In good news, on 22 March 2024, the Cyberspace Administration of China (“CAC”) finalised long-awaited guidelines setting out exemptions to some of the more challenging cross-border data transfer (“CBDT”) compliance requirements (“Guidelines”). As well as the exemptions, there are updated filing templates for those still falling outside the exemptions, and a reminder that consent and contractual/other measures remain a requirement for CBDTs.
New Exemptions for Certain CBDTs
As a recap, the relevant routes to legitimise CBDTs are: (1) CAC Security Assessment, (2) China SCCs Filing, and (3) CAC Certification (together, “Legitimising Routes”). Under the Guidelines, certain exemptions have now been introduced, meaning the following CBDTs are exempted from having to follow any one of the Legitimising Routes (“Exempted Transfers”):
- Collection outside of Mainland China: the personal data being transferred outside of Mainland China was originally collected and generated outside of Mainland China and thereafter imported back into Mainland China, and the processing of such personal data within Mainland China does not involve any personal data or important data that is collected from or generated in Mainland China;
- Cross-border HR management: the transfer is necessary for implementing cross-border human resource management in accordance with legally formulated employment policies and procedures or legally executed collective contracts. This is subject to a “necessity” test (see below);
- Cross-border contract: the transfer is necessary for concluding or performing a contract between the data subject and the data controller (e.g. those contracts that relate to cross-border shipping, logistics, remittance, payments, bank account opening, flight and hotel booking, visa applications, examination services etc.). This is subject to a “necessity test” (see below);
- Emergency situation: the transfer is necessary for protecting the life, health or property security of any natural person under emergency circumstances; or
- Volume threshold: the transfer falls below a specified volume threshold (see below).
Do we still need to obtain separate consent and put in place other measures for CBDTs?
Yes, the exemptions only apply to the Legitimising Routes. The other requirements for CBDTs under the Mainland China data laws must still be complied with, namely:
- clearly describe the CBDT in the privacy notice, and obtain separate, explicit data subject consent to the cross-border data transfer (as well as the general consent to data processing etc.); and
- put in place appropriate contractual and other measures (e.g. due diligence, TOMs, DPIA) to protect the data to the appropriate standard when processed outside of Mainland China.
What is the “Necessity Test”?
Exempted Transfers 2 (cross-border HR management) and 3 (cross-border contracts) above rely on a “necessity” test. This means the organisation must prove that the CBDT is necessary in order for the exemption to apply. However, it remains unclear as to what would constitute a necessary basis for the cross-border transfer of personal data. For example:
- Will overseas transfers of personal data within global companies where IT services are procured at a group level be a satisfactory reason for the CAC?
- When it comes to the contractual necessity exemption, the Guidelines require the data subject and data controller to be direct contracting parties, but do not provide for situations where the contracting party is an organisation rather than an individual (e.g. in corporate customer situations).
What are the Volume Thresholds?
If the above Exempted Transfers are not applicable, or are only partly applicable (after deducting the number of data subjects to which any of the above Exempted Transfers would apply):
- CAC security assessment (i.e. full CAC approval) is required where:
  - important data is processed – the list of important data examples will be published by the CAC in due course;
  - non-sensitive personal data of 1 million data subjects or more is transferred overseas; or
  - sensitive personal data of 10,000 data subjects or more is transferred overseas.
- China SCCs filing is required where:
  - non-sensitive personal data of between 100,000 and 1 million data subjects is transferred overseas; or
  - sensitive personal data of fewer than 10,000 data subjects is transferred overseas.
- None of the three Legitimising Routes is required – i.e. it is an Exempted Transfer (see above) – where non-sensitive personal data of fewer than 100,000 data subjects is transferred overseas.
For the purposes of calculating the above volume thresholds, the relevant period is one year, counted from 1 January of the year in which the calculation is conducted.
For the third Legitimising Route – namely the CAC Certification route – there remains uncertainty around its applicability. It was previously thought to cover largely CBDTs by non-China data controllers. However, it is not now mentioned in the Guidelines, and indeed the Guidelines seem to have covered most data processing scenarios and data volumes in any case. As such, further guidance is awaited on whether the CAC Certification is now just a voluntary compliance measure (e.g. for non-China data controllers) or an alternative to the other Legitimising Routes.
What about CIIOs?
The Exempted Transfers do not apply to organisations designated as Critical Information Infrastructure Operators (“CIIOs”). CIIOs must in any case undergo a CAC Security Assessment to transfer or access data outside of Mainland China – regardless of the data category, data volume or data processing activity to be undertaken.
What if the Exempted Transfers do not Apply to My Organisation?
Along with the Guidelines, the CAC has also updated its template assessment and filing documents for the CAC security assessment and SCCs filing routes. In particular, these new templates reflect very specific requirements that the CAC expects in terms of drafting and formatting applications and filings. As such, any organisation that has drafted but not yet submitted its assessment application or PIIA, or SCCs filing PIIA, must now use the new templates.
In addition, a central submission platform has been set up. It is anticipated that only new submissions will need to be made via the platform. Organisations that have already submitted assessments or filings may continue to contact their designated case officer.
Practical Next Steps
- Reconsider your Legitimising Route, or whether an Exempted Transfer applies, by:
  - Checking internally whether your organisation has been informed by any authorities that it is designated as a CIIO, or if it processes important data (per the official list to be released in due course).
  - Identifying any provincial nuances or exceptions to the CBDT requirements that may apply to your organisation (e.g. the Greater Bay Area Standard Contract, or Free Trade Zone rules that may be published etc.).
  - Identifying whether your organisation’s CBDTs qualify as an Exempted Transfer. If so, this volume of data may be carved out from the overall volume calculation.
  - Classifying your data to map out the categories of non-sensitive personal data and sensitive personal data.
  - Calculating in parallel the relevant volume of non-sensitive personal data and sensitive personal data being transferred overseas, and thereafter identifying the applicable Legitimising Route.
- Organisations which have yet to make any submissions to the CAC should now consider internally whether they fall within any of the Exempted Transfers. Those that cannot rely on the Exempted Transfers, or can only partially rely on them, should determine whether they are transferring sensitive personal data and, if so, the necessity of doing so, as this would impact the route chosen for legitimising CBDTs.
- For organisations whose submission (whether CAC security assessment or SCCs filings) is already with the CAC for review, it is recommended to consider getting in touch with your relevant designated case officer to understand the status of the assessment or filing and whether it may be withdrawn if the Exempted Transfers conditions are met.
Please contact Carolyn Bigg (Carolyn.Bigg@dlapiper.com), Amanda Ge (Amanda.Ge@dlapiper.com), or Venus Cheung (Venus.Cheung@dlapiper.com) if you would like to discuss what these latest developments mean for your organisation.