Following the promulgation of the Personal Information Protection Law (the "PIPL") in November 2021, a series of regulations have been issued by the PRC Government with an aim to establish a sound regulatory regime for the protection and transfer of personal information. Specifically with respect to the outbound transfer of personal information below certain thresholds, the Cyberspace Administration of China (the "CAC") issued the Measures on the Standard Contract for Outbound Transfer of Personal Information (the "Measures") in February 2023. The Measures elaborated on the regulatory requirements for the entering into and filing of the standard data transfer agreement (the "DTA") and for the preparation of the personal information protection impact assessment report (the "DPIA Report"). Specifically, the filing of the executed DTA and the DPIA Report with the local CAC by 30 November 2023 is one of the possible tracks that onshore companies may follow in order to transfer onshore personal information offshore (the "DTA Filing Track"). There are also two other tracks for the cross-border transfer of personal information (namely, data transfer security assessment and personal information protection certification). However, for multinational corporations ("MNC") in the PRC dealing with a small volume of personal information, the DTA Filing Track would be the one to follow.
In practice, most MNCs operating in the PRC need to share and exchange data (including personal information) with their foreign headquarters, for purposes such as HR management and supplier and customer management. Some of them filed the executed DTA and the DPIA Report by 30 November 2023, as required by the Measures. However, some MNCs that transfer a small volume of personal information (in particular, employees' personal information only) have not taken any action to follow the DTA Filing Track. This is mainly because of the draft rules published by the CAC in September 2023, which specified certain exemptions from the DTA Filing Track. After months of waiting, on 22 March 2024, the central CAC officially published the Regulations regarding Promoting and Regulating Cross-border Data Flow (the "Regulation"), which crystallise these exemptions.
1. Exemptions officially released
The Regulation became effective immediately upon its publication. It introduced several exemptions for cross-border transfer of personal information which would not be subject to the DTA Filing Track. Such exemptions include, most notably:
(i) Any organisation which is not a critical information infrastructure operator ("CIIO") and has transferred the personal information of fewer than 100,000 individuals (excluding sensitive personal information or important data) from the PRC to offshore since 1 January of the current year.
(ii) Transfer of employees' personal information (excluding important data) offshore where this is necessary for cross-border HR management purposes and is carried out in accordance with employment policies formulated, and a collective employment contract entered into, in accordance with relevant laws and regulations.
(iii) Transfer offshore of personal information that the data processor collected offshore and subsequently transferred into the PRC for processing, provided that the processing did not bring in any onshore personal information or important data.
(iv) Transfer of personal information offshore that is necessary for the entry into or performance of an international services contract where an individual is a contract party, such as cross-border e-commerce, cross-border courier, cross-border remittance, cross-border payments, cross-border account opening, plane ticket purchases, hotel bookings, visa applications and examination services.
If any of the above exemptions applies, an onshore company would not be required to sign the DTA and file the executed DTA with the local CAC.
2. Other requirements to fulfil
The Regulation provides that even if an onshore company can rely on one of the above exemptions to not sign and file the DTA with the local CAC, it will still need to satisfy the following requirements if it wishes to transfer personal information offshore:
- the relevant individuals' separate personal consent still needs to be obtained;
- the DPIA still needs to be conducted and a DPIA Report needs to be prepared (although the DPIA Report does not need to be filed with the CAC, the PIPL requires it to be prepared and kept for internal record for at least three years); and
- other requirements set out in the PIPL still need to be complied with, e.g. sufficient personal information protection measures should be put in place to ensure data security, and the company should report to the regulators in the event of a data security incident.
In addition, if an onshore company is transferring the sensitive personal information of fewer than 10,000 individuals offshore, then it must enter into the DTA, prepare the DPIA Report and file the executed DTA and the DPIA Report with the local CAC, unless it can rely on one of the exemptions available under the Regulation. ("Sensitive personal information" means any information which, if leaked or used illegally, may easily result in harm to an individual's dignity and/or personal or property safety, such as biometric, religious, specific-identity, medical and health, financial account and whereabouts information, and the personal information of children under 14 years old.) This essentially means that if an onshore company were to transfer sensitive personal information relating to individuals other than its employees, and no other exemption were available (e.g. the transfer being for the purposes of an international services contract where an individual is a contract party), then it would likely still need to follow the DTA Filing Track.
3. Next steps
We summarise below the next steps for companies in the PRC that wish to transfer a small volume of non-sensitive personal information offshore and that have not yet completed the DTA Filing Track.
Employees' personal information
If an onshore company were to transfer only the personal information of its employees offshore, then it may be able to rely on exemption (ii) set out above, in which case it would not be required to follow the DTA Filing Track. However, such a transfer needs to be justified on the basis that it is "necessary" for cross-border HR management purposes and in accordance with the company's employment policies and collective employment contract. Notwithstanding the foregoing, the company would still need to fulfil other requirements under the PIPL, including but not limited to:
(1) obtaining the personal consent of the relevant employees; and
(2) conducting the DPIA and preparing the DPIA Report (but it would not need to file the DPIA Report with the local CAC).
Sensitive personal information
The onshore company will also need to ascertain whether it is transferring any sensitive personal information offshore (other than that relating to its employees). If so, it may still need to follow the DTA Filing Track.
Proceeding with or withdrawing filing application
Together with the Regulation, the CAC also published an FAQ setting out further guidance on how to deal with the DTA filing. In the FAQ, the CAC clarified that a company which submitted its filing application to the local CAC before the date of the Regulation, and which is exempted from the DTA Filing Track under the Regulation, may choose either to proceed with the filing or to withdraw its application from the local CAC.
Authors: Michael Sheng, Office Managing Partner, Shanghai; Derek Wang, Counsel; Chloe Xiang, Associate