In late September last year, tech and other multinationals with operations in the world's second largest economy breathed a sigh of relief when the Cyberspace Administration of China (CAC) released draft provisions to ease the country's stringent cross-border data transfer regime.
However, the deadline for filing China's equivalent of the standard contractual clauses passed at the end of November without a final form of these provisions, which would have exempted many businesses from the need to file those standard contracts at all. We have advised and spoken to numerous organisations whose compliance functions were uncomfortable with the delay and the potential for sanction under heavily scrutinised rules in such a key market.
Relief for cross-border activities
Tonight, though, those that waited for the final form of the provisions can breathe a sigh of relief. As forecast (informally) by the Chinese authorities, the final rules substantially reflect the key exemptions in last autumn's draft, and a number of clarifications actually enhance them.
Clarifications that jump out:
- Low frequency exporters: Critically for the majority of B2B businesses, the threshold exemption for exporting the personal information of fewer than 10,000 individuals has been raised to 100,000 individuals (exclusive of sensitive personal information, which is significant as explained below). We expect this to give a clearer buffer to the vast majority of foreign enterprises operating in mainland China, whether providing services or even running large manufacturing plants, since their employee headcounts and volumes of business contact information (where offshored to a centralised database) would likely remain below this higher threshold. In addition, the reference date for this threshold has been clarified: volumes are counted from 1 January of the current year rather than over a rolling 12-month period, which simplifies a business's calculations.
- Employee data: The proposed HR management exemption has been reworded in the final rules by reference to "cross-border human resource management", which is now the exempt activity provided the data exports are for a "genuine need". This aligns with the terms used in the Personal Information Protection Law (PIPL). It remains to be tested in practice whether this wording also signals the PRC regulator's intention to make the exemption easier to apply for MNCs that run a centralised regional model, or for global HR functions managing employee affairs. In any case, organisations intending to rely on the HR exemption should revisit their HR data privacy packages.
- FTZs: There has been much interest over the last few months in China's free trade zones developing their own cross-border data transfer rules. The final provisions make it clear that entities registered within an FTZ which do not export data appearing on the "negative list" for that zone should be able to transfer their data freely. In essence, once businesses have sight of the negative list for these economic areas (in Shanghai, Tianjin and elsewhere) they should easily be able to establish whether they can operate in those zones in the same way that they do in other global markets.
Sensitive personal information
One point of discussion under the draft rules was whether the 10,000-, 100,000- and 1,000,000-individual thresholds permitted the unrestricted export of sensitive personal information. The final rules remove any uncertainty by stating explicitly that sensitive personal information is excluded from these threshold-based exemptions.
This means that organisations exporting sensitive personal information, such as credit information, health data or information on children under 14, will need, where possible, to rely on one of the other, narrower exemptions, such as HR management or the FTZ rules (subject to the relevant FTZ negative list).
This clarification may be most frustrating for financial institutions (FIs), which often leverage group KYC and other compliance functions to check company representatives' passports or other IDs. Because the contract between the FI and its corporate or institutional customer is not a contract with those representatives, the FI will technically not be able to rely on the contract exemption for their data. Conversely, the contract exemption can be hugely favourable to B2C businesses, which contract directly with the individuals whose sensitive personal information they export.
Security assessments
Another business-friendly inclusion in the final rules is the extension of the period of validity of a completed cross-border data security assessment. These will now have a shelf life of three rather than two years. As such, multinationals and domestic businesses that export large volumes of personal information (or important data) will not have to revisit the assessment process as often. This will be a welcome change given the burden generally felt by businesses required to gather, and obtain clearance to disclose, sometimes quite sensitive dossiers of operational and security-related information.
Incident reporting
Together with the measures on reporting of network security incidents proposed in December, the refinement of the breach notification provision in tonight's final rules illustrates that this issue will be a growing focus for the Chinese government.
Specifically, the final rules are more explicit that security incidents involving data exported out of China must be reported to the Chinese authorities even though the incident occurs offshore. While this expectation was already expressed in China's standard contract, it was not clear under the PIPL, the Data Security Law or the Cybersecurity Law. Multinationals will need to revisit their breach reporting procedures to check that offshore incidents affecting China-sourced data are captured.
What are your next steps?
The rules come into force with immediate effect, so it is now time for MNCs to get on with compliance.
After the various compliance burdens imposed on MNCs over the last 12 months through security assessments, standard contract filings and certifications, the green channels under the new rules should streamline many multinationals' data exports.
- For applications and filings already lodged with the CAC, applicants whose data exports are now exempt can choose either to continue the original process or to withdraw their paperwork from the local CAC.
- Organisations which have halted their China SCC filing or security assessment projects since September last year, in anticipation of the finalised rules, should now reassess those projects in light of the applicable exemptions.
The exemptions under the new rules relieve organisations only of the data export mechanisms (security assessment, standard contract or certification). They do not remove the general data protection obligations under the PIPL, which in particular include providing the necessary notices and obtaining consents (unless relying on an alternative legal basis); conducting personal information protection impact assessments; and ensuring equivalent personal information protection standards for exported data by putting the necessary contractual terms in place with overseas recipients.
What is more, in light of the enhanced data security regime, compliance with the amended PRC Anti-Espionage Law will be vital for certain information gathering activities (both onshore and offshore) relating to China-based businesses and their activities.
Similarly, organisations must also consider industry-specific obligations, especially where data classification governance and data export regulations remain top priorities for the various industry regulators. More to come on this next week!
If you are interested in an English translation of the final provisions, or would like to discuss your data compliance needs, feel free to reach out to us.