热门搜索：

PIPL 2024: Cross-Border Data Transfer in China Handbook

综合2024-04-30ASIA BRIEFING车***

AI智能总结

PIPL 2024: Cross-Border Data Transfer in China Handbook Summary

Introduction: Importance of Cross-Border Data Transfer Regulations

The global expansion of cross-border data flows has prompted regulatory adjustments worldwide, particularly in China, where the Cybersecurity Law (CSL) and subsequent laws like the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) have tightened controls over data export. These measures are in response to heightened security concerns and align with global standards, such as the European Union's General Data Protection Regulation (GDPR). For multinational corporations operating in China, understanding these evolving regulations is crucial for legal compliance, data security, and business continuity.

Key Data Categories Subject to Cross-Border Data Transfer (CBDT) Regulations

In China, "important data" and "personal information" are the primary data categories subject to CBDT mechanisms. "Personal information" refers to any information related to identified or identifiable natural persons, excluding anonymized data. Unlike GDPR, the PIPL does not cover the personal information of deceased individuals unless accessed by a close relative for lawful purposes. "Sensitive personal information" (SPI) under the PIPL includes biometric data, religious beliefs, specific identities, medical health, financial accounts, and location data, among others. Financial account information is notably categorized as SPI, implying that most business transactions involving payments trigger the processing of SPI.

Current CBDT Mechanisms

Security Assessment by the Cybersecurity Administration of China (CAC): Companies must undergo a security assessment for cross-border data transfers.
Third Party Privacy Impact Assessment (PIA) Certification: Organizations can apply for certification to protect personal information.
Standard Contract Mechanism: Implementing a standard contract that includes privacy impact assessments (PIAs) and adheres to PIPL requirements is an alternative method for CBDT.

Recent Trends and Developments

Easing CBDT Requirements for Foreign Companies: New regulations aim to streamline processes for foreign entities.
Increased Data Volume Thresholds: Higher thresholds for initiating CBDT compliance procedures.
Exemptions for Certain Cross-Border Transactions: Certain transactions involving important data may be exempted from CBDT requirements.
Facilitated Data Flows in Free Trade Zones (FTZs): Enhanced data transfer mechanisms in FTZs.
Extension of Security Assessment Validity Period: Longer validity for security assessments.
Implications for Foreign Companies: The new regulations affect foreign companies' strategies and compliance approaches in China.

2024 Outlook and Regulatory Adjustments

Further Clarity on Legal Definitions: Enhanced understanding of terms like "important data" and "personal information."
Trials for "Green Channels" and "General Data" Lists: Potential for expedited CBDT processes.
Alignment with International Benchmarks: Adapting CBDT mechanisms to meet the standards of the Digital Economy Partnership Agreement (DEPA) and Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP).

Conclusion: Practical Steps for Compliance

Businesses must adopt proactive strategies to navigate China's evolving CBDT regimes. This includes staying informed about regulatory updates, conducting comprehensive PIAs, implementing robust data protection practices, and considering the use of standard contracts. Compliance efforts should prioritize understanding the specific requirements for different types of data and business operations to ensure seamless data management and exchange while adhering to legal and security standards.

