CHINA: new draft guidance on overseas data transfers

China’s PIPL came into force today, and to accompany this, the Cyberspace Administration of China (“CAC”, the key data regulator) has published for consultation draft guidelines to assist organisations grappling with overseas data transfers with some practical guidance on some of the compliance steps that must be taken.

Under the PIPL, certain organisations – or the overseas transfer of certain data categories – require the data controller to undertake a security impact assessment (“SIA”) in addition to the other overseas data transfer steps (notably consent, DPIA/PIIA and meeting one of four conditions for data transfer, one of which is using the new China SCCs and another is undertaking an SIA). The new draft guidelines set out the thresholds and procedures for undertaking an SIA.

Our high level comments on the draft guidelines, and their impact on organisations’ PIPL compliance programmes, are as follows:

  • This is just a draft for consultation at this point. The consultation period runs until 28 November.

  • The draft is in many ways similar to the 2017 and 2019 draft overseas transfer guidelines, which were the subject of intense lobbying. As such, we expect there will be significant lobbying – and a healthy response to the consultation process – and in turn (hopefully) further clarifications by way of a second draft before these are finalised.

  • The key point for businesses to note is that the draft guidelines set out the thresholds which trigger a mandatory SIA for overseas data transfers, namely:

    • the organisation is a critical information infrastructure operator (CIIO) collecting personal information and important data;
    • the transferred data includes important data;
    • the organisation is processing data of over 1 million data subjects and intends to transfer data overseas;
    • the accumulated overseas transfer amount of personal information exceeds 100,000 data subjects or sensitive personal information exceeds 10,000 data subjects; or
    • where otherwise required by the national CAC.

  • The SIA is initially a self-assessment, which will need to be lodged with, and approved by, the local CAC branches. The draft guidelines set out the scope and procedure, as well as timescales. One key point to note is that a copy of the data processing agreement (“DPA”) with the overseas data recipient will need to be submitted with the SIA application, meaning it will need to be bilingual.

  • Unfortunately the following is not clear in the draft:

    • whether it covers internal transfers;
    • whether it covers remote access from overseas;
    • whether in practice it only covers bulk transfers (or whether cumulative transfers are caught);
    • whether the SIA needs to be conducted on a per-transfer basis or per-data controller basis; and
    • whether submitting a copy of the relevant PIPL-compliant DPA with the overseas transferee is by itself sufficient, or whether that DPA also needs to include the new SCCs that were mentioned in the PIPL.

  • Further, the volume threshold seems low, meaning it can easily be reached by many organisations. (This was the subject of most of the lobbying last time).

  • The approval will need to be renewed every two years, or if the scope of the processing changes.