CHINA: Cross-border data transfers – what are your options?

By Magda Zmorka on July 8, 2022

Posted in Data transfers, General Data Protection Regulation

Authors: Carolyn Bigg, Venus Cheung, Fangfang Song, Gwyneth To

We have all been waiting for a confirmed approach on legitimising overseas transfers. Finally, we have a clear answer on what organisations need to do to transfer or access for personal data and “important data” outside of Mainland China; and the message is clear – all organisations must determine the correct approach and take steps to get compliant by 1 March 2023.

Firstly, it is clear now that there is no one obvious approach, unlike other jurisdictions where organisations could simply sign SCCs to validate/legitimise overseas transfers. All organisations must assess – based on their data processing activities, volume and type of data, operations in Mainland China and other factors – which of the options, namely (A) CAC certification, (B) SCCs (see our recent alert on these here), (C) CAC security impact assessment or (D) other mechanisms, such as those for certain industries, is the right one for them to follow. Once that decision is made, data mapping, repapering of DPAs and engagement with the regulator (CAC) in one form or another is going to be critical.

To be clear, based on recent released guidance, regardless of which route an organisation opts for, there appears to be a need for each organisation to engage with the CAC to a lesser or greater extent.

Following hot on the heels of the draft SCCs, we now also have clearer guidance on two of the alternative routes to legitimise overseas data transfers – draft guidelines on getting organisation level CAC certification (route (A) above), and most recently – and it seems the most likely route for many multinational organisations – an approval from CAC upon satisfying the CAC-security impact assessment (route (C) above).

On this last option, the Measures for Security Assessment of Overseas Transfers were published by the CAC on 7 July, and will come in force on 1 September 2022, with a six-month grace period for organisations to obtain approval from the CAC. The CAC security assessment primarily assesses the impact of overseas transfers on national security, public interest, and the legitimate rights and interests of individuals or organisations, and details of the process is set out below:

Triggers for opting for CAC Approval against its Security Assessment

Organisations may choose this route to legitimise overseas data transfers if they:

transfer important data overseas;
are designated as a critical information infrastructure operator;
may process personal information of over 1 million data subjects and intend to conduct overseas transfers activities;
transferred personal information of 100,000 data subjects or sensitive personal information of 10,000 data subjects overseas from 1 January of the preceding year; or
are required by the CAC to conduct security assessment based on other relevant legislation.

Required Documentation and Process of Obtaining Approval from CAC

Prior to applying for an approval from the CAC, an organisation should conduct a self-security assessment. The self-security assessment report should then be submitted to the local CAC together with a completed application form and the relevant documents/contracts with the overseas recipient.

The local CAC will conduct a preliminary review of the submitted documentation, and submit them to the national CAC for next steps (i.e. the CAC security assessment, and issuance of an approval note). If the CAC security assessment has been passed, the organisation will be granted with a written approval. Such approval should be renewed every two years.

Highlights of the Approval Process

Organisations should:

Take into account the time required to obtain approval from the CAC when planning its overseas transfers processing activities. The approval process may take a few months, and although there is a grace period of six months for organisations to obtain the approval – it is anticipated that the regulators would expect organisations to hold off data transfers activities until an approval has been obtained.
Consider their current and future contracting methodology with third parties (including with their intra-group companies). There are specific requirements as to what content should be included in the data transfer agreements. Given the contracts will need to be submitted to the CAC for approval, organisations may consider to adopt the SCCs with overseas recipients.
Note that, subject to further clarification by the CAC, it is likely that approval can be obtained on a per-data controller basis, rather than a per-transfer/data set basis.
Note that, remote access of data from overseas will also be considered as overseas transfers.