Supervision on PI Outbound Transfer Taking Shape

2022-07-18


The Cyberspace Administration of China issued the draft Provisions on Standard Contracts for Cross-border Transfers of Personal Information (“Draft Provisions on Standard Contracts”) on June 30, 2022 to seek public opinion, and formally issued the Measures for the Security Assessment of Cross-border Data Transfer (“Measures for Security Assessment”, effective from September 1, 2022) on July 7, 2022. Combined with the Cross-Border Personal Information Processing Security Certification Specifications (“Certification Specifications”) issued by the Secretary of the National Information Security Standard Technology Committee on June 24, 2022, China’s supervision of personal information outbound transfer is taking shape.



1. Basic provisions of personal information outbound transfer


The basic provisions of personal information outbound transfer are derived from the Personal Information Protection Law of China (“PIPL”), namely the personal information cross-border transfer shall meet one of the following conditions: 


(1) the personal information processor shall pass the security assessment organized by the Cyberspace Administration of China if the quantity of personal information it processes reaches the threshold prescribed by the Cyberspace Administration of China and the processor needs to provide the personal information overseas (save where laws or administrative regulations stipulate that security assessment is not required);


(2) the personal information processor shall have been certified by a specialized agency for the protection of personal information in accordance with the provisions of the Cyberspace Administration of China;


(3) the personal information processor shall enter into a contract with the overseas recipient under the standard contract formulated by the Cyberspace Administration of China, specifying the rights and obligations of both parties; or


(4) the personal information processor shall meet other conditions prescribed by laws, administrative regulations or the Cyberspace Administration of China.


Apart from item (4) above, which is a catch-all provision, PIPL substantially provides three approaches for personal information outbound transfer: (1) security assessment, (2) personal information protection certification and (3) conclusion of a standard contract.



2. Security Assessment


A personal information processor shall declare security assessment for its personal information outbound transfer under any of the following circumstances: 


(1) where a critical information infrastructure operator or a personal information processor processing the personal information of more than one million individuals provides personal information abroad; or 


(2) where a personal information processor has provided personal information of 100,000 individuals or sensitive personal information of 10,000 individuals in total abroad since January 1 of the previous year.


The security assessment of the risks of the personal information outbound transfer involves two core parts, namely self-assessment and the security assessment itself. Self-assessment shall be conducted by the personal information processors themselves, with focus on the following matters:


(1) the legality, legitimacy and necessity of the purpose, scope and method of the personal information outbound transfer and personal information processing by the overseas recipient; 


(2) the scale, scope, type and sensitivity of the personal information to be provided abroad, and the risks to national security, public interests or the legitimate rights and interests of individuals or organizations caused by the personal information outbound transfer;


(3) the responsibilities and obligations that the overseas recipient promises to undertake, and whether the overseas recipient’s management and technical measures and capabilities for performing its responsibilities and obligations can guarantee the security of the personal information outbound transfer; 


(4) risks of the personal information to be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the personal information outbound transfer; whether the channel for the maintenance of personal information rights and interests is smooth;


(5) whether the relevant contracts on the personal information to be concluded with the overseas recipient or other legally binding documents have fully agreed on the responsibilities and obligations to protect the personal information security; and


(6) other matters that may affect the security of the personal information outbound transfer.


After completing the self-assessment of the personal information outbound transfer, the onshore personal information processor shall apply for the security assessment and submit at least the following documents:


(1) an application letter;


(2) the self-assessment report for the personal information outbound transfer; and


(3) the legal documents including the personal information outbound transfer agreement to be concluded between the personal information processor and the overseas recipient. 


The security assessment for an outbound personal information transfer focuses on the assessment of the risks to national security, public interests, or the legitimate rights and interests of individuals or organizations that may be caused by the activity of the personal information outbound transfer, mainly including the following matters: 


(1) the legality, legitimacy and necessity of the purpose, scope, and method of the personal information outbound transfer; 


(2) the impact of the personal information security protection policies and regulations and the cybersecurity environment of the country or region where the overseas recipient is located on the security of personal information to be provided abroad, and whether the personal information protection level of the overseas recipient meets the requirements of the laws and administrative regulations of the People’s Republic of China and mandatory national standards;


(3) the size, scope, types and sensitivity of personal information to be provided abroad, and the risks that the personal information may be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the personal information is provided abroad; 


(4) whether personal information security and personal information rights and interests can be fully and effectively guaranteed; 


(5) whether the legal documents including the personal information outbound transfer agreement to be concluded by the personal information processor and the overseas recipient have fully agreed on the responsibilities and obligations of personal information security protection;


(6) compliance with Chinese laws, administrative regulations and departmental rules; and


(7) other matters that the Cyberspace Administration of China considers necessary to assess. The personal information processor shall be informed of the assessment result in writing, and the result is valid for 2 years.


A personal information processor shall re-apply for assessment if any of the following circumstances occurs: 


(1) the purpose, method, scope and type of the personal information outbound transfer, or the purpose and method of personal information processing by the overseas recipient have changed, affecting the security of the personal information provided abroad, or extending the period of storage of personal information abroad;


(2) the security of the personal information provided abroad is affected due to changes in the personal information security protection policies or regulations or the cybersecurity environment of the country or region where the overseas recipient is located, any other force majeure event, or any change in the actual control of the personal information processor or the overseas recipient, or any change in the legal documents between the personal information processor and the overseas recipient;


(3) any other circumstance affecting the security of the personal information provided abroad; or


(4) the period of validity will expire in 60 working days and the personal information processor intends to continue the personal information outbound transfer.



