(By Wang Hongliang) Many businesses are perplexed by the practical problem of outbound personal information transfer compliance, especially foreign-invested businesses that need to provide personal information abroad in many scenarios, for example when they have to provide personal information to their headquarters or affiliates.
Article 38 of the Personal Information Protection Law provides that, in addition to other premises, security assessment, personal information protection certification and the standard contract are approaches to outbound personal information transfer compliance. According to Article 4 of the Measures for Data Outbound Transfer Security Assessment (Exposure), the security assessment mainly applies where personal information collected or generated by critical information infrastructure operators is transferred abroad, where personal information handlers processing the personal information of one million people or more transfer personal information abroad, or where the personal information of over 100 thousand people or the sensitive personal information of over 10 thousand people is cumulatively transferred abroad.
Generally, businesses that do not need to perform the personal information security assessment should transfer personal information abroad by personal information protection certification or the standard contract for compliance purposes. Last week the National Information Security Standardization Technical Committee (“NISSTC”) promulgated the Cyber Security Standard Practice Guidance – Security Certification Procedures for Cross-Border Handling Activities of Personal Information (“Security Certification Procedures”). Shortly afterwards the Cyber Administration of China (“CAC”) promulgated the Regulations on Standard Contract for Cross-Border Transfer of Personal Information (Exposure) (“Standard Contract Regulations”). These normative documents improve the approaches of personal information protection certification and standard contract execution.
I. Comments on Regulations on Standard Contract for Cross-Border Transfer of Personal Information
(I) Application conditions
Article 4 of the Standard Contract Regulations provides that personal information handlers may transfer personal information abroad by executing the standard contract if they meet all the following conditions: 1. Not critical information infrastructure operators; 2. Handling personal information of less than one million people; 3. Cumulatively transferring personal information of less than 100 thousand people abroad since 1 January of the previous year; 4. Cumulatively transferring sensitive personal information of less than 10 thousand people abroad since 1 January of the previous year.
The application conditions set out in the Standard Contract Regulations supplement Article 4 of the Measures for Data Outbound Transfer Security Assessment (Exposure). In theory, all personal information can be transferred abroad by the standard contract in circumstances where the security assessment is not necessary.
Compared with the security assessment, executing the standard contract is a less expensive and more convenient approach to outbound data transfer compliance, and it has the widest range of application scenarios, so it is expected to be applied extensively in the future.
(II) Details of impact evaluation of outbound personal information transfer
How to perform the security assessment of outbound personal information transfer under Article 36 of the Personal Information Protection Law was up in the air until Article 5 of the Standard Contract Regulations gave a preliminary answer: the security assessment should include:
1. the legality, justification and necessity of the purpose, scope, method, etc. of the personal information handlers and the foreign recipients processing the personal information;
2. the amount, extent, type and sensitivity of the personal information to be transferred abroad and risks of transferring personal information abroad to the rights and interests of individuals;
3. the responsibilities and obligations of the foreign recipients and the management and technical measures, ability, etc. to perform such responsibilities and obligations to ensure the security of the outbound personal information transfer;
4. the risks of the personal information being divulged, damaged, altered, misused, etc. after being transferred abroad, the accessibility of the way individuals seek protection of their personal information, etc.;
5. the effect of personal information protection policies and laws of the countries or areas of the foreign recipients on the performance of the standard contract.
Please note that the impact evaluation is required, not optional. Article 7 of the Standard Contract Regulations provides that the personal information handlers should submit the standard contract and the personal information protection impact evaluation report for filing with the local provincial cyberspace authority within 10 working days after the execution date of the standard contract. After the standard contract becomes effective, the personal information handlers can transfer personal information abroad. To transfer the personal information abroad, the business should prepare a qualified impact evaluation report in addition to the standard contract. The Standard Contract Regulations is accompanied by a template of the standard contract, but not by a template of the impact evaluation report. Businesses need to seek professional advice on how to draft the standard contract and the impact evaluation report.
(III) After-fact contract updating and maintenance
The personal information handlers have not fulfilled their obligations once the personal information is transferred abroad based on the standard contract and the impact evaluation report. Article 8 of the Standard Contract Regulations provides that the personal information handlers should sign and file a new standard contract if the purpose, extent, type, sensitivity, amount or method of the personal information transferred abroad, or the storage period, storage place, or use or method of the foreign recipients handling the personal information, is changed; if the period of time for which the personal information is kept abroad is extended; or if the personal information protection policies or laws of the countries or areas of the foreign recipients are changed in a way that may affect rights and interests in the personal information. These provisions are demanding for personal information handlers to comply with and in strict terms require them to keep well informed about the foreign recipients and local laws.
