Doing business in China in a time of geopolitical tension and post-COVID recovery means meeting China's growing data compliance requirements while keeping your company's and your clients' data secure.
2023: China further raises the bar on data export from China
With the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information taking effect on 1 June 2023, China's legislation on data export has again raised the bar. Together with the 2017 Cybersecurity Law, the 2022 cross-border Data Transfer Guidelines, the 2021 Personal Information Protection Law and the 2021 Data Security Law, it constitutes China's current data export legislation (the "China Data Export Laws").
Unlike the GDPR, which allows transfers on the basis of adequacy decisions granted to countries or regions outside the EU, China's data export mechanism is authority-driven: the local office of the Cyberspace Administration of China (the "CAC") either conducts a case-by-case security assessment or accepts a standard contract filing under the China Data Export Laws. Whichever approval category your entity falls into, China's approach means that the burden of obtaining the respective approval from the CAC rests on each entity individually.
In which scenarios is your entity subject to the CAC security assessment?
According to the China Data Export Laws, a CAC security assessment is required for cross-border data transfers in ANY of the following circumstances:
- Cross-border transfers of “important data”
- Cross-border transfers of personal data by critical information infrastructure (CII) operators
- Cross-border transfers by a data exporter that processes the personal data of 1 million or more individuals
- Any transfer (in aggregate) of the personal data of more than 100,000 individuals or the sensitive personal data of more than 10,000 individuals that has occurred since 1 January of the preceding year
- Other situations requiring security assessment in accordance with PRC laws and regulations
In which scenarios is your entity subject to the CAC standard contract filing?
According to the China Data Export Laws, if your entity needs to transfer personal information across the border but does not reach the security assessment thresholds, it is required to complete the standard contract filing. Typically, all of the following apply:
- The exporter is not a CII operator
- It processes the personal information of no more than 1 million individuals annually
- From 1 January of the preceding year to date, it has transferred the personal information of no more than 100,000 individuals out of China
- From 1 January of the preceding year to date, it has transferred the sensitive personal information of no more than 10,000 individuals out of China
A data exporter may not split a transfer into smaller volumes in order to stay below these thresholds and avoid the prior standard contract filing.
One point deserves emphasis: before filing, the entity must carry out a personal information protection impact assessment (PIPIA), as the assessment report is one of the key documents supporting the filing.
Legal consequences of NOT complying with the Data Export Laws
Before turning to the legal consequences attached to the security assessment and the standard contract filing, two points should be made clear:
- The approval requirements apply not only to foreign-invested companies in China but also to domestic Chinese businesses that transfer data overseas; and
- The CAC has the right to reject your application until your entity meets its requirements, which are applied case by case.
To date, we have seen no more than 10 approved cases in either approval category.
Nevertheless, your entity will face severe legal consequences if it does not comply with China's Data Export Laws. For example:
- Your system or app may be banned from use
- Fines of up to 5% of your entity's annual revenue or up to 50 million RMB
- Suspension of your entity's operations or deregistration of your entity from the business register
Actions required even if you do NOT need an approval
Even if your entity is not required to obtain an approval from the CAC, it must still meet the basic obligations under China's Data Export Laws whenever it moves financial or HR information across the border in the course of managing its China business.
Some basics you need to know when planning to export data out of China:
- Data Inventory Check
The purpose is to establish what data you currently hold, whether any "important data" is involved in your business operations, and whether the volume of data flowing across the border reaches an approval threshold.
- Building up Internal Data Processing Guidelines
The purpose is to draw a "red line" for your Chinese employees when handling financial or HR data flows: specific procedures that define, and require them to follow, the steps for any cross-border transfer of HR or business data.
- Add a China chapter to the privacy policy or cookie policy of your website or system
Although there are some similarities between China's Data Export Laws and the GDPR, there are significant differences between the two legal systems.
To avoid conflicts, we suggest that your website or app includes a dedicated section governing data exported from mainland China.
- IT risk assessments for your WeChat platform or Chinese website
If your entity uses the WeChat platform or a Chinese website to promote its business, we suggest regular IT risk assessments to keep your client data and company data secure.
- Consider outsourcing Data Protection Officer services
Hiring a local data expert to handle day-to-day China data compliance issues saves time and cost now that China is tightening its data export controls.
- Consider data localization and segregating your Chinese system or platform
We understand that deploying a separate system, server or Chinese version of your platform is a burden and a cost for your entity.
In the long run, however, if your entity is prepared to treat its Chinese subsidiary as an isolated external entity from a systems perspective, it can keep the data collected within mainland China localized there.
We can assist clients in deploying a data localization and system segregation strategy that prepares for, and balances, the challenges of cross-border data transfer.
- Our Team
Our team delivers only the best professional services in data security and privacy protection.
- We are experts in regulatory understanding and in building regulatory requirements into your products and services.
- We are familiar with the major technical security tools and apply them across multiple data compliance frameworks.
- We are cross-border experts with both legal and technical backgrounds who understand technical terminology and product design logic.
- We have multinational knowledge and certifications covering ASEAN, Europe, India, and North America. We are qualified and certified compliance professionals holding CEPE L CIPP/E, CIPP/A, HITRUST CCSFP, CDPSE and CISO credentials.
- Our team has an ongoing interest and passion for dedicating our time and resources to researching and following the latest developments in data security and privacy protection regulation. In addition, all our professionals have cross-disciplinary knowledge and practical backgrounds.
If you have further inquiries, please contact grace.chen@1compliance.group