With a Key Deadline Fast Approaching, Now Is the Time to Address Requirements for Data Transfers Outside of China

U.S.-based multinationals with employees in the People’s Republic of China (PRC) are confronting a Nov. 30 deadline to implement a new cross-border data transfer mechanism, the standard contract. This implementation requires not just completion of the standardized data transfer agreement but also completion of a complex transfer impact assessment and submission for approval of these and related documents to the relevant provincial offices of the Cyberspace Administration of China (CAC). 

In late September, the CAC released a set of proposed revisions that would establish a number of exceptions to the requirement to enter into the standard contract, including a potential exception for HR-related transfers. There is no timeline as to when (or if) the HR exception will be passed, and employers would still be required to conduct the transfer impact assessment, though they may not have to file it.

Cross-border data transfers under Chinese law

Since going into effect in 2021, China’s Personal Information Protection Law (PIPL) has required notice to, and the consent of, the data subject when transferring personal information to locations outside of China plus additional steps to be mandated by the CAC. In February, the CAC published the measures that would be required to export personal information, which established one option for the additional steps required to transfer personal data out of the PRC. This option is a standardized personal information export standard contract, supported by a transfer impact assessment and related documents. 

Similar to the European Union’s standard contractual clauses (SCCs), the Chinese standard contract is a set of contractual terms intended to ensure that personal information transferred to a third country continues to receive a level of protection essentially the same as the protection provided by the PIPL. The measures provide that an entity in China can utilize the standard contract unless it meets one of the following criteria:

• Is an operator of critical information infrastructure (CIIO).
• Holds/processes the personal data in China of more than 1 million individuals.
• Has transferred out of China the personal data of more than 100,000 individuals since Jan. 1 of the previous year.
• Has transferred out of China the sensitive personal data of more than 10,000 individuals since Jan. 1 of the previous year. 

Because CIIOs generally will be corporations native to the PRC, such as telecommunications service providers, military contractors and financial institutions, and in light of the high numeric thresholds, most corporate affiliates in China of a U.S. multinational will qualify to use the standard contract to legitimize the transfer of personal data out of the PRC.

Entities in China were required to implement the standard contract as of June 1 for transfers of personal data that commenced for the first time after that date. For data transfers that have been ongoing since before June 1, entities in China must submit the standard contract, the transfer impact assessment and related documents for approval by Nov. 30.

The standard contract vs. the EU standard contractual clauses

Like the EU’s SCCs, China’s standard contract sets forth obligations between the parties with regard to transparency, data retention, information security, security breach notification and data subject rights, among other obligations. These obligations mirror the obligations established by the PIPL to ensure that transferred personal data receives the same level of protection outside the PRC as when it is processed locally. As with the EU SCCs, the substantive terms of the standard contract cannot be modified. 

While the terms cannot be varied, the parties are required to complete a description of the transfer. This description must be specific to the transfers for which approval is sought. The description must include the following: (a) the purposes for, and methods of, processing the transferred personal data; (b) the quantity of personal information to be transferred (with reference to the thresholds noted above); (c) the types of personal information and sensitive personal information to be transferred; (d) any identification of third parties that will receive onward transfers from the overseas recipient; (e) the method of transfer; (f) the overseas storage location; and (g) the retention period at that location.

The standard contract takes a one-size-fits all approach, as it is to be used for transfers between data controllers, from a data controller to a data processor or between data processors. Consequently, the same burdensome regulatory compliance requirements could apply to both an intercorporate group data transfer as well as a transfer to an HR service provider, pending approval of the latest proposal. 

Transfer impact assessment

The PIPL and the measures published in February both require that the personal information handler conduct a personal information protection impact assessment (most often referred to globally as a transfer impact assessment, or TIA). The TIA requires detailed information about the PI handler, the overseas recipient and the data transfer, including the following:

1. Detailed information on the PI handler, including information about the corporate structure and the organization’s privacy governance structure.
2. Detailed information on the overseas recipient or data importer, including the purposes for processing the transferred personal data, the information security safeguards for that data and the protections established by local law for transferred personal data.
3. Information about the technology used by the PI handler to effectuate the data transfers.
4. Details regarding the scope of the personal information transferred.

Based on this factual information, the parties to the transfer then must assess the potential risks to transferred personal data and identify measures to reduce those risks. The form TIA published by the CAC identifies six areas that the risk assessment must address including, for example, the types, quantity and sensitivity of transferred personal data; the recipient’s safeguards for transferred personal data; and the impact of local law on the recipient’s ability to fulfill its obligations under the standard contract.

U.S. multinationals with multiple subsidiaries in the PRC and/or multiple corporate members in the United States with access to transferred personal data may need to complete multiple TIAs to account for variations across corporate group members. In addition, if employees outside the United States and the PRC will have access to transferred personal data or that data will be stored in other third countries, the U.S. multinational likely will be required to complete additional TIAs to account for variations in the laws of the destination countries.

Filing with the CAC

The CAC requires that the PI handler (i.e., the entity in the PRC transferring personal information overseas) file a copy of the completed standard contract and accompanying TIA with the CAC office in the province where the PI handler is located within 10 working days of the standard contract’s effective date. On May 30, CAC released guidance on how organizations should complete the filing procedure for the standard contract, which included a template for each document that must accompany the standard contract at the time of filing. These documents include the following:

1. Transfer impact assessment.
2. Power of attorney, executed by the data exporter’s legal representative, authorizing the named individual to file the standard contract on behalf of the PI handler. 
3. Commitment letter executed by the PI handler’s legal representative, representing that the information provided in the filing materials is true and correct and filed within the timing parameters set by the CAC. 

Additionally, the filing must include a photocopy of the following documents with an official seal:

• Unified social credit code certificate for the filing entity.
• ID card of the agent who submits the filing.
• ID card of the legal representative who signs the commitment letter.

Next steps for employers with Chinese subsidiaries

Despite uncertainty of how the filing process will ultimately roll out at the provincial level and with the proposed exceptions, given the complexity of the requirements, multinationals with corporate group members in China should start preparing now. Compliance will require detailed and time-consuming fact-finding and manpower to prepare all of the required documentation, especially the transfer impact assessment. 

To summarize, multinationals with corporate group members in China will need to:

• Ascertain whether they qualify for the standard contract option to transfer personal data from China and, if so:
  • Conduct a fact-finding process to gather the data needed for the standard contract and TIA and identify the applicable local CACs for filing and their filing requirements.
  • Prepare and execute the standard contract among the relevant legal entities of the multinational.
  • Prepare the TIA(s) for the data recipients, including variations as needed for data recipients located in multiple countries.
  • File the standard contract and TIA with the applicable local CACs.
• Consult with those service providers that process China personal data on behalf of the employer to determine the service provider’s plan for compliance with the new cross-border data transfer requirements.

Philip Gordon, Grace Yang, Morgan Matson, Kwabena Appenteng and Zoe Argento of Littler co-authored this article.