Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
Editorial Note: Since the publication of the following article, the Cyberspace Administration of China released “The Provisions on Regulating and Promoting Cross-border Data Flows (draft for comments).” These proposed provisions may, if approved, materially alter the requirements to transfer employee data out of the People’s Republic of China. Littler addresses these new developments here.
* * *
U.S.-based multinationals with employees in the People’s Republic of China (PRC) are confronting a November 30 deadline to implement China’s new cross-border data transfer mechanism—the Standard Contract. This implementation requires not just completion of the standardized data transfer agreement but also completion of a complex transfer impact assessment and submission for approval of these and related documents to the relevant provincial offices of the Cyberspace Administration of China (CAC). This Insight will explain the steps multinational employers are required to take to transfer personal data out of China lawfully.
Cross-border Data Transfers under the PIPL
Since going into effect in 2021, China’s Personal Information Protection Law (PIPL) has required notice to, and the consent of, the data subject when transferring personal information to locations outside of China plus additional steps to be mandated by the CAC. In February 2023, the CAC published the Measures for the Standard Contract for the Export of Personal Information (“Measures”), which established one option for the additional steps required to transfer personal data out of the PRC. This option is a standardized Personal Information Export Standard Contract (“Standard Contract”) supported by a transfer impact assessment and related documents.
Similar to the European Union’s Standard Contractual Clauses (SCCs), the Chinese Standard Contract is a set of standardized contractual terms intended to ensure that personal information transferred to a third country continues to receive a level of protection essentially the same as the protection provided by the PIPL. The Measures provide that an entity in China can utilize the Standard Contract unless it meets one of the following criteria:
- Is an operator of critical information infrastructure (“CIIO”);
- Holds/processes the personal data in China of more than one million individuals;
- Has transferred out of China the personal data of more than 100,000 individuals since January 1 of the previous year;
- Has transferred out of China the sensitive personal data of more than 10,000 individuals since January 1 of the previous year.
Because CIIOs generally will be corporations native to the PRC, such as telecommunications service providers, military contractors, and financial institutions, and in light of the high numeric thresholds, most corporate affiliates in China of a U.S. multinational will qualify to use the Standard Contract to legitimize the transfer of personal data out of the PRC.
Entities in China were required to implement the Standard Contract as of June 1, 2023, for transfers of personal data that commenced for the first time after that date. For data transfers that have been on-going since before June 1, 2023, entities in China must submit the Standard Contract, the transfer impact assessment, and related documents for approval by November 30, 2023.
The Standard Contract versus the EU Standard Contractual Clauses
Like the EU’s SCCs, China’s Standard Contract sets forth obligations between the parties with regard to transparency, data retention, information security, security breach notification, and data subject rights, among other obligations. These obligations mirror the obligations established by the PIPL to ensure that transferred personal data receives the same level of protection outside the PRC as when it is processed locally. As with the EU SCCs, the substantive terms of the Standard Contract cannot be modified.
While the terms of the Standard Contract cannot be varied, the parties are required to complete a description of the transfer. This description must be specific to the transfers for which approval is sought. The description must include the following: (a) the purposes for, and methods of, processing the transferred personal data; (b) the quantity of personal information to be transferred (with reference to the thresholds noted above); (c) the types of personal information and sensitive personal information to be transferred; (d) any identification of third parties that will receive onward transfers from the overseas recipient; (e) the method of transfer; (f) the overseas storage location; and (g) the retention period at that location.
The Standard Contract takes a one-size-fits all approach. The Standard Contract is to be used for transfers between data controllers, from a data controller to a data processor, or between data processors. Consequently, the same burdensome regulatory compliance requirements will apply to both an intercorporate group data transfer as well as a transfer to an HR service provider. We encourage employers to begin the conversation with their service providers to understand how a global service provider plans to implement the Standard Contract.
