China Data Protection Update and Deep Dive (1): Data sharing and cross-border data transfer rules under the Draft Personal Information Protection Law

Am I a (joint) personal information processor, or an entrusted party?

Before discussing the detailed requirements relating to data sharing and data transfer, it is important to first note some key concepts under the Draft PI Protection Law. In particular, the draft law differentiates the respective roles and responsibilities between a personal information processor ("PI Processor") and an entrusted party, which are respectively akin to the concepts of “data controller” and “data processor” under the General Data Protection Regulation ("GDPR") of the European Union. According to the Draft PI Protection Law:

• PI Processors refer to those who independently determine the purposes and means of the processing of personal information. PI Processors are required to agree the purposes, means, categories of personal information, security etc. of data processing with entrusted parties and supervise such entrusted processing; and

• Entrusted parties refer to those who process personal information on instructions of PI Processors, and are required to comply with certain obligations, e.g. processing in compliance with the processing agreement, and returning or deleting data upon the termination of the processing agreement. 

It is also interesting to note that the GDPR concept of joint controllership can also be found in the Draft PI Protection Law, which stipulates that joint PI Processors shall agree on their respective rights and obligations and assume joint liability toward data subjects. Data subjects may however exercise their rights under the Draft PI Law against any joint PI Processor.

How can I share personal information with other third parties?

According to Article 24 of the Draft PI Protection Law, PI Processors who share personal information with third parties are required to inform data subjects of the identity of the third party recipient, contact methods, categories of personal information and purposes and means of processing, and obtain separate consent. 

It is worth mentioning that this is the first time that the concept of "separate consent" is introduced under the draft law. No further elaboration is provided on the specific requirements relating to this "separate consent" but it appears that such consent will need to be separate from the consent required for other processing of personal information by a PI Processor. 

Despite the above, the Draft PI Law provides that consent would not be required in the case of any transfer of personal information in the context of merger or business separation of a PI Processor. Nevertheless, the PI Processor should still inform data subjects of the identity and contact methods of the third party recipient, who is required to continue with the original purposes and means of processing of personal information.

If the third party recipient intends to process the received data for other new purposes or by other means, it will be required to re-inform data subjects and obtain consent.  

Am I subject to the data localisation requirement in China?

The "data localisation" requirement under the current legal regime is set out in Article 37 of the CSL which applies to critical information infrastructure operators (“CIIOs”). In essence, CIIOs are required to store personal information and important data gathered and produced during operations within China. 

Under the new Draft PI Protection Law, in addition to CIIOs, organisations that process personal information reaching certain threshold amounts, as well as state organs processing personal information, are required to store the personal information within mainland China. Although the amount threshold is yet to be designated by the Cyberspace Administration of China ("CAC"), the previous draft Measures on Personal Information and Important Data Export Assessment released in 2017 proposed two types of threshold amounts that could potentially be of relevance in the current context, i.e. where the data involves personal information of over 500,000 individuals; or where the data volume exceeds 1,000GB. However, it remains to be seen whether other threshold amounts will be applied. Once this threshold is determined, this will give greater certainty to entities operating in China as to whether the data localisation requirement might apply to them. 

How can I transfer personal data outside China? 

Organisations subject to the data localisation requirement as elaborated above can only export personal information out of business necessity after passing the security assessment organised by the CAC. Although this appears to be consistent with existing requirements under the CSL and draft regulations and guidance on data export, it does not appear that data exporters may conduct a self-assessment, and the exact requirements of this security assessment would likely be set out in separate implementing rules and regulations. 

For other types of data export due to business necessity, the Draft PI Protection Law introduces three mechanisms that could be relied upon before a data exporter may export personal information out of China: 

(i) obtaining relevant personal information protection certification from professional certification bodies as designated by the CAC; 
(ii) entering into an appropriate agreement with its foreign data recipients to ensure foreign data recipients process personal information in accordance with the standards of the Draft PI Law; or 
(iii) other circumstances as may be provided by laws, regulations or other conditions as may be prescribed by the CAC. 

It is interesting to note that the proposed mechanisms for international data transfer are similar to, yet also different from, the approach under the GDPR. For example, although the "certification" mechanism under (i) appears to be similar to the approved certification mechanism under the GDPR, but the details are yet to be determined. For (ii), it does not appear that the contractual agreement with foreign data recipients will be prescribed by the CAC and this may therefore differ from the approach of "standard contractual clauses" under the GDPR.  Further, (iii) gives the CAC wide discretion to prescribe other mechanisms for data transfer in the future.

Apart from the above mechanisms for data export, all data exporters are required under the Draft PI Protection Law to: 

(i) notify data subjects of the circumstances of transfer and obtain separate consent; 
(ii) carry out risk assessment (akin to the data protection impact assessment under the GDPR);
(iii) maintain record of the relevant processing; and 
(iv) ensure that foreign recipients are not subject to the data export restricted/prohibited list as may be announced by the CAC. 

Similar to the Draft Data Security Law published in July 2020, the Draft PI Protection Law also stipulates that relevant approval should be obtained before exporting personal information for international judicial assistance or administrative law enforcement assistance.  

What to expect next?

Data localisation and cross-border transfer are key considerations for international companies operating in China. The current Draft PI Protection Law appears to introduce a number of positive mechanisms allowing for the cross-border transfer of personal information, as well as codifying principles under current non-binding national standards and adopting concepts and approaches from the GDPR in regulating data sharing activities. However, in the absence of further details on the procedure and implementation of the proposed mechanisms, further clarifications would be most welcome to enable companies operating in China to understand and comply with the new law.