China simplify international data exchange

The regulations provide six cases where a data processor is exempt from the obligation to conduct a security assessment for cross-border personal data transfer, conclude a standard contract for outbound transfer of personal information, or perform a personal information protection certification. However, a Personal Information Protection Impact Assessment Report (PIPIA) is still required before cross-border transfer of personal information.

In two specific cases, a data processor must undergo a security assessment by the CAC. The security assessment result is valid for three years and can be extended if the data processing circumstances for cross-border data transfer remain unchanged.

Pilot free trade zones may develop their own negative lists for data transfer, setting out the data which are subject to cross-border security assessment, conclusion of standard contract for outbound transfer of personal information, or personal information protection certification.

The regulations also repeat that a data processor shall identify and report “important data” according to the relevant regulations. But if there are no regulations which define certain data as important data, a data processor need not conduct a security assessment for cross-border data transfer.

The regulations will push the relevant departments or regions to accelerate the process for identification and defining of important data.

The updated security assessment guide and standard contract guide stipulate an official online channel for security assessment and standard contract filing.

Overseas entities processing personal information of Chinese domestic natural persons are also regarded as conducting cross-border transfer of personal information. In this case, overseas entities must establish a special agency or designate a representative in China to fulfil the personal information protection compliance requirements under Chinese laws and regulations.

With the implementation of the eased compliance requirements under the regulations, many foreign invested enterprises are released from filing and review formalities with CAC. However, they must continue to observe other relevant obligations when providing personal information or other data to abroad.

To enjoy the eased requirements, foreign invested enterprises should avoid transferring sensitive personal data overseas. The CAC may strengthen the supervision before, during or after the cross-border transfer of data. In case of refusal to correct or in case of severe consequences, the authorities may pursue corresponding legal liabilities for the enterprise concerned or the responsible person(s) based on Chinese laws and regulations.

Companies operating in China should now commence a more detailed data protection related “health check” to identify at an early convenience whether and if yes, which actions are recommendable in their individual case.