Increased regulatory focus on data security protection in recent years has brought about discussions regarding compliance when multinational companies transfer data out of China. Compared with two years ago when China enacted the Personal Information Protection Law (PIPL), the regulatory regime for cross-border data transfers (CBDT) is now clearer and more sophisticated, though uncertainties remain in some key areas.
In the first half of 2023, there has been progress on how businesses can conduct outbound data transfers – the Cyberspace Administration of China (CAC; China’s national data security regulator) has granted approvals on security assessments and standard contracts relating to outbound data transfers. Amid such regulatory developments, there are a few things businesses should bear in mind:
- Despite the emphasis on national security, the increased clarity of CBDT regulations is aimed at ensuring that the CBDT framework does not undermine business confidence or economic goals.
- Concerns about cumbersome CBDT processes deterring investment will not prevent the gradual tightening of enforcement. Persistent ambiguity on issues like the definition of critical data will continue to contribute to compliance challenges.
- Regulators as of mid-2023 are still at an early stage of building enforcement capacities, with relevant CBDT application reviews likely to remain slow and cautious in the near future.
More regulatory clarity for CBDT compliance
Since the enactment of the Data Security Law (DSL) and the PIPL in 2021, compliance requirements for CBDT activities have been a source of uncertainty and increased operation costs for foreign investors in China, as well as Chinese companies with overseas businesses.
However, over the past two years, there has been increased regulatory guidance provided by the CAC and other sectoral regulators, with the goal of making China’s CBDT governance system clearer for businesses to navigate. As with many other issues, Beijing has tried to strike a balance between national security concerns and the economic benefits of CBDTs, avoiding the imposition of an aggressive blanket regime that pushes for the localisation of all data.
Such a balanced position is evidenced by the establishment of two clearly defined mechanisms to help companies ensure compliance when conducting CBDTs, namely the Outbound Data Transfer Security Assessment (ODTSA) – which applies to transfers involving critical data and large volumes of personal information – and the Standard Contract for the Cross-border Transfer of Personal Information – for transfers of personal data below a certain threshold by non-critical information infrastructure operators (CIIO). After the CAC and its provincial branches issued practical guidelines on the two approaches in July 2022 and February 2023, respectively, multiple companies secured approvals from regulators.
Regional authorities have published these successful approvals in a bid to demonstrate their support of international businesses. The table below shows how Beijing, Shanghai and other eastern coastal provinces have been at the forefront of facilitating both foreign and domestic companies’ CAC reviews. Notably, there is a likelihood that some of these publicly announced cases involved CIIOs or critical data in sectors that are of strategic and economic importance (such as aviation and healthcare). Many experts believe that such cases would have faced difficulties during the ODTSA applications, but their eventual approval demonstrates support from the authorities.
Approval of CBDTs in regions at the forefront of facilitating businesses in CAC reviews
| Region | Summary of progress |
| --- | --- |
| Beijing | Six entities in Beijing – from the healthcare, aviation and automotive sectors – have secured ODTSA approvals as of June 2023. The regional authorities are also working with more than 120 organisations on finalising their applications. In June 2023, the CAC’s Beijing branch approved China’s first standard contract for the outbound transfer of personal data. |
| Shanghai | Shanghai announced in April 2023 that it had received more than 400 ODTSA applications and submitted 60 of them to the CAC after primary review. Two Shanghai-based entities (an automaker and a retailer) secured approvals by May 2023. |
| Zhejiang | Two Zhejiang-based entities in the IT sector obtained ODTSA approvals in May 2023. The CAC’s Zhejiang branch also approved its first standard contract application in July 2023 for an industrial equipment manufacturer. |
| Jiangsu | The CAC’s Jiangsu branch in May 2023 announced that it facilitated China’s first ODTSA approval in the e-commerce sector. |
| Liaoning | The CAC’s Liaoning branch in July 2023 announced that it approved the province’s first standard contract application for a local software service provider. |
Collected by Control Risks from Chinese official announcements as of August 2023
In recent years, there have been national policies to support CBDTs and align them with China’s economic development agendas (such as promoting the integration of the Greater Bay Area and free trade zone development). Guangdong, Hainan, Shanghai and Beijing have in 2022-23 launched various pilot programmes that aim to introduce “whitelist mechanisms” for CBDT or at least reduce the administrative barriers.
However, businesses should understand that the Chinese government will always maintain relatively tight and proactive supervision over CBDT activities. The coming years will see stricter rather than looser standards in the oversight of CBDTs and, even now, not all CBDT applications have been approved. Multiple factors are likely to influence approvals, such as the sensitivity of the sectors and relevant data, the necessity or economic value of the CBDTs, the legal environment of countries receiving the transfer, and the adequacy of documentation.
What is still missing
There are still two critical issues to be further clarified by the regulators in 2023 and beyond – the definition of critical data and the security certification for the cross-border processing of personal information.
The absence of clear definitions of what constitutes “critical data” remains a cause for concern among businesses when it comes to choosing their CBDT approach. The concept of “critical data” was introduced during the 2017 issuance of the Cyber Security Law (CSL), but national guidelines on critical data identification have yet to be finalised as of July 2023 after multiple rounds of review. A leading expert on the National Information Security Standardisation Technical Committee (TC260; the key drafting body for data security technical standards) in May said that the identification guidelines were under final review and would be released in the coming months.
However, as indicated by the expert, the final official definitions of critical data are likely to be broad in scope rather than industry specific (which was the direction taken by previous drafts for comments). In December 2022, the Ministry of Industry and Information Technology announced that following the issuance of broad national guidelines, industrial and provincial authorities would have to develop their own critical data catalogues and conduct data mapping independently within their jurisdictions. Therefore, companies that operate across different regions and sectors could face varied and potentially extensive requirements if the CBDTs they are looking at involve critical data.
There also remains major ambiguity around the third-party security certification mechanism, which has been defined by the DSL as the third pathway for companies to ensure CBDT compliance, especially for small-scale personal data transfers between entities under the same multinational company. Despite the November 2022 rules released by the CAC regarding the mechanism, there has been no publicly announced successful case using the security certification, making it a less preferred choice for companies looking to ensure CBDT compliance. The China Cybersecurity Review Technology and Certification Center, under the State Administration for Market Regulation, is the only known third-party agency that can administer the certification process, and it is unclear if the list will expand in the future.
Forming a practical compliance plan
Despite China’s progress in this area, enforcement of CBDT regulations remains at an early stage, and it is likely that it will take time for regulators and businesses to bring the field to a more sophisticated level. The CAC’s provincial branches, in particular, which are responsible for standard contract filings and the earlier rounds of checks on ODTSA applications, are stretched due to the high volume of applications and their limited resources. The processing period for newly submitted CBDT applications could take months or even more than a year.
For many companies, preparing the application documents for both ODTSA and standard contract filings could be costly and time-consuming, usually requiring back-and-forth communications with the CAC. Businesses also have to explain China’s CBDT regulatory complexities to their overseas counterparts and demonstrate to regulators that sufficient data protection efforts have been taken by both sides. Such communications will continue to be challenging given the increased tensions and disagreements between China and Western countries regarding data security.
It is recommended that companies have a comprehensive understanding of the data involved in CBDTs before deciding on the appropriate compliance pathway. Proactive and early communications with the CAC’s local branches can help companies improve their chances of securing approvals. Most importantly, the preparation of either security assessments or standard contracts usually requires significant involvement from several functions and departments within an organisation. This means that companies will need a robust collaboration mechanism, led by senior management, to be put in place before beginning the CBDT process.