In our last update, we described the Measures for the Standard Contract for Outbound Transfer of Personal Information (the Standard Contract Measures) newly issued by the Cyberspace Administration of China (CAC), which marks the finalization of all three main options for outbound data transfer under the PRC Personal Information Protection Law (the PIPL), i.e., security assessment, personal information protection certification, and standard contract.
On March 23, 2023, CAC further issued the Provisions on Administrative Law Enforcement Procedures of Cyberspace Administration (the Provisions) (to become effective on June 1, 2023), which specify the scope of administrative and legal enforcement by cyberspace administrations, the case filing system and standards, and case processing procedures and time limits, providing a critical legal framework for law enforcement in the field of data compliance.
The promulgation of the Provisions shows that the cyberspace administrations are preparing for enforcement. In this update, we provide an overview and recap of the three main options for outbound transfer of personal information under the PIPL:
1. Security Assessment
- Who should apply for security assessment? Security assessments are mandatory for critical information infrastructure operators and any personal information processor who (1) processes personal information of more than 1 million individuals, (2) has cumulatively transferred personal information of more than 100,000 individuals overseas since January 1 of the previous year, or (3) has cumulatively transferred sensitive personal information of more than 10,000 individuals overseas since January 1 of the previous year.
- How the mechanism works. The above entities need to prepare and submit the required materials to the provincial cyberspace administrations for review, and obtain approval for outbound data transfer.
- What is the current practice? The Measures for the Security Assessment of Outbound Data Transfer have been in effect for over six months, and thus the six-month grace period for rectification has expired. Many companies have started to apply for security assessment, and there have been cases where such applications have been successfully approved.
2. Personal Information Protection Certification
- Who can apply for personal information protection certification? Personal information processors who do not meet the above triggering conditions for security assessment may either voluntarily apply for personal information protection certification or use a standard contract to legally transfer data overseas. Between the two, personal information protection certification mainly applies to cross-border transfers of personal information within multinational companies (MNCs) or subsidiaries or affiliates of the same business entity with relatively stable business relationships.
- How the mechanism works. CAC and the State Administration for Market Regulation issued the Implementing Rules for Personal Information Protection Certification on November 4, 2022, and designated the China Cybersecurity Review Technology and Certification Center (CCRC) as the certification body issuing the certificate. Specific certification procedures and materials are to be specified by CCRC.
- What is the current practice? At present, personal information protection certification has not been extensively carried out across the nation, and the significance of the certification approach remains to be seen.
3. Standard Contract
- Who can use the standard contract? For personal information processors who do not meet the triggering conditions for security assessment, the standard contract is the most popular and convenient option in practice.
- How the mechanism works. The personal information processor shall enter into a standard contract issued by CAC with the overseas recipient, and the executed contract shall be filed with the provincial cyberspace administration.
- What is the current practice? When CAC was still requesting public comments on the Standard Contract Measures, some companies had already negotiated and executed contracts with overseas recipients using the contract template attached to the draft Standard Contract Measures. The Standard Contract Measures will become effective on June 1, 2023, and provide a six-month rectification period similar to that for security assessment. Companies that use a standard contract but do not meet the requirements should rectify and execute a satisfactory standard contract by November 30, 2023.
Considering the increasingly stringent regulatory trend in data security, it is recommended that companies establish and improve their internal data compliance system as soon as possible, choose the appropriate option for outbound data transfers, and ensure compliance with applicable legal requirements.