Understand the impact on multinational enterprises since the recent Chinese data privacy law updates
As one of the world’s largest and most dynamic markets, China’s stance toward personal data protection is always at the center of multinational companies’ interests and concerns. In this article, we share the results of our research and learning to help corporate legal counsel teams and entrepreneurs navigate the updates on the China data protection laws.
The three principal regulations, namely the Cybersecurity Law, the Data Security Law, and the China Personal Information Protection Law (“PIPL”), have become essential for businesses that have a local presence and therefore deal with Chinese data.
February 2023 Cyberspace Administration of China final version overview
In February 2023, the Cyberspace Administration of China (“CAC”) issued the final version of the Standard Contract and the Measures for the Standard Contract for the Outbound Cross-Border Transfer of Personal Information (“Measures”), and later the Guidance on Filing for the Standard Contract for Cross-border Transfer of Personal Information (“Guidance”).
Summary of the recent Measures and Guidance
The issuance of the Measures and Guidance gives businesses a clear direction on implementing the Standard Contractual Clauses (“SCC”) mechanism when transferring data across borders, which companies mostly use since it offers flexibility and rapid results. However, to adopt the SCC, the data exporter must satisfy all conditions relating to the type of processed data and the number of data subjects concerned. After fulfilling all conditions, the data exporter needs to conduct a Personal Information Protection Impact Assessment (“PIPIA”) following the Guidance for Personal Information Security Impact Assessment (GB/T 39335-2020), which has been in effect since 2021. Subsequently, the data exporter must file the PIPIA and the executed SCCs with the provincial CAC before the transfer.
February 2023 China Data Privacy Law updates key takeaways:
- Although there is not an explicit approval process, companies have to file the SCCs with local Chinese authorities and the authorities retain the right to review or assess the filed SCCs.
- Compared to the GDPR SCCs, where parties can use their own form of data transfer agreement provided that the SCCs are incorporated into such agreement, the China SCCs are more stringent. Parties cannot change the SCCs; however, they can add supplementary terms that do not conflict with the standard terms in an appendix.
- Chinese law, especially the China Personal Information Protection Law, must be the governing law of the SCCs, unlike the GDPR SCCs, where parties can choose the governing law themselves.
- The overseas data recipients are also subject to the jurisdiction of the CAC. It specifies that the data recipient must agree to be subjected to supervision and management by the CAC, including but not limited to responding to inquiries, cooperating with inspections, following actions and decisions made by the CAC, and providing written proof when required.
China Data Privacy law update impact on compliance for foreign ISP and Multinational companies
Despite these new regulations, multinational companies still need help to ensure compliance in the Chinese market. In particular, foreign Internet Service Providers (ISPs) need to navigate comprehensive and time-consuming processes to operate in China, including, but not limited to, finding the right local Internet provider to partner with, obtaining the necessary Internet Content Provider (ICP) licenses, setting up websites, handling VPNs, and dealing with the Chinese internet censorship system known as the Great Firewall, all while ensuring their compliance with strict China data privacy laws. For more information on the impacts on ISPs, feel free to read my follow-up article.
Some multinational companies, like Dentons, a business-centered law firm, even decided to stop their operations in China to avoid the struggles arising from the China data privacy laws altogether. Dentons entered China by partnering with Dacheng Law in 2015; it decided to make Dacheng fully independent last year. Meanwhile, global enterprises like Apple, Ford, Hyundai, Samsung, and the chip manufacturer TSMC all announced their plans to remove their manufacturing hubs from China. After the new Measures and Guidance, only one China SCC filing case has been made public. It involves a Beijing-based company that transfers personal data related to credit references to Hong Kong.
China outbound data transfer exemptions overview:
Aiming to ease these stringent requirements under the China data privacy laws, the CAC issued the highly anticipated Regulations on Promoting and Regulating Cross-Border Data Flows (“Regulation”) in 2024. The Regulation introduced exemptions for outbound data transfers, which means that data exporters do not need to go through any mechanism to carry out the transfer.
The exemptions are:
- When concluding or fulfilling a contract to which the data subject is a party, for example, cross-border shopping, mailing, payment, etc.
- When implementing cross-border human resources management.
- When transferring the personal information of fewer than 100,000 individuals.
- When protecting a natural person’s life, health, and property in an emergency.
- When transferring data that are not personal information or important data.
- When personal information collected and generated outside of China is transmitted to China for processing and then transferred out again, and is not combined with any personal information or important data in China during processing.
This new Regulation is viewed as a positive step: it relaxes current data transfer standards, saving businesses time and money because they no longer need to complete all these complex procedures to transfer their data across borders, especially companies in technology sectors that often rely on cross-border data flows for innovation and service delivery. However, these exemptions do not cover the transfer of “important data,” meaning companies dealing with “important data” still need to comply with the transfer mechanisms regulated by the PIPL. The term “important data” is a longstanding and puzzling issue in China’s approach to data policy. There is no clear definition of this term; it still depends on the decisions of the Chinese authorities. This issue is also raised in the European Position Paper 2023/2024 (“Position Paper”), which, among other recommendations, suggests that Chinese authorities clearly define some phrases, including “important data” and “national security,” and differentiate between critical information infrastructure and non-critical information infrastructure.
Although the Chinese government has tried to make things easier for multinational businesses, it is undeniable that China still prioritizes its national security and public interests; it reduces compliance requirements for companies while continuing to allow the authorities to change key definitions, namely the definition of “important data,” which is used quite often in the China personal information protection laws. Therefore, multinational businesses are cautiously optimistic regarding these new regulations but remain vigilant about the practical implications. It is also essential to strengthen the dialogue and cooperation between China and its key partners, like the European Union, to identify common ground and alleviate data-related operational burdens, which would provide many advantages for multinational companies.
It is recommended that multinational companies work closely with the competent Chinese authorities and follow their guidelines on China data protection laws. They must also understand their processing activities and apply the correct mechanisms to ensure compliance.
China cross border data transfer overview
[Illustration: the different responsibilities that multinational companies have to take into account in case of cross-border data transfer]
Conclusion:
The Position Paper (see reference 13 for more information) recommends that companies handling their operations in China maintain strong communication between their headquarters and China operations, integrate foreign and Chinese staff to acquire inside knowledge relating to the China data protection laws, and establish a “decoupling team” to evaluate costs related to localization and disconnection from global systems.
References:
1. China eases requirements for cross-border data transfers
2. Unpacking the China data laws
3. China’s standard contract for the outbound cross-border transfer of personal information is in effect
4. China released new regulations to ease requirements for outbound cross-border data transfers
5. China’s New Standard Contractual Clauses and impact on data-intensive businesses
6. Dentons quits operations in China due to incoming data regulations
7. First-ever China SCC filing case made public
8. Challenges and Solutions for European Businesses in China: Insights from the EU Chamber’s Position Paper 2023/2024
9. China cybersecurity and data protection Regulations - 2023 and 2024 outlook
10. China’s Standard Contract Measures for Personal Information Export - Additional Guidelines Released
11. China’s new approach to data policy: Here to stay or Here for now?
12. China standard contract that impacts transferring personal information from China
13. European Business in China Position Paper 2023/2024