How to Read CAC's New Draft on Data Export
Beginning with the enactment of the Data Export Security Assessment Measures in July 2022 (the “Security Assessment Measures”), followed by the Personal Information Export Standard Contract Measures (the “SCC Measures”) and the Implementation Rules on Personal Information Protection Certification (the “Certification Rules”), China has built up the framework of its regulatory mechanism for data and personal information export, with “security assessment”, “standard contract” and “protection certification” as its three cornerstones.
However, the mechanism remains unclear on some very important concepts, and there have been concerns about how the system works in practice. In order to clarify the vagueness and the boundaries of the mechanism, the CAC (Cyberspace Administration of China) released the draft Measures on the Regulation and Promotion of Cross Border Data Flow (the “Draft”) for public comment. (Readers may refer to our previous article, CAC Released Its Rules to Ease Restriction on Cross Border Data Transfer to Hear Public Comments, for more details of the Draft.)
I. The Confusion and the Dilemma
Since the enactment of the Security Assessment Measures and the SCC Measures, we have been hearing our clients’ concerns and enquiries about how to comply with the data and personal information export regulation, especially in the following circumstances.
1. When the quantity of exported personal information is relatively small.
Because the Personal Information Protection Law (the “PIPL”) and the SCC Measures do not set a quantitative threshold for when a standard contract must be entered into and filed with the relevant authority, theoretically speaking, as long as there is any export of data or personal information, a standard contract should be entered into and filed.
In practice, most foreign invested companies in China share data and personal information with their overseas parent company or affiliated companies. In most cases, however, the quantity of data and personal information exported is very small and limited to a few types of information. For companies engaged only in B2B business, the exported personal information is usually limited to employees’ personal information and the personal information of business partners’ contact persons. Many companies are therefore confused as to whether it is really necessary to sign a standard contract when exporting only a small quantity of personal information.
2. When exporting personal information with special nature.
Another question is whether it is absolutely mandatory to sign a standard contract for exporting any and all kinds of personal information.
For example, many companies share the business telephone numbers and email addresses of their business partners’ contact persons with their overseas affiliated companies purely for business purposes. We have also received an enquiry from a client asking whether it is necessary to sign a standard contract if its subsidiary in China shares scanned copies of business cards collected at exhibitions or other business occasions.
It is clear that, under the PIPL’s definition, telephone numbers, email addresses and the other information contained in a business card are personal information. But this information has a clearly social character, and the information on a business card is, to some extent, prepared to be circulated. Is it still necessary to sign a standard contract just to export these types of personal information?
3. When personal information subjects directly export personal information.
The key issue here is how to define the act of “exporting personal information”. The Security Assessment Measures state that they “apply when a data processor provides overseas important data and personal information collected and generated in its operation in China”. Also, according to the Guideline on Filing of Personal Information Export Standard Contract (First Version), “export of personal information” includes the case “when a personal information processor transfers and stores overseas personal information collected and generated in its domestic operation” and the case where “a personal information processor stores the personal information domestically but makes it available for overseas organizations or persons to search, review, download and export”.
Under the above definitions, in addition to the act of export itself, the export of data and personal information must be conducted by a “processor”. When a personal information subject directly provides his or her own personal information to an overseas entity without going through a third party, on a literal reading such an action arguably does not constitute an “export of data and personal information”, and thus would not be regulated as such.
These confusions and ambiguities, together with the six-month grace period set by the SCC Measures, have left many foreign invested companies in a dilemma: whether to make all the effort to meet the regulatory requirements, or to bear the legal compliance risk.
II. The Draft’s Position
The Draft, released on 28 September 2023, does provide answers to some of the concerns mentioned above.
1. The Quantitative Threshold
Most importantly, the Draft sets out a clear quantitative threshold. It says that “if it is expected that the personal information of no more than 10,000 persons will be exported within one year, there is no need to apply for data export security assessment, sign a personal information export standard contract or pass personal information protection certification”. Such a “10,000 threshold” would take most exports of data and personal information out of the scope of the “security assessment, standard contract and protection certification” regime.
In addition, the Draft says that “if it is expected that the personal information of more than 10,000 but fewer than 1 million persons will be exported, and a standard contract has been signed with the overseas recipient and filed with the provincial cyberspace administration, or personal information protection certification has been passed, then there is no need to apply for data export security assessment”. This relaxes the “100,000 threshold” set by the Security Assessment Measures, raising the point at which security assessment becomes mandatory to 1 million persons.
