Cross-Border Data Transfer
From September 1, 2022, the rule of Cross-Border Data Transfer will be implemented with specific requirements and descriptions of procedures. It was announced as a draft in 2021. The rule defines that Data Processors should request an assessment from the Cyberspace Administration of China (CAC). Two bodies are responsible for this: the police with MLPS and the CAC with Cross-Border Data Transfer. This is a subordinate rule under the Data Security Law (DSL), with relevant laws such as the Personal Information Protection Law (PIPL). The DSL is different from the GDPR, as it only defines Data Processors, but the goal is similar: to protect personal and important/sensitive information.
Overview of Global Data Security Laws
Data Security Terms
Who should concern?
(1) a data processor who transfers Important Data abroad;
(2) a critical information infrastructure operator (CIIO), or a data processor processing the personal information of more than 1 million individuals, who, in either case, transfers personal information abroad;
(3) a data processor who has, since January 1 of the previous year (2021 here) cumulatively transferred abroad the personal information of more than 100,000 individuals, or the sensitive personal information2 of more than 10,000 individuals, or
(4) other circumstances where the security assessment for the outbound data transfer is required by the State Cyberspace Administration.
E.g. companies have global webserver, HR system, CRM/supply chain/OA system, fileshare etc should concern.
FAQ
Q:
Is the data collected from China?
A:
- data processor is not restricted to entities registered in China. It applies to anyone who provide service to China that collects data from China.
- Intermediate data, not processed in China is not applied
Q:
Define Cross-Border Transfer
A:
- Incl. :
- Server hosted outside of China and company in China input data via client or browser
- Data are stored in China and sending/synchronized to Headquarter, or HQ can read/access the data on demand, but data still hosted in China.
- Hongkong, Macao and Taiwan where required Exit & Entry Administration are all considered to be out of China
- Data Transfer to Rep. Office of foreign companies also apply
Q:
What should companies do? Assessment @CAC OR/AND Personal Information Standard Contract?
A:
The rule presents two options, one being “Assessment,” if all the criteria are met, while the other is the standard contract for personal information. However, the standard contract alone is insufficient for compliance with cross-border data transfer; it only applies when companies transfer personal information and do not meet the conditions of the “Assessment.” On the other hand, the “Assessment” alone is also insufficient; companies must also conclude the standard contract when transferring personal information.
Q:
Who can use standard contract?
A:
(1) a data processor who transfers Important Data abroad;
(2) NOT a critical information infrastructure operator, or a data processor processing the personal information of more than 1 million individuals, who, in either case, transfers personal information abroad;
(3) NOT a data processor who has, since January 1 of the previous year cumulatively transferred abroad the personal information of more than 100,000 individuals, or the sensitive personal information of more than 10,000 individuals, or
(4) other circumstances where the security assessment for the outbound data transfer is required by the State Cyberspace Administration.
Summarize: Data processor who do NOT meet the requirement of assessment.
Q:
Is the standard contract enough without the assessment @CAC?
A:
- NO, the rule means not the standard contract is the only necessary part of the cross-border data transfer. The assessment should still be done if the data processor meets the requirement of the “rule”.
- Vice versa.
- Therefore, we recommend to take both.
Workflow for the assessment process at CAC
Would you like to learn more about our cross-border data transfer service?
You can make an appointment with us for an on-site discussion, or we can come to your company for an on-site inspection, to jointly explore your security needs.