Notes for MNCs on New Rules of PRC Cross-border Data Transfer

Introduction

In recent years, the rules on cross-border data transmission have been a constant concern of MNCs. The Measures for the Security Assessment of Cross-border Data Transmission, the Measures for the Standard Contract for the Cross-border Transmission of Personal Information, and other relevant regulations released during 2022 – 2023 provide MNCs with an outline as to how security assessments, filings of standard contract or personal information protection certification (“Three Mechanisms for Cross-border Data Transmission”) would be implemented. However, the Three Mechanisms for Cross-border Data Transmission also imposed a heavy compliance burden on MNCs.

Further clarifications were issued on 22 March 2024, when the Cyberspace Administration of China (“CAC”) released the Provisions on Promoting and Regulating Cross-border Data Transmission (“New Regulation on Cross-border Data Transmission”), together with the Guidelines on Declaring for the Security Assessment of Cross-border Data Transmission (Second Version) and the Guidelines on Filing of the Standard Contract for the Cross-border Transmission of Personal Information (Second Version) (collectively, “New Guidelines on Cross-border Data Transmission”).

The New Regulation on Cross-border Data Transmission provides exemptions from some of the heaviest burdens of the Three Mechanisms for Cross-border Data Transmission, both under specific scenarios and from a quantitative perspective. The New Guidelines on Cross-border Data Transmission clarify and simplify the methods, procedures and materials required for making an application for a security assessment and the filing of the standard contract.

The New Regulation on Cross-border Data Transmission provides an updated process that will facilitate cross-border data transmissions. This will, to a certain extent, simplify matters for MNCs when they carry out cross-border data transmission activities in their daily operations.

The main issues MNCs need to be aware of under the New Regulation on Cross-border Data Transmission are as follows:

Understanding of Keywords

1. Keywords - Exemptions

The New Regulation on Cross-border Data Transmission specifies that the exemption from the Three Mechanisms for Cross-border Data Transmission can be sought under the following circumstances:

(1) Data that does not contain personal information (“PI”) or important data and is transmitted in the course of international trade, cross-border transport, academic cooperation, transnational manufacturing and marketing, etc.[1]

This provision reaffirms China’s regulatory approach to cross-border data transmission. In addition to PI and important data (please refer to our explanation below at Point 6), data closely related to national security such as core data, state secrets, and data regulated under specific industry sectors will still fall under the framework of cross-border data transmission regulation and be off-limits. Such sensitive data is only allowed to be transmitted overseas if allowed under specific relevant laws and regulations.

(2) Data transmission without domestic PI or important data[2]

In this case, where PI is collected and generated overseas and is transmitted into China for processing, such processing shall not include any domestic PI or important data. This exemption is beneficial for MNCs who operate data centers in China. Naturally, overseas jurisdictions may have concerns about their PI or important data being processed in China and such transmissions may well be subject to strict requirements.

(3) Scenario criteria for exemptions

The New Regulation on Cross-Border Data Transmission provides three specific scenarios where an exemption from the Three Mechanisms for Cross-border Data Transmission can be sought:

  • The transmission of PI overseas is required to conclude or perform a contract in which an individual is a party. This may include cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket purchase, hotel reservation, visa handling and academic examination services;
  • Transmission of employees’ PI overseas is required for cross-border HR management in accordance with the internal labor policies or collective contracts that are formulated or concluded in accordance with relevant laws;
  • In case of emergency, it is necessary to transmit PI overseas to protect the life, health or property safety of a natural person[3].

(4) Quantitative criteria for the exemption

Data processors (a term under PRC law, similar to “data controller” under GDPR) which do not fall within the ambit of critical information infrastructure operators (CIIO) and which transmit overseas the PI of less than 100,000 individuals annually[4] are granted an exemption from the Three Mechanisms for Cross-border Data Transmission, provided that no sensitive PI (“SPI”) is involved in such transmission.

