CHINA: new draft guidelines on data transfers abroad
China’s PIPL came into effect today, and to go along with it, China’s Cyberspace Administration (“CACThe key data regulator) has released for consultation draft guidelines to help organizations struggling with overseas data transfers with practical advice on some of the compliance actions that need to be taken.
Under the PIPL, certain organizations – or the transfer abroad of certain categories of data – require the controller to carry out a security impact assessment (“SIA”) In addition to the other overseas data transfer steps (including consent, DPIA / PIIA and fulfilling one of the four data transfer conditions, one of which uses the new Chinese SCCs and the other undertakes a SIA). The new draft guidelines define the thresholds and procedures for undertaking an AVS.
Our high-level comments on the draft guidelines and their impact on organizations’ PIPL compliance programs are as follows:
- This is only a draft for consultation at this stage. The consultation period runs until November 28.
- The draft is in many ways similar to the draft overseas remittances guidelines of 2017 and 2019, which have been the subject of intense lobbying. As such, we expect there will be significant lobbying – and a healthy response to the consultation process – and in turn (hopefully) further clarifications through a second draft before that these are not finalized.
- The key point to note for companies is that the draft guidelines define the thresholds that trigger a mandatory AIS for data transfers abroad, namely:
- the organization is a Critical Information Infrastructure (CIIO) operator collecting personal information and important data;
- the transferred data includes important data;
- the organization processes the data of more than one million data subjects and intends to transfer data abroad;
- the cumulative amount of transfers abroad of personal information exceeds 100,000 data subjects or sensitive personal information exceeds 10,000 data subjects; Where
- when otherwise required by the national CAC.
- The SIA is initially a self-assessment, which will need to be filed and approved by the local branches of the CAC. The draft guidelines define the scope and procedure, as well as the time limits. A key point to note is that a copy of the data processing agreement (“DPA“) with the recipient of the data abroad will have to be submitted with the SIA request, which means that it will have to be bilingual.
- Unfortunately, the following is not clear from the project:
- whether it covers internal transfers;
- whether it covers remote access from abroad;
- whether in practice this only covers bulk transfers (or whether cumulative transfers are taken into account);
- whether the AIS is to be conducted by handover or by data controller; and
- whether submitting a copy of the DPA compliant with the relevant PIPL with the assignee abroad is in itself sufficient, or whether this DPA must also include the new SCCs that have been mentioned in the PIPL.
- In addition, the volume threshold seems low, which means that it can be easily reached by many organizations. (That was the subject of most of the lobbying last time).
- Approval will need to be renewed every two years, or if the scope of treatment changes.