Data ProtectionPrivacy

News rules on cross border data transfers from China

There have been significant developments on cross-border transfers of personal data and “important data” from China and here is a summary of the current status.

According to the current regulatory framework, to transfer or access personal data outside of Mainland China, organizations must:

  • obtain explicit (separate) consent from data subjects;
  • complete a personal information impact assessment (similar to a GDPR DPIA) for each such transfer; and
  • put in place a data processing agreement with the recipient of the data.

The most relevant change is that each organizations must now also work out which of the four routes for legitimizing cross-border transfers of China data each relevant data controller entity within an organization will need to take, and follow the relevant steps for each route.  The four viable options are:

  1. Obtaining a certification from the Cyberspace Administration of China (CAC);
  2. Adopting the Chinese Standard Contractual Clauses (SCCs);
  3. Performing a CAC security impact assessment; or
  4. Implementing other mechanisms, such as those for certain regulated industries).

All these options involve to a different extent data mapping, repapering of DPAs (likely to include SCCs in options 1 to 3), and engagement with the regulator (CAC and/or industry regulators), in one form or another.

The relevant option for an organization will vary depending on factors such as the identity and location of the data controller, the nature of the data being transferred, the volume and type of data, the operations of the organization in Mainland China and other factors.  The key is that all organizations must select one of the approved approaches, and take steps to comply, by 1 March 2023.

The new rules apply to both personal data as well as the so-called “important data”.  As such, the data mapping and assessment will need to encompass certain non-personal data as well.

Our DLA Piper China colleagues created a decision tree to support organizations to assess and decide the relevant route and are also preparing roadmaps/toolkits for each of the four options to help organizations implement them.

You can read more on the topic in the following articles from our DLA Piper China colleagues “China: Draft SCCs Released – Time to Focus on Overseas Data Transfers” and “CHINA: Cross-border data transfers – what are your options?“.

On a similar topic, you can read the article “Do you have a data transfer impact assessment methodology based on the Schrems II decision?“.

Photo by Christian Lue on Unsplash

Don't miss our weekly insights

Show More

Giulio Coraggio

I am the location head of the Italian Intellectual Property & Technology department and the global co-head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our client's success.

Related Articles

Back to top button