2. Keywords - Human Resource Management

If an MNC has “internal labor policies formulated in accordance with laws and collective contracts concluded in accordance with relevant laws” which justify “transmitting employees’ PI overseas”, then such MNC is exempt from the Three Mechanisms for Cross-border Data Transmission.

In practice, MNCs commonly transmit PI around the world for HR management purposes. When applying for this exemption, MNCs need to keep in mind that formality requirements (i.e. internal labor policy) must be in place.

FAQ No.1 - How to interpret “formulated in accordance with laws” and “concluded in accordance with laws”?

The labor policies formulated in accordance with laws refer to policies that have been discussed with the workforce and negotiated according to law.

According to Chinese labor laws, when a company formulates, amends, or decides on regulations or significant matters concerning employees’ interests, such matters shall be discussed with the employee congress or all employees so that employees can provide their opinion. This will be determined through equal negotiation between the company and trade union or employee representatives (but there is no need for approval of the trade union, employee representatives, or all employees)[5].

Collective contracts are contracts that have been discussed and approved by the employee congress or all employees and have become effective after approval by competent labor administrations[6].

In practice, most MNCs have internal labor policies (e.g. employee handbook) and such policies have undergone the required procedures. However, such policies may not have sufficient or sufficiently specific content to justify cross-border transmission of employees’ PI. Few MNCs have collective labor contracts in place.

As such, MNCs should review existing labor policies to confirm the formality requirements for the exemption have been met.

FAQ No.2 – Are the internal labor policies and collective labor contracts both required at the same time?

No.

In short, it is widely considered that data processors (including MNCs) may choose to incorporate the contents justifying cross-border transmission of employees’ PI either in the labor policies or the collective labor contracts. 

FAQ No.3 – Can the labor policies be retrospective?

Yes.

This question is of particular concern as many MNCs are worried that they have transmitted PI in past years without satisfying the formality requirements for an exemption.

Although not clarified by CAC in writing, our consultations with CAC indicated that past infringements are likely to be tolerated provided the policies are “rectified” now.

3. Keywords - Necessary for Contract Performance

Article 5 paragraph 1 of the New Regulation on Cross-border Data Transmission specifies scenarios where PI is transmitted overseas as part of an individual concluding or performing a contract. These include cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket purchase, hotel reservation, visa handling and academic examination services. In such scenarios data processors can be exempted from the Three Mechanisms for Cross-border Data Transmission[7].

It is worth noting that, to apply for this exemption, the purpose and ambit of PI transmitted overseas must be strictly necessary to perform the contract. For example, in the case of a cross-border delivery, relevant PI would include name, contact information and address, as this would need to be collected by logistics companies to enable customs clearance and delivery. However, PI such as educational background, marriage status of the consignor/consignee etc. would not be.

4. Keywords - Sensitive Personal Information (SPI)

Compared to rules on cross-border data transmission that have been previously released, the New Regulation on Cross-border Data Transmission strengthens the administration of the export of SPI.

If an MNC wishes to apply for a quantitative exemption, then such MNC would not be able to transmit any SPI (theoretically even one piece).

MNCs engaged in B2B usually upload contact information of customers, suppliers, partners, and other enterprises into globally deployed systems (such as a global CRM system).

In such cases, we recommend MNCs avoid transmitting SPI when seeking a quantitative exemption from the Three Mechanisms for Cross-border Data Transmission.

For MNCs engaging in B2C, their business will likely involve the transmission of consumer PI. An example, in the automotive industry, is that the precise location information of users may be transmitted overseas for purposes of vehicle maintenance or remote diagnostics. Additionally, in the context of widespread application of autonomous driving functions, many SPI collected by internal and external sensors, such as facial and voice recognition data, may be transmitted to MNCs’ overseas research or testing centers for testing. In the cosmetics industry, consumers’ facial information and other SPI may be transmitted overseas for skin quality tests or virtual makeup trials to MNCs’ technical centers located outside China.

