAC’s proposed rules introduce important exemptions from the requirement to go through the mandatory transfer mechanisms (i.e., security assessment, personal information protection certification or standard contract clauses filing) in order to effect a cross-border transfer of personal information.
The exemptions under the CAC’s proposed rules can be broadly categorised into full and partial exemptions.
If a full exemption applies, then the cross-border transfer would not need to comply with any mandatory transfer mechanism under the PIPL.
If the partial exemption applies, then the cross-border transfer would not need to go through a CAC security assessment but may still need to comply with one of the other two mandatory transfer mechanisms under the PIPL (i.e., personal information protection certification or standard contract clauses filing).
3. What are the full exemptions under the CAC’s proposed rules?
The following cross-border transfers would not need to comply with any mandatory transfer mechanisms under the PIPL:
a) Less than 10,000 individuals in a year
This full exemption applies where the personal information processor estimates that it will make cross-border transfers of less than 10,000 individuals’ personal information within the following one-year period.
This exemption appears to be based on the estimated number of individuals whose personal information will actually be transferred on a cross-border basis in the following one-year period, as opposed to the total number of individuals whose personal information is/will be held or processed by the personal information processor.
There remains some uncertainty regarding the precise methodology and timeframe for counting 10,000 individuals. For example, the CAC’s proposed rules do not provide whether individuals whose personal information falls within one of the other full exemptions (e.g., one of the necessity-based exemptions described below) will be counted towards the 10,000 number. A number of market participants believe that those individuals should not be counted towards the 10,000 number. The starting date for the one-year period is also not specified in the CAC’s proposed rules, although we expect it to be from 1 January to 31 December.
Which companies might benefit from this exemption? Although 10,000 individuals appears to be a rather low number, this exemption might be quite useful to financial institutions that primarily serve corporate (as opposed to retail) clients in the PRC. This is because these financial institutions would usually only transfer personal information belonging to a limited number of key employees and officers at their corporate clients.
b) Personal information not collected in the PRC
This full exemption applies in relation to personal information that is not collected in the PRC.
This exemption is potentially useful to a PRC-based personal information processor that receives and processes personal information originally collected outside of the PRC and then transfers such information on a cross-border basis.
c) No personal information and no important data
This full exemption applies in relation to data generated in the course of international trade, academic cooperation, cross-border production or manufacturing, marketing or other activities which does not contain any personal information or important data.
This exemption helpfully clarifies that the presence of personal information or important data in the data to be transferred on a cross-border basis is an important trigger for the potential application of the mandatory transfer mechanisms under the PIPL. In the absence of personal information or important data, the mandatory transfer mechanisms would not be triggered.
d) Three separate necessity-based exemptions
The CAC’s proposed rules contain three separate full exemptions where the cross-border transfer of personal information by a personal information processor:
- is “necessary” for concluding or performing under a contract to which an individual is a party, such as cross-border purchases, remittance, travel reservation or visa processing (necessary under contract exemption);
- belongs to its employees and is “necessary” for human resources management activities that are lawfully carried out in accordance with applicable labour regulations and collective labour contracts (necessary for HR management exemption); or
- is “necessary” in an emergency in order to protect the life and health of individuals or the safety of property (necessary in an emergency exemption).
These necessity-based exemptions mirror the situations set out in Articles 13(2) and 13(4) of the PIPL where an individual’s consent is not required to be obtained in order for their personal information to be processed because the relevant necessity-based test is satisfied. Therefore, we expect the key term “necessary” used in these proposed exemptions will be interpreted and applied in a similar manner as in the context of Articles 13(2) and 13(4) of the PIPL. In the context of Articles 13(2) and 13(4) of the PIPL, the necessity-based test essentially requires that, without the personal information in question, the relevant contract or human resources management activity cannot be carried out at all or can only be carried out at a significant additional cost.
In terms of the ‘necessary under contract exemption’, the CAC’s proposed rules use the phrase “such as” and list cross-border purchases, remittance, travel reservation and visa processing as non-exhaustive examples. This means that the cross-border transfer of personal information that is necessary for concluding or performing under other types of contracts with an individual (such as contracts for the provision of financial services) may also qualify for this full exemption.
e) Not on a free trade zone negative list
The CAC’s proposed rules allow a free trade zone in the PRC to, subject to CAC approval, formulate its own “negative list” of cross-border transfers that will be subject to the mandatory transfer mechanisms under the PIPL. Cross-border transfers of personal information that fall outside the “negative list” would not need to comply with any mandatory transfer mechanisms.
There are currently over 20 free trade zones in the PRC, including in major cities such as Beijing and Shanghai as well as in the Greater Bay Area. The precise parameters and scope of application of a free trade zone’s “negative list” remain to be seen. For example, it is presently unclear whether the proposed negative list-based exemption would apply to:
- personal information collected anywhere in the PRC as long as the personal information processor is established in the relevant free trade zone;
- personal information collected within the relevant free trade zone, regardless of where the personal information processor is established; or
- some other scope of application standard that connects the personal information and/or the personal information processor with the relevant free trade zone.
