10 practical tips for standard contracts under China's tightened data protection laws

published on 10 May 2023 | reading time approx. 5 minutes
 
 
This article is the third part of the article series Cross-border Data Transfer in China and is dedicated to 10 practical tips for standard contracts under China's tightened data protection laws.
 

 

Data protection and security compliance remains a major challenge for the majority of foreign-invested enterprises operating in China in 2023. The reasons for this are manifold and range from ignorance of the relevant regulations and unclear or incomplete rules to a lack of practical experience in applying the relevant provisions. To make matters worse, while the Chinese approach to data protection is quite similar to the regulatory system under the European Union's General Data Protection Regulation (“GDPR”) in some respects, it differs significantly in other important ones.

     

       

This is particularly evident in the area of cross-border transfers of personal data. A comparative look at the corresponding regulations in the GDPR (Chapter V, Articles 44-50) and China's Personal Information Protection Law (“PIPL”, Chapter 3, Articles 38-43) reveals clear differences. One of the most striking is that the state in China takes a much more active role in the respective transfer processes, which can be explained above all by its pronounced focus on security. This preventive state control concerns not only the security assessment required under certain circumstances, but even data transfers on the basis of a so-called standard contract according to Article 38(1)(3) PIPL.

 

In a previous article, we presented in detail the relevant draft of Provisions on the Standard Contract for Outbound Cross-Border Transfer of Personal Information (Provisions). The Cyberspace Administration of China (CAC) has now finalised the Provisions and promulgated them on 22 February 2023. Effective 1 June 2023, the Provisions will bindingly regulate the cross-border transfer of personal information based on the standard contract prescribed by the CAC. As the final Provisions are essentially the same as the previous draft, we would like to draw the attention of affected companies to the aspects we consider particularly important. 


Standard contract for cross-border data transfer – 10 important practice tips

Applicability of the standard contract as a legal basis for data transfers abroad

A first important point concerns the applicability of the standard contract as a legal basis for data transfers abroad. Indeed, the standard contract can only be used insofar as the transfer does not have to go through a prior security assessment by CAC. Therefore, it must be thoroughly checked in advance whether the thresholds mentioned in the Provisions are fulfilled and also not circumvented by artificially splitting the amounts of data transferred.

 

Comprehensive data protection impact assessment

The conclusion of a standard contract alone is not sufficient to transfer personal information from China abroad in a legally compliant manner. A comprehensive data protection impact assessment must always be carried out, documented and kept for at least three years. Regarding the required minimum content of the impact assessment, companies should primarily follow the Provisions. In addition, the (non-binding) standard GB/T 39335-2020 Information Security Technology – Guidance for Personal Information Security Impact Assessment can be consulted.

 

Submission

As indicated above, there are significant differences between European and Chinese data protection regarding the involvement of public authorities in the transfer of data abroad. Unlike in the EU, every (!) standard contract concluded must be submitted to the locally competent department of the CAC together with the associated impact assessment within ten working days of the contract coming into force. This does not constitute an approval procedure, but merely serves to enable the CAC to identify transfer scenarios with a relatively high risk of damage at an early stage and to request the responsible data processors to take corrective action before damage occurs. Many foreign companies will be only partially reassured by the fact that CACs and their employees are also themselves bound by confidentiality obligations under the PIPL and the Provisions. By carefully drafting the data protection impact assessment and using the most general wording possible when completing Annex 1 (“Description of cross-border transfer of personal information”), the risk of unlawful appropriation, use, disclosure, etc. of sensitive data and information can be minimised to a certain extent.

 

Comprehensive overview of all aspects of the data transfer relationship

Data processors based in China should have a comprehensive overview of all aspects of the data transfer relationship with the recipient abroad before entering into the standard contract. It is advisable to consider not only the current circumstances in the contract, but also to anticipate possible future changes that are highly likely to occur in the near future. These can be developments within (e.g. changes in the type or scope of the transferred data, the purpose of processing by the recipient or the storage location abroad) as well as outside the respective contractual relationship (e.g. upcoming changes in the law in the recipient state, security risks that have recently become known in a certain industry or region). This can save company resources that would otherwise be needed to re-conduct the impact assessment, amend or re-enter the contract, and re-submit with the CAC.