Transfer Impact Assessment
The PIPL and the Measures both require that the personal information handler (“PI Handler” or “Data Exporter”) conduct a “personal information protection impact assessment” (hereinafter referred to as a “transfer impact assessment” or “TIA” to be more aligned within the context of cross-border data transfers). The TIA requires detailed information about the PI Handler, the Overseas Recipient, and the data transfer, including the following:
- Detailed information on the PI Handler, including information about the corporate structure and the organization’s privacy governance structure;
- Detailed information on the Overseas Recipient or data importer, including the purposes for processing the transferred personal data, the information security safeguards for that data, and the protections established by local law for transferred personal data;
- Information about the technology used by the PI Handler to effectuate the data transfers; and
- Details regarding the scope of the personal information transferred.
Based on this factual information, the parties to the transfer then must assess the potential risks to transferred personal data and identify measures to reduce those risks. The form TIA published by the CAC identifies six areas that the risk assessment must address including, for example, the types, quantity and sensitivity of transferred personal data; the Overseas Recipient’s safeguards for transferred personal data; and the impact of local law on the Overseas Recipient’s ability to fulfill its obligations under the Standard Contract.
U.S. multinationals with multiple subsidiaries in the PRC and/or multiple corporate members in the United States with access to transferred personal data may need to complete multiple TIAs to account for variations across corporate group members. In addition, if employees outside the United States and the PRC will have access to transferred personal data or that data will be stored in other third countries, the U.S. multinational likely will be required to complete additional TIAs to account for variations in the laws of the destination countries.
Filing with the CAC
The CAC requires that the PI handler (i.e., the entity in the PRC transferring personal information overseas) file a copy of the completed Standard Contract and accompanying TIA with the CAC office in the province where the PI Handler is located within 10 working days of the Standard Contract’s effective date. On May 30, 2023, CAC released guidance on how organizations should complete the filing procedure for the Standard Contract (“CAC Guidance”). The CAC Guidance includes a template for each document that must accompany the Standard Contract at the time of filing. These documents include the following:
- Transfer Impact Assessment.
- Power of Attorney, executed by the data exporter’s legal representative, authorizing the named individual to file the Standard Contract on behalf of the PI handler.
- Commitment Letter executed by the PI Handler’s legal representative, representing that the information provided in the filing materials is true and correct and filed within the timing parameters set by the CAC.
Additionally, the filing must include a photocopy of the following documents with an official seal:
- Unified social credit code certificate for the filing entity;
- ID Card of the agent who submits the filing; and
- ID Card of the Legal Representative who signs the Commitment Letter.
Practical Guidance for Filing with the CAC
Where to File
According to the Measures, the Standard Contract and accompanying documents must be filed with the provincial-level CAC. This means that if a multinational company has several Chinese subsidiaries spread across multiple provinces, each legal entity must submit a completed filing to its local CAC. To help guide PI Handlers through the filling process, several provinces, such as Beijing and Shanghai, have issued their own filing guidelines. These provincial guidelines describe the local filing logistics and local contact information. This offers hope that the local CACs will follow the national CAC filing guidelines in general and deviate primarily only in the filing logistics. We do expect local differences with respect to the standard applied when reviewing the documents submitted for approval, however, particularly the most complex document, the TIA.
Timing for the Approval Process
The national CAC guidelines indicate that upon receipt of the filing material, the provincial authority will verify the material within 15 working days and notify the PI Handler of the filing result. Where the PI Handler is required to supplement or complete the filing material, it must do so within 10 working days of receiving a request from the provincial CAC.
There are local variances in the local guidelines in terms of the review timeline, however. For instance, a locale may require two steps of submission, e.g., first electronic version by email and then submission in paper form upon passing the review of the email submission. These variations cast some uncertainty on when a PI Handler is deemed to have met the filing deadline for compliance purposes or when response times begin to run. From a practical standpoint, the PI Handler must take into account the filing logistics in their particular locale and build in some extra time so that all logistical submission requirements are completed by the November 30 deadline.