3. Personal Information Protection Certification


The approach of personal information protection certification applies to the following two circumstances: 


(1) personal information outbound activities between multinational companies, or between subsidiaries or affiliated companies of the same economic or business entity. In such circumstance, the onshore personal information processor shall apply for the certification; and


(2) overseas personal information processors process personal information of natural persons in China for the purpose of providing products or services to natural persons in China or for the purpose of analyzing and evaluating the behavior of natural persons in China. In such circumstance, the specialized agency or the designated representative set up in China by the overseas personal information processors shall apply for the certification.


The basic requirements for personal information protection certification include:


(1) there is an agreement on the transmission and protection of personal information between the personal information processor and the overseas recipient;


(2) the personal information processor and the overseas recipient clearly designate their respective person in charge of personal information protection and assume relevant responsibilities;


(3) both the personal information processor and the overseas recipient set up personal information protection agencies and undertake responsibilities including but not limited to formulating and implementing plans for cross-border processing of personal information, organizing and conducting personal information protection impact assessments, and supervising and ensuring that personal information processors and overseas recipient process personal information as agreed, and accepting and handling personal information subjects’ requests and complaints;


(4) the personal information processor and the overseas recipient abide by unified cross-border personal information processing rules;


(5) the personal information processor shall evaluate in advance whether the provision of personal information to overseas recipients is legal, legitimate and necessary, and whether the protective measures taken are appropriate and effective for the degree of risk.


The framework of personal information protection certification also specifically requires personal information processors and overseas recipients to protect the rights of personal information subjects, and clarifies the responsibilities and obligations of personal information processors and overseas recipients.


It is worth noting that personal information processor or overseas recipient may apply for certification on a voluntary basis. The validity period of a certification and the certification body have yet to be clarified by the relevant authority.



4. To Conclude Standard Contract


The premise of achieving compliance for personal information outbound transfer through the conclusion of a standard contract is that the outbound transfer is limited in quantity, namely that the personal information processor is not a critical information infrastructure operator and meets the following requirements:


(1) where it processes not more than one million persons’ personal information; 


(2) where it has provided the personal information of not more than 100,000 persons accumulatively overseas since January 1 of the previous year; and


(3) where it has provided sensitive personal information of not more than 10,000 persons accumulatively overseas since January 1 of the previous year. If the quantity of personal information exceeds any of the above thresholds, the personal information processor cannot achieve personal information outbound transfer compliance by entering into a standard contract. Instead, it should seek the aforementioned “security assessment” or “personal information protection certification”.


It can be seen that, when the quantity of personal information involved is controllable, the authority intends to simplify the regulatory requirements for personal information outbound transfer by allowing a standard contract, so as to achieve the purpose of “less risk, less control”. Under the standard contract approach, personal information outbound transfer compliance mainly includes three core parts: contracting on its own, self-assessment and filing.


“Contracting on its own” means the onshore personal information processor concludes a written agreement with the overseas recipient, namely enters into a standard contract. A standard contract shall include:


(1) basic information on the personal information processor and the overseas recipient, including but not limited to the name, address, name and contact information of the contact person, etc.;


(2) the purpose, scope, type, sensitivity, quantity, method, storage period, storage place, etc. of outbound personal information;


(3) the responsibilities and obligations of the personal information processor and overseas recipient to protect personal information, as well as the technical and management measures adopted to prevent the possible security risks arising from cross-border transfer of personal information;


(4) the impacts of the policies and regulations on personal information protection of the country or region where the overseas recipient is located on the compliance with the terms of the contract;


(5) the rights of the subjects of personal information, as well as the channels and methods for protection of the rights of the subjects of personal information; and


(6) remedy, contract termination, liability for breach of contract and dispute resolution, etc.


The key content of the self-assessment is not substantially different from the self-assessment requirements under the “Security Assessment” approach and will not be repeated here.


After completing the contracting on its own and the self-assessment, the onshore personal information processor should file with the provincial-level cyberspace administration within 10 working days from the date when the standard contract takes effect.


The Cyberspace Administration of China has attached a standard contract template for personal information outbound transfer to the Draft Provisions on Standard Contracts. This template covers all the requirements for a standard contract listed above. Therefore, from a regulatory perspective, directly concluding the template minimizes the compliance risk of personal information outbound transfer and greatly reduces the review burden on the cyberspace administration, so that the purpose of “less risk, less control” can be effectively achieved. It should be noted that, while signing and submitting this form of “standard contract” template, personal information processors and overseas recipients may still sign other agreements and legal documents related to the personal information outbound transfer to further clarify and refine the relevant commercial terms and the rights and obligations of the parties, provided that these other agreements and legal documents do not conflict with the standard contract.



5. Practical Issues


In practice, only one of the three compliance approaches for personal information outbound transfer needs to be taken. Onshore personal information processors should choose among them according to their actual situation. In particular, it seems more reasonable and efficient to carry out personal information outbound transfer through the “personal information protection certification” approach between affiliates of multinational companies. However, as the validity period of the certification and the certification body have not yet been clarified, it may be necessary to decide whether to adopt one of the other two approaches based on the quantity of personal information transferred abroad.


In addition, concluding the standard contract is not a must under the security assessment and personal information protection certification approaches, which also allows the parties to maintain more flexible business arrangements and related rights and obligations.


However, since the Draft Provisions on Standard Contracts are still at the draft stage, it remains to be seen whether there will be further changes in the future.