Another point worth noting is that the Draft does not mention the “processing quantity”. Under the Security Assessment Measures, when the data processor is a critical information infrastructure operator, or is a data processor that processes the personal information of at least one million persons, a security assessment is required before exporting any quantity of data or personal information. But such a “processing quantity” trigger is not mentioned in the Draft. On a literal reading, it seems permissible to conclude that, under the Draft, an export of data or personal information by any processor does not require a security assessment if the export quantity threshold is not met.
2. Safe Harbor for Special Exporting Scenarios
The Draft also sets out safe harbor provisions for some special scenarios of personal information export. It says that application for security assessment, signing of a standard contract and passing of personal information protection certification are not required (1) when it is necessary to export personal information in order to conclude or perform a contract to which the individual is a party, such as cross border shopping, cross border payment, flight and hotel booking, or visa application; (2) when it is necessary to export internal employees’ personal information for human resource management purposes in accordance with lawfully formulated labor rules and policies or a lawfully concluded collective contract; or (3) when it is necessary to export personal information to protect natural persons’ life, health, and property safety.
In practice, the direct export of personal information by the personal information subject most frequently happens in scenarios such as flight booking and online shopping. The safe harbor provision will therefore screen out quite a large proportion of direct exports of personal information.
3. Further Clarify the Scope of Important Data
The vagueness of the scope of “important data” is one of the biggest concerns regarding the data export regulation. The Data Security Law only sets out a very rough definition of the concept of “important data”. The government is currently in the process of producing more detailed lists of important data, industry by industry, in the form of national standards or industry standards. But as this process takes time, and new types of data will sometimes emerge, the vagueness of the scope of “important data” creates great uncertainty for companies engaged in data-involved business.
This time, the Draft clearly says that “for data which has not been published or notified as important data by the relevant authorities or regions, the data processor does not need to apply for data export security assessment on the basis that it is important data”. This provides a very clear guide for judging whether a certain type of data falls within the scope of “important data”.
III. Correct Reading of the Draft
After the release of the Draft, many people interpreted it as meaning “free to export personal information if fewer than 10,000 persons a year”. It is true that the Draft eases the compliance burden on companies with respect to data export to some extent, but the Draft still needs to be read more carefully.
1. Is it still necessary to conduct PIA?
The main reason many companies have been hesitant about signing the standard contract was not the contract itself but the filing procedure and the personal information protection impact assessment (the “PIA”). Some have therefore concluded that, under the Draft, as long as the personal information of fewer than 10,000 persons is exported there is no need to conduct a PIA either.
However, this is a misunderstanding. Under Article 55 of the PIPL, a personal information processor must conduct a PIA whenever it is going to provide personal information overseas. It is not the signing of the standard contract that imposes the PIA obligation; on the contrary, it is because Article 55 requires a PIA for any personal information export that the standard contract has to be filed together with a PIA report. The Draft does not say that a PIA is no longer necessary when a standard contract is not required.
2. Is it still necessary to sign a contract with overseas recipient?
Even if, under the Draft, a standard contract is no longer required, there still must be some arrangement between the provider and the recipient of the exported data.
Under Article 38 of the PIPL, a personal information processor must take necessary measures to ensure that the overseas recipient’s processing of the personal information meets the protection standard required by the PIPL. An agreement or arrangement between the provider and the recipient is clearly part of such “necessary measures”. Also, according to the template personal information protection impact assessment report issued by the CAC on 30 May 2023, when conducting the PIA the processor must evaluate “the obligations undertaken by the overseas recipient”. Therefore, the provider and the recipient still need to reach an agreement, or agree on a certain arrangement, as to how responsibility is allocated.
But it is true that if the standard contract is not mandated, the parties have more freedom when negotiating the agreement. And if the export takes place between different entities of the same corporate group, a set of binding corporate rules can also be used in place of the agreement.
3. No change to the applicability of the PIPL to overseas processors.
As mentioned above, the Draft sets out safe harbor provisions for some scenarios of direct export of personal information by the personal information subject.
But it is worth remembering that, under the PIPL, the PIPL applies to overseas processors if they process the personal information of natural persons within China from outside China for the purpose of providing products or services to those natural persons. Therefore, even where there is no need to conduct a security assessment or enter into a standard contract, the overseas processor must still comply with the PIPL in general.
The Draft does clarify some of the vagueness in the regulatory mechanism for data and personal information export, adjusts the current system to make it more reasonable, and eases the compliance burden on data processors to some extent. But it is not the Draft’s intention to completely free the cross border transfer of data and personal information. And, after all, the Draft is still at the stage of collecting public comments.