In such cases, MNCs should first verify whether the cross-border data transmission could be avoided by adopting a technical solution within China. If it is indeed necessary to transmit data overseas, then MNCs need to carefully map the transmission activities (including the involved types of PI, categories of PI subjects, volume, etc.) and analyze which of the Three Mechanisms for Cross-border Data Transmission is triggered.

5. Keywords - Extra-territorial Effect

Article 3 paragraph 2 of the Personal Information Protection Law (“PIPL”) is known as the “extra-territorial effect” clause. This clause intends to grant the Chinese government a long-arm jurisdictional reach over the processing of PI of Chinese resident natural persons which occurs overseas.

The New Guidelines on Cross-border Data Transmission imply that cases which trigger extra-territorial effect under the PIPL will need to follow the cross-border data transmission rules.

However, it is still unclear how the Three Mechanisms for Cross-border Data Transmission could apply to the circumstances of extra-territorial effect. This is particularly so in regard to the preparation of application documents (e.g. the data transmission agreement) under the Three Mechanisms for Cross-border Data Transmission.

6. Keywords - Important Data

Important data is a codified concept under PRC law which refers to data that, if tampered with, destroyed, leaked, illegally obtained, or illegally used, could endanger national security, economic operation, social stability, public health, and security, etc. The New Regulation on Cross-border Data Transmission does not provide any exemptions for the transmission of important data.

Based on our observations, MNCs, particularly those in specific industries such as automotive, pharmaceutical, and finance, are far more likely to handle important data in their business operations than others. Taking the automotive industry as an example, according to the Several Provisions on Automotive Data Security Management (for Trial Implementation), “PI involving more than 100,000 individuals”[8] constitutes important data. If an MNC transmits PI of more than 100,000 individuals (e.g. VIN codes under the automotive industry) overseas, this would constitute a cross-border transmission of important data, and therefore the exemptions provided under the New Regulation on Cross-border Data Transmission would not apply.

The New Regulation on Cross-border Data Transmission clarifies that “if the data have not been informed or publicly announced as important data by relevant departments or regions, data processors are not required to conduct security assessment for transmitting important data”. This clarification to some extent alleviates the obligation to conduct a security assessment for cross-border transmission of important data. However, MNCs are strongly recommended to closely monitor developments as to how the PRC government classifies information as being important data.

7. Keywords - CIIO

Critical information infrastructure is a codified concept under PRC law which refers to important network facilities and information systems in key industries and fields such as public telecommunications, information services, energy, transportation, water conservancy, finance, public services, e-government and national defense science, technology and industry, and other important network facilities and information systems etc. This critical infrastructure, if damaged or if it experiences a loss of function or a leakage of data, could result in serious damage to China’s national security, the national economy or people’s livelihood or the public interest[9]. Operators of such critical information infrastructure are referred to as CIIOs.

According to the Security Protection Regulations for Critical Information Infrastructure, the relevant authorities will identify critical information infrastructure in specific industries and fields and notify the CIIOs[10]. Currently, “whether notified by the relevant authorities” is the main basis for an MNC to determine whether it has been categorized as a CIIO. CAC expressed a similar view in a press conference regarding the New Regulation on Cross-border Data Transmission.

According to the New Regulation on Cross-border Data Transmission, in principle, any cross-border transmission of PI or important data by a CIIO will require a security assessment. However, it is worth noting that the exemptions under the scenario criteria may still apply to CIIOs.

8. Keywords - Free Trade Zones

The New Regulation on Cross-border Data Transmission allows free trade zones to develop a “negative list” for data that must follow one of the Three Mechanisms for Cross-border Data Transmission within the framework of the national data classification and grading system. This negative list will need to be approved by the provincial cybersecurity and information technology commission and filed with the CAC and the national data management department before implementation[11].

