We are a foreign company operating in China. How should we deal with the cross-border provision of personal information in accordance with the Personal Information Protection Act?

Answer: Many businesses now communicate closely with offshore customers, suppliers or parent companies. The manager of a business may talk to the parent company about an employee who is ill and calls in sick, or may report a client’s personal issue. This potentially involves the cross-border provision of personal information. The Personal Information Protection Act requires companies in China to follow one of three pathways when providing personal information outside of China.

 

The first pathway for outbound data transfer is the security assessment route. This is the route for large personal information processors. According to the Data Outbound Transferring Security Assessment Approach, this approach applies to information processors that provide important data (data related to national security) abroad,[1] operators of critical information infrastructures, information processors that process the personal information of more than one million individuals, or information processors that have cumulatively provided the personal information of more than 100,000 individuals or the sensitive personal information of more than 10,000 individuals abroad from 2021 to date.[2] These information processors must file an information security assessment with a Chinese cyber security department. The specific application methods and review criteria are set out in the Data Outbound Transferring Security Assessment Method.

 

Compliance with this pathway must be completed by the end of February 2023 in accordance with Article 20 of the Data Outbound Transferring Security Assessment Methodology.

 

The second pathway is the standard contractual route for personal information. This is the route suitable for the vast majority of SMEs. According to State Internet Information Office Decree No. 13 of 2022, the standard contractual pathway for outbound transfer of personal information applies to the vast majority of foreign companies in China as well as domestic companies. These companies are all the processors of personal information other than those covered by the first (security assessment) route: processors that provide non-critical data outside of China, operators that are not critical information infrastructure operators, processors that handle the personal information of fewer than 1 million individuals, and processors that have provided the personal information of fewer than 100,000 individuals or the sensitive personal information of fewer than 10,000 individuals outside of China in aggregate from 2021 to date.

 

Article 3 of the Rules of Standard Contract for the Export of Personal Information states that “the principle of combining independent contracting and record management shall be adhered to”, but Article 6 clearly states that “the export of personal information shall not be carried out until after the standard contract has entered into force”. Therefore, it appears that all companies including foreign companies that need to provide personal information outside of China must enter into a standard form contract provided by the Chinese government with overseas data recipients or a contract modified from that standard contract. For details, see How should we, as a company doing business with foreign countries, enter into and conduct registration for a standard contract for personal information?

 

The third pathway is the personal information protection certification pathway. According to the Implementation Rules for Personal Information Protection Certification attached to the Announcement on the Implementation of Personal Information Protection Certification issued by the State Administration of Market Supervision and Administration and the State Internet Information Office No. 37 of 2022, the government encourages all personal information processors (i.e. all foreign and domestic enterprises) to apply for personal information protection certification. This certification management model includes technical verification, on-site audits and post-issuance monitoring. This pathway is clearly voluntary in nature.

 

At the moment the Act is just starting to be implemented, and some questions still need to be clarified through further rule making or concrete implementation. For example, it is unclear whether this third pathway can replace the second pathway. Article 38 of the Personal Information Protection Act apparently treats this pathway as an optional parallel to the first and second pathways, but the second pathway, the Standard Contract pathway for outbound transfer of Personal Information, provides that the conclusion of a standard contract for the outbound transfer is mandatory. This requires follow-up observation.[3]

  • 1
    2022 State Internet Information Office Decree No. 11 Measures on Data Outbound Transferring Security Assessment, Article 19 The important data referred to in these measures refers to data that may endanger national security, economic operation, social stability, public health and safety once it is tampered with, destroyed, leaked or illegally accessed or illegally used.
  • 2
    Article 4 of the “Measures for Security Assessment of Data Outbound Transfer” stipulates that if a data processor provides data to overseas entities and falls under any of the following circumstances, they shall submit a data outbound-transfer security assessment to the provincial-level cyberspace administration and report it to the national cyberspace administration:  (1) The data processor provides significant data to overseas entities. (2) Operators of critical information infrastructure and data processors handling personal information of more than one million individuals provide personal information to overseas entities. (3) Data processors who have provided personal information to overseas entities totaling 100,000 individuals or sensitive personal information to 10,000 individuals since January 1 of the previous year. (4) Other circumstances specified by the national cyberspace administration that require the submission of a data outbound-transfer security assessment.
  • 3
    Zhang Jinping, “On the Relationship between Outbound Certification of Personal Information and Security Assessment and Standard Contracts”, Associate Professor, Central University of Finance and Economics, China Information Security Magazine, Issue 12, 2022, The relationship between the security certification of cross-border