In our latest update we share developments in two critically important areas: data security and regulatory oversight (including of financial services).
First, data security. This is one of the hottest legislative areas in China in recent years. Regulators are building strong guardrails around personal information to protect it from misuse and abuse. The latest regulatory shift clarifies and simplifies the process for personal information processors transferring relatively small amounts of personal data offshore (unless it relates to critical infrastructure). This is particularly relevant for multinational companies doing business in China, which should reassess personal information handling to stay compliant and avoid any mishaps.
Separately, the State Council has restructured several ministries and regulatory bodies as it works to modernize the country’s governance structure. This includes reshaping financial regulatory oversight, boosting self-reliance in science and technology, and the creation of a National Data Bureau. These changes will have far-reaching impacts on China's economic and social development.
Read on for further details. Our experts are closely watching the market and sharing our insights.
Data security: Another building block for the legal regime of outbound transfer of personal information from China is falling into place as China finalizes the “standard contract” option for certain entities
On February 24, 2023, the Cyberspace Administration of China (CAC) issued Measures for the Standard Contract for Overseas Transfer of Personal Information (the Measures). This sets out specific terms of a standard contract (the Standard Contract), as one of the permissible means of transferring personal information pertaining to Chinese individuals overseas, and will become effective from June 1, 2023.
The Standard Contract option effectively introduces a lower hurdle for eligible personal information processors transferring personal information offshore. The Standard Contract imposes only a filing requirement, as compared to the case-by-case and regulator-led “security assessment” required for critical information infrastructure operators and certain personal information processors handling a large volume of data (for example, those processing the data of more than 1 million Chinese individuals).
An information processor meeting the criteria below will only need to enter the Standard Contract with the overseas data recipients; conducting its own personal information protection impact assessment (PIPIA) and making required filing ex post facto. Key provisions of the Measures include:
1. Who can use the Standard Contract. A personal information processor qualifies to transfer personal information abroad by entering into the Standard Contract if it:
(a) is not an operator of critical information infrastructure
(b) processes personal information of fewer than 1 million individuals
(c) has accumulatively transferred personal information of less than 100,000 individuals overseas since January 1 of the previous year, and
(d) has accumulatively transferred sensitive personal information of fewer than 10,000 individuals overseas since January 1 of the previous year.
2. Key terms of the Standard Contract. A personal information processor which transfers personal information abroad may enter into other terms with the foreign recipient, but such other terms shall not conflict with the Standard Contract. The Standard Contract provides sample clauses to guide the personal information overseas transfer activities, including the obligations of the personal information processors and foreign recipients, the impact on the performance of the contract imposed by personal information protection regulations of the foreign recipient’s country, the rights of the individual to which the personal information is belonged, the choice of governing law and dispute resolution, termination, and remedies and recourses.
3. PIPIA and filing requirements. A personal information processor is required to conduct its own PIPIA before the cross-border transfer. An evaluation report, together with the executed Standard Contract must be filed with the provincial-level branch of the CAC within 10 business days after the Standard Contract’s execution and effectiveness.
4. Rectification period. Personal information processors conducting any cross-border transfer activities prior to the effective date of the Measures will be given a 6-month grace period to rectify and become fully compliant with the Measures.
As China continues to march towards digitalization of its economy, regulators are building strong guardrails around personal information to protect it from misuse and abuse, including those from abroad. Multinational companies doing business in China should stay vigilant of this legal development and reassess personal information handling processes to stay compliant and avoid any mishaps.
Regulatory overhaul: National People’s Congress approved major restructuring and shake-ups of China’s State Council institutions
On March 10, 2023, the first session of the 14th National People’s Congress approved a restructuring plan of State Council institutions (the Plan). The Plan aims to consolidate duties and responsibilities for various ministries while ensuring more efficient governance in key areas, such as science and technology, financial supervision, data management, rural revitalization, intellectual property rights protection and elderly care. The following are the highlights of the Plan:
1. Restructuring the Ministry of Science and Technology. Facing fierce international competition, the restructuring of the Ministry of Science and Technology is in line with the state’s priority to bolster self-reliance in science and technology and to make technological breakthroughs. The Ministry will focus on promoting science and technology innovation and application and optimizing resource allocation to better coordinate research with economic and social development. The Ministry’s functions in strategic planning, institutional reform and policy formulations will also be strengthened.
2. Reshaping the financial regulatory oversight.
(a) To enhance financial supervision, a National Financial Regulatory Administration (NFRA) will be set up directly under the State Council to regulate the financial industry except for securities regulations, which will remain under the jurisdiction of the China Securities Regulatory Commission (CSRC). The China Banking and Insurance Regulatory Commission (CBIRC) will be dissolved and absorbed into NFRA. The scope of NFRA’s regulatory jurisdiction will be expanded to incorporate some duties of the People's Bank of China (PBOC) and CSRC, such as financial holding company supervision, financial consumer protection, and investor protection. CSRC will also become directly managed and supervised by the State Council. Regulations of corporate bond issuance will be transferred to CSRC from the National Development and Reform Commission.
(b) PBOC’s local branches will also be restructured to provide its central office with a greater allocation of power. In accordance with the Plan, state funds will be managed by entrusted institutions authorized by the State Council.
3. Establishing a National Data Bureau. The newly formed National Data Bureau, administered by the National Development and Reform Commission, will be responsible for promoting development and utilization of digital infrastructure, digital resources and data-related economy. The Bureau will expand to cover responsibilities previously under the Office of the Central Cybersecurity Commission, such as coordinating the development and information sharing across different industries.
4. Improving the management mechanism for intellectual property rights. The China National Intellectual Property Administration (CNIPA), currently administered by the State Administration for Market Regulation, will shift to become an institution directly under the State Council. CNIPA will become a vice-ministerial-level state agency in order to enhance its duties on promotion of intellectual property rights creation, application, management and protection.
The Plan also touches upon certain key domestic social areas such as agriculture and rural affairs, elderly-care and public petitioning.