Previously, a number of free trade zones in the PRC have introduced pilot measures on cross-border data transfers that adopted a “positive list” model. The more user-friendly “negative list” model in the CAC’s proposed rules reflects a more flexible and open approach to cross-border transfers of personal information.
4. What is the partial exemption under the CAC’s proposed rules?
Under the partial exemption, cross-border transfers that meet each of the conditions described in (a) and (b) below would not need to go through a CAC security assessment.
a) Not declared by the PRC government as “important data”
The data subject to the cross-border transfer has not been publicly declared or notified by a relevant PRC government department or region as “important data”.
Under existing personal information / data protection rules in the PRC, the concept of “important data” is broadly defined to include, among other things, data the leakage, tampering, sabotage, unlawful possession or use of which may endanger national security or public interest of the PRC. This definition is difficult to apply in practice and has created much uncertainty for personal information processors because of the requirement that all cross-border transfers of “important data” must go through a CAC security assessment.
Against this backdrop, the CAC’s proposed rules helpfully clarify that, for the purpose of the CAC security assessment requirement, “important data” is limited to data that has been publicly declared or notified by a relevant PRC government department or region as “important data”. In practice, it means that in the absence of an applicable declaration or notification, the personal information processor can safely assume that the information proposed to be transferred on a cross-border basis does not contain “important data”.
AND
b) Less than 1 million individuals in a year
The personal information processor estimates that personal information of less than 1 million (but more than 10,000) individuals will be transferred on a cross-border basis within the following one-year period.
Having been exempted from the CAC security assessment, where the personal information processor chooses the mandatory transfer mechanism which involves filing standard contract clauses with the CAC, it can make the filing with the relevant provincial CAC instead of the central CAC.
As with the ‘less than 10,000 individuals in a year’ exemption described above, the 1 million number appears to be based on the estimated number of individuals whose personal information will actually be transferred on a cross-border basis in the following one-year period, as opposed to the total number of individuals whose personal information is/will be held, handled or processed by the personal information processor. In contrast, under existing rules, if a personal information processor handles personal information of more than 1 million individuals, it must go through a CAC security assessment.
The CAC’s proposed rules do not distinguish between sensitive personal information and other types of personal information, unlike the existing rules (described above) which set a lower threshold for transfers of sensitive personal information of a large number of individuals.
As with the ‘less than 10,000 individuals in a year’ exemption described above, there remains some uncertainty regarding the precise methodology and timeframe for counting 1 million individuals. For example, the CAC’s proposed rules do not expressly state whether individuals whose personal information falls within one of the other full exemptions will be counted towards the 1 million number. A number of market participants believe that those individuals should not be counted towards the 1 million number. The starting date for the one-year period is not specified in the CAC’s proposed rules, although we expect it to be from 1 January to 31 December.
Which companies might benefit from the partial exemption?
Although 1 million individuals appears to be quite a low number in the context of a country that has a population of over 1.4 billion people, the partial exemption might still be quite useful to financial institutions that have a substantial but not extremely large retail presence in the PRC. This is because these financial institutions might not actually transfer on a cross-border basis “important data” that has been designated by the PRC government as such or personal information of more than 1 million individuals during a one-year period. By relying on the partial exemption, these financial institutions would not need to go through a CAC security assessment, which is time-consuming and onerous.
5. Do other requirements in the PIPL still apply?
The CAC’s proposed rules are focused on full and partial exemptions from the mandatory transfer mechanisms under the PIPL. The proposed rules would not relax compliance with other requirements in the PIPL, such as providing information notices, obtaining consents from individuals, conducting Assessments, maintaining proper records and adopting policies, procedures and compliance systems for the purposes of protecting personal information. The data protection, cybersecurity and related legal obligations under other PRC laws and regulations are also not relaxed by the CAC’s proposed rules.
6. Visual flowchart
The following flowchart provides a high-level visual overview of key aspects of the CAC’s proposed rules.
Flowchart: CAC's proposed rules on promoting cross-border data transfers
7. Where can we learn more about the CAC’s proposed rules and the PIPL?
We at KWM are here to help you. KWM’s cross-border and multi-disciplinary team of bilingual partners and lawyers regularly assists global financial institutions and corporates on a wide range of privacy, cybersecurity and data protection-related issues in the regulatory, advisory and transactional contexts.
We are familiar with the rules and practices relating to privacy, cybersecurity and data protection in the PRC, Hong Kong and other major jurisdictions and would be pleased to share our insights with you.
In particular, we would be delighted to discuss with you how your existing PIPL compliance strategy might be impacted by the CAC’s proposed rules.
Please feel free to contact our core team members below.
* For purposes of this document, “Hong Kong” means “Hong Kong Special Administrative Region of the People's Republic of China”, and any reference made to “Chinese Mainland”, “onshore” or “PRC” shall be construed as excluding Hong Kong, Macau Special Administrative Region and Taiwan.