What happens after filing?
Even though it is called a filing process, the national CAC Guidance suggest that this is, in fact, an approval process. Section III of the CAC Guidance states that the filing result is categorized as a “pass” or “fail.” A PI Handler that has “passed” will be issued a filing number while a PI Handler that has “failed” will receive a “failed” notice with the reason. The CAC Guidance is silent on the standard the provincial authorities are required to apply in determining whether a PI Handler passes the filing. Consequently, companies are left with no answer to the important question of whether the provincial CAC must conduct a substantive review of the content of the filed material, especially the transfer impact assessment, or whether the provincial CAC will check only the completeness of the material against their checklist. At this stage, it seems the CAC is checking carefully whether the transfer impact assessment submitted is responsive to the focus points listed in the government template.
Corporate Group Filing
The Measures and the CAC Guidance are unclear as to how the PI Handler should proceed in a corporate group context where the corporate group members are in different provinces in China. For instance, if the parent corporation is located outside of China, can one subsidiary file on behalf of itself and all other subsidiaries in different provinces in China? Several local CAC guidelines touch on this topic but not in so much detail as to definitively answer this question. For example, both Beijing and Jiangsu provide that if multiple independent legal entities belong to the same group company, the head/lead company can be the one filing the Standard Contract. However, this does not answer whether the head/lead company can submit one filing for all subsidiaries within the same corporate group, regardless of where the subsidiaries are located in China or what to do if the Chinese subsidiaries do not have a direct ownership relationship. In this scenario, it is likely that each subsidiary would be required to submit its own filing in its particular province. As a result, the parent corporation may be required to undertake the burden of preparing and submitting for approval different packets for different provinces, with the risk that each provincial authority will approach and interpret the filing requirements differently.
Wait and See?
Another issue to consider is whether to file now or “wait and see” until closer to late November. These filing requirements are brand new, not just to PI Handlers, but also to the provincial CAC authorities themselves. The filing process is evolving for all involved. A potential risk of filing now is that the CAC will have the time to conduct greater scrutiny than in late November. However, waiting until the last minute may not decrease this risk. It is very well possible that the CAC, with the accumulated experience, may impose additional “de facto” requirements it did not have time to develop and may pull more manpower to handle large volumes of filings. Another challenge associated with waiting to file is the difficulty in anticipating the potential back and forth with the government, given the lack of a “track record” of how the provincial authorities will handle reviews.
Inquiries with the Authority
Consistent with the CAC Guidance, the provincial CAC authorities are not accepting anonymous inquiries about the filing process. Local CAC guidelines all suggest that to ask the CAC a question either by phone or by email, the person inquiring would have to disclose the PI Handler’s identity. As part of the strategic planning, it may make sense to conduct all necessary issue-spotting first and to develop a concise list of questions to limit the number of inquiries to provincial authorities.
Next Steps for Employers with Chinese Subsidiaries
Despite the uncertainty of how the filing process will ultimately roll out at the provincial level, we are certain that given the complexity of the requirements, multinationals with corporate group members in China should start preparing NOW. Compliance will require detailed and time-consuming fact-finding and manpower to prepare all of the required documentation, especially the transfer impact assessment.
To summarize, multinationals with corporate group members in China will need to:
- Ascertain whether they qualify for the Standard Contract option to transfer personal data from China and, if so:
- Conduct a fact-finding process to gather the data needed for the Standard Contract and TIA and identify the applicable local CACs for filing and their filing requirements;
- Prepare and execute the Standard Contract among the relevant legal entities of the multinational;
- Prepare the TIA(s) for the data recipients, including variations as needed for data recipients located in multiple countries; and
- File the Standard Contract and TIA with the applicable local CACs.
- Consult with those service providers that process China personal data on behalf of the employer to determine the service provider’s plan for compliance with the new cross-border data transfer requirements.