The New Regulation on Cross-border Data Transmission specifies that the preferential policies for cross-border data transmission in free trade zones only apply to data processors within free trade zones. In the future, MNCs outside of free trade zones which wish to enjoy similar policies may consider setting up legal entities in free trade zones which can then serve as data transmission centers.

At present, no negative list has been published for cross-border data transmission. However, MNCs would be wise to follow progress in this regard.

Our Recommendations

The New Regulation on Cross-border Data Transmission does provide advantages, certainty and flexibility for MNCs and their data in China and abroad. We believe this is now an appropriate time for MNCs to move forward with compliance policies and programs in respect of cross-border data transmission.

In particular, MNCs are recommended to:

1. Optimize cross-border data transmission strategies. The New Regulation on Cross-border Data Transmission provides multiple possibilities for exemptions from the Three Mechanisms for Cross-border Data Transmission. MNCs should carefully assess current scenarios in which they wish to engage in cross-border data transmission and analyze to what extent exemptions could be sought. MNCs may need to reduce the volume of PI transmission or exclude SPI from transmissions in order to obtain an exemption.

2. MNCs that have not yet initiated the Three Mechanisms for Cross-border Data Transmission should assess applicable mechanisms and initiate ASAP. Many MNCs were waiting for new regulations before conducting data mapping or updating their previous data mapping results. Now is the time to conduct such exercises but also to consider whether under the New Regulation on Cross-border Data Transmission, there is a possibility for an exemption from the most onerous of the Three Mechanisms for Cross-border Data Transmission’s obligations. If an exemption is not possible, MNCs will need to assess which mechanism applies and fulfill their corresponding obligations. MNCs will need to retain internal written materials for future reference to evidence why an exemption applied. The New Guidelines on Cross-border Data Transmission have simplified procedures for security assessment and use of a standard contract. Even if MNCs need to conduct a security assessment or filing of the standard contract for cross-border transmission of PI, with professional guidance and adequate preparation, MNCs may still work out how to undergo such government procedures.

3. MNCs currently conducting the Three Mechanisms for Cross-border Data Transmission need to assess whether to adjust their mechanism. MNCs that are in the process of undergoing one of the Three Mechanisms for Cross-border Data Transmission can decide whether to adjust or withdraw their application based on their actual situation, such as switching from security assessment to filing of standard contract/PI protection certification or withdrawing their application altogether.

4. Fulfill necessary compliance obligations. Regardless of whether MNCs are exempted from the Three Mechanisms for Cross-border Data Transmission under the New Regulation on Cross-border Data Transmission, MNCs would still need to fulfill their general compliance obligations for cross-border transmission of PI in accordance with the PIPL. This will include notification and obtaining relevant consents, conducting PI protection impact assessments, implementing security measures, and signing data processing agreements etc.

Thanks to Shan Wenyu, Mi Hualin, Xu Hongyu and interns Ye Ying and Meng Zexuan for their contributions to this article.

Reference

  • [1] Article 3 of the Provisions on Promoting and Regulating Cross-Border Data Transmission.
  • [2] Article 4 of the Provisions on Promoting and Regulating Cross-Border Data Transmission.
  • [3] Paragraphs 1 to 3 of Article 5 of the Provisions on Promoting and Regulating Cross-Border Data Transmission.
  • [4] Article 4 of the Provisions on Promoting and Regulating Cross-Border Data Transmission.
  • [5] Article 4 of the Labor Contract Law.
  • [6] Article 54 of the Labor Contract Law.
  • [7] Article 5 of the Provisions on Promoting and Regulating Cross-Border Data Transmission.
  • [8] Article 3 of the Several Provisions on Automotive Data Security Management (for Trial Implementation).
  • [9] Article 2 of the Security Protection Regulations for Critical Information Infrastructure.
  • [10] Article 10 of the Security Protection Regulations for Critical Information Infrastructure.
  • [11] Article 6 of the Provisions on Promoting and Regulating Cross-Border Data Transmission.