For the full text of the Outbound Personal Information Transfer Standard Contract (Exposure), click the QR code below.
II. Comments on Cyber Security Standard Practice Guidance – Security Certification of Cross-Border Handling Activities of Personal Information
(I) What is security certification?
It is another approach to transferring personal information abroad legally. After the outbound transfer of personal information passes the security certification, unless the certified matters change, the business can rely on the certification result to transfer personal information abroad for certain times, with no need to perform the impact evaluation and file the standard contract every time personal information is transferred abroad.
The Security Certification Procedures does not stipulate the certification institution or the period of time for which the certification result is valid. It is crucial to clarify them further in future rules.
(II) The security certification is voluntary.
The Security Certification Procedures explicitly states that the certification of cross-border personal information handling activities is recommended by the government and voluntary. Eligible personal information handlers and foreign recipients are encouraged to voluntarily apply for the certification of cross-border personal information handling activities in order to strengthen personal information protection and increase the efficiency of cross-border personal information handling.
Unlike the security assessment and the standard contract, which are compulsory, the security certification is voluntary and emphasizes efficiency.
(III) Application scenarios
As stated above, security certification is voluntary, not compulsory, and has limited application scenarios. According to the Security Certification Procedures, it applies in the events below: Event A: multinationals, or subsidiaries or affiliates of an economic entity or a public service, conduct cross-border personal information handling activities between each other. Event B: a foreign entity analyzes or evaluates the acts of domestic natural people (Article 3.2 of the Personal Information Protection Law).
Event A is easy to understand. In this event personal information is transferred internally, so it is more likely that personal information handlers and foreign recipients agree on the agreements, organizational structure and uniform data handling rules required for the certification. In Event B there is no cross-border provision of personal information under Chapter III of the Personal Information Protection Law, and no domestic personal information handler. It is reasonable to believe that the Security Certification Procedures broadens the meaning of cross-border personal information handling.
(IV) Responsible People
Responsible people also differ between the two events under the Security Certification Procedures. In cross-border personal information handling activities between multinationals, or subsidiaries or affiliates of an economic entity or a public service, the domestic side may apply for the certification and assume the legal responsibilities. In the event that a foreign entity analyzes or evaluates domestic natural people, its domestic organization or designated representative may apply for the certification and assume the legal responsibilities.
(V) Agreements and cross-border handling rules required
An agreement between the personal information handlers and the foreign recipients, similar to the standard contract for transferring personal information abroad, is required for the security certification in order to fully protect the rights and interests of the subjects of the personal information. The content of the agreement required by the Security Certification Procedures is not very different from the standard contract for transferring personal information abroad. As the security certification is supervised by the certification institution, the Security Certification Procedures requires that the agreement specify that the foreign recipients undertake to accept supervision by the certification institution.
In addition, a set of cross-border personal information handling rules between the personal information handlers and the foreign recipients is required. My understanding is that the rules may be more specific than the agreement, constitute a detailed document related to the agreement, and become basic rules that both the handling and receiving parties should abide by.
(VI) Organization and Management
In addition to the special provisions relating to security certification, the Security Certification Procedures, by reference to the Personal Information Protection Law, requires people and organizations designated to protect personal information, evaluation of factors that may affect personal information protection, etc. for organization and management purposes, which businesses should also pay attention to when preparing for the security certification.
In conclusion, the approaches of the standard contract and security certification are becoming clearer. The Standard Contract Regulations is an exposure version at present. The force of the Security Certification Procedures is even weaker than that of recommended national standards. The security certification should also meet the requirements of GB/T 35273 Information Security Technology Personal Information Security Rules. The relevant normative documents need to be revised and may be revised. I advise businesses to choose an appropriate approach to transferring personal information abroad in each specific scenario. By executing the standard contract or undergoing the security certification, businesses can not only meet regulatory requirements, but also fully review personal information protection matters.
1 Article 38 of the Personal Information Protection Law: to transfer personal information outside the territory of the People’s Republic of China for business or other purposes, personal information handlers shall:
(1) pass the security assessment organized by the national cyberspace department as set out in Article 40 hereof;
(2) pass personal information protection certification conducted by a professional organization as stipulated by the national cyberspace department;
(3) conclude a contract with the foreign receiving party, setting out each party’s rights and obligations according to the standard contract formulated by the national cyberspace department; or
(4) meet other conditions stipulated by law, administrative law or the national cyberspace department.
2 Article 4 of the Measures for Data Outbound Transfer Security Assessment (Exposure): in one of the following events, to transfer data abroad, data handlers shall apply for the outbound data transfer security assessment to the national cyberspace department through the local provincial cyberspace department.
5 See footnote 2