 

Instrument to comprehensively regulate the data protection relationship between the data processor in China and the recipient abroad

It is important to note that the standard contract is designed as an instrument to comprehensively regulate the data protection relationship between the data processor in China and the recipient abroad in accordance with Chinese law. As a result, the parties are not free to modify, replace or delete individual clauses of the contract. Such individual agreements are only permissible to the extent that they do not conflict with the binding clauses in the standard contract. Thus, the parties are well advised to take a close look at the indispensable content of the standard contract in order to understand which obligations and liability risks result from it for the respective party and where they still have room for individual case-specific arrangements. However, we do not believe that the mandatory nature of the clauses in the standard contract precludes the extension of the mutual obligations if this results in a higher level of protection for the personal information transferred.


The time the standard contract becomes effective

The Provisions allow companies to transfer personal information to the contracting partner abroad only from the time the standard contract becomes effective. This rule should be seen in the context of another requirement in the Provisions, according to which affected companies are granted a transitional period of six months if they are already transferring personal information abroad in violation of the requirements of the Provisions at the time the Provisions enter into force on 1 June 2023. This means that while affected companies can choose an early effective date, the Chinese government will allow them some time in the first six months (i.e. until 31 November 2023) to implement all measures required under the Provisions.

 

Consent

Individuals whose personal information is to be transferred abroad from China must in any case have given their prior consent to the transfer. This consent must be given in addition to a general consent to processing of their personal information. If the separate consent is missing, this generally leads to the unlawfulness of the cross-border transfer. In particular, the lack of consent cannot be replaced by the conclusion of the standard contract. Here, another significant difference between PIPL and the GDPR becomes apparent, as the latter requires the consent of the data subject specifically for the cross-border transfer only in exceptional cases, should there be no adequacy decision of the EU Commission or appropriate safeguards (which also include the EU standard contractual clauses).

 

General requirements for data processing

In contrast, in the case of a cross-border transfer based on a standard contract under Chinese law, similar to the GDPR, the general requirements for data processing must also be fulfilled, such as compliance with the general processing principles, the information of data subjects or the adoption of technical and organisational protection measures. However, the requirements known from the GDPR should not be transposed blindly, as there are indeed substantive differences to the legal situation in China, for example with regard to the permissible grounds for data processing.

 

Liability

The strict application of the standard contract between the parties, as described above, is particularly relevant with regard to the question of liability. This is because according to the standard contract, the parties are liable to damaged data subjects as joint and several debtors with the possibility of internal recourse. Thus, it cannot be agreed that one party is initially liable exclusively to the injured person in every or in certain cases, as the latter has a right of choice in this respect. However, it should be permissible to define the subsequent internal compensation in more detail according to the parties' specific situation.

 

Form of dispute resolution

Finally, we would like to point out that although Chinese law is mandatory for the standard contract, the parties have some flexibility in choosing the form of dispute resolution. Indeed, the standard contract grants the parties the choice between proceedings before Chinese People's Courts or, alternatively, arbitration before the China International Economic and Trade Arbitration Commission (CIETAC), the China Maritime Arbitration Commission (CMAC), the Beijing Arbitration Commission (BAC), the Shanghai International Arbitration Center (SHIAC) or another arbitral institution of a member state of the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards. Among the general pros and cons of judicial dispute resolution versus arbitration, the relative freedom of the parties in appointing an arbitral tribunal could be particularly advantageous here. This is because it allows the parties to appoint arbitrators who are familiar with the data protection regulations and conditions in the recipient country, especially in the EU. Chinese courts, on the other hand, will usually have to obtain costly expert opinions in order to provide a sufficient basis for a decision on the dispute. This is very likely in the case of disputes arising from the standard contract, as the latter contains explicit rules on the impact of personal data protection regulations in the country or region of the foreign recipient on the performance of the standard contract.