PIPL2024 Cross-BorderDataTransferinChinaHandbook ResearchedandAuthoredby VISITUSONFACEBOOK <DezanShira&Associates> <ChinaBriefing> VISITUSONLINKEDIN <DezanShira&Associates> <ChinaBriefing> FOLLOWUSONTWITTER @DezanShira@ChinaBriefing THEDOINGBUSINESSINASIAGUIDESSERIES AvailabletoDownloadNow: DoingBusinessinChinaPortal •ChinaGuide •IndiaGuide •VietnamGuide •ASEANGuide •HongKongGuide •IndonesiaGuide •SingaporeGuide •ChinaSuperCityClusters •DubaiGuide OurlatestonlineDoingBusinessinChinaPortalconsists of100+guides,videos,publications,andtoolsthatarepracticalandeasytonavigate,covering:WhyChina,RegionstoInvest,SectorInsights,HowtoSetup,Tax,AuditandAccounting,HR,Recruitment,PEO,andPayroll,News,Events,andmore. ThiseditionofPIPL2023/24:Cross-BorderDataTransferinChinaHandbookwasproducedbyateam ofprofessionalsatDezanShira&Associates,withQianZhouandArendseHuldaseditors,andNathanielRushforthascontributor.CreativedesignoftheguidewasprovidedbyAparajitaZadooandMiguelEnricoAnciano. ©2024DezanShira&Associates Disclaimer Thecontentsofthisguideareforgeneralinformationonly.Foradviceonyourspecificbusiness,pleasecontactaqualifiedprofessionaladvisor.Copyright2024,AsiaBriefingLtd.Noreproduction,copyingortranslationofmaterialswithoutpriorpermissionofthepublisherispermitted. AboutDezanShira&Associates DezanShira&Associatesisapan-Asia,multi-disciplinaryprofessionalservicesfirm,providinglegal,taxandoperationaladvisorytointernationalcorporateinvestors.OperationalthroughoutChina,IndiaandASEAN,ourmissionistoguideforeigncompaniesthroughAsia’scomplexregulatoryenvironmentandassistthemwithallaspectsofestablishing,maintainingandgrowingtheirbusinessoperationsintheregion.Withover30yearsofon-the-groundexperienceandalargeteamoflawyers,taxexpertsandauditors,inadditiontoresearchersandbusinessanalysts,weareyourpartnerforgrowthinAsia. TableofContents Introduction:Whydoesitmatter?6 WhatdataaresubjecttoCBDTmechanisms?7 PersonalInformation7 ImportantData8 WhatkindofcompanieswillhaveCBDTissues?10 Multinationalsandforeigncompanies10 CriticalInformationInfrastructureOperators10 WhatcountsasCBDTactivities?11 ExemptionsforcertainCBDTactivities12 WhatarethecurrentrulesforCBDT?13 CBDTmechanismI:SecurityassessmentbytheCAC14 Whomustundergoasecurityassessmentforcrossborderdatatransfer?14 Proceduresofadataexportsecurityassessment14 Validityandextensionofsecurityassessment17 CBDTmechanismII:ThirdpartyPIprotectioncertification18 WhocanapplyforthePIprotectioncertification?18 PIprotectioncertificationrequirements19 TheimpactoftheSecurityCertificationStandardsonbusinesses23 CBDTmechanismIII:Signingastandardcontract25 WhocanapplythestandardcontractmechanismforCBDT?25 Pre-condition:ConductingPIPIA25 Whatmustbestipulatedinthestandardcontract?26 Filingproceduresforthestandardcontract27 NewStandardContractGuidelinesStreamlineintheGBA28 Recentdevelopments&trends:EasingCBDTrequirements29 forforeigncompanies IncreaseddatavolumethresholdsforCBDTcompliance29 procedures Easingrequirementsfortheexportof“importantdata”30 Exemptionsforcertaincross-borderdatatransactions31 FacilitateddataflowsinFTZs31 Extensionofsecurityassessmentvalidityperiod32 Implicationsofthenewregulationsforforeigncompanies32 inChina 2024outlookforcybersecurityanddataprotectionregulations34 Moreclarityonlegaldefinitions34 Implementationoftrialsfor“greenchannels”and“general34 data”listsforfreeCBDT FurtheradjustmentstoalignwithDEPAandCPTPP34 benchmarks Conclusion:HowbusinessescandealwithChina’sevolving36 cross-borderdatatransferregimes AppendixI:RegulatoryframeworkforCBDTinChina37 Introduction:Whydoesitmatter? Theglobalsurgeincross-borderdataflowhaspromptedgovernmentsworldwide,includingChina,tointensifyoversightofdataexportandenhancesecurityprovisions.AgainstthebackdropoftheEuropeanUnion’senactmentoftheGeneralDataProtectionRegulation(GDPR),ChinarespondedbyenactingtheCybersecurityLawofthePeople’sRepublicofChina(CSL),introducingrestrictionsondataexport.Subsequentlegislation,suchastheDataSecurityLaw(DSL)andthePersonalInformationProtectionLaw(PIPL),alongwithsupplementaryregulations,havecontinuallyrefinedChina’scross-borderdatatransfer(CBDT)regime. FormultinationalcorporationsthatregularlysenddataoverseasorremotelyaccessdatainChinaaspartoftheiroperations,understandingtheevolvingrequirementsandcriteriaforCBDTisofparamountimportance.CompliancewithChina’srelevantdatalawsisnotonlyessentialforconductingbusinesslegallybutalsocrucialformaximizingdatasecurityandfacilitatingthesmoothflowofdataacrossborders.FailuretoimplementproperCBDTmechanismsmayresultindelayeddatasharing,businessdisruptions,andunforeseenpenalties. Despitecybersecurityanddataprotectionlawsbeingwelldeveloped,China’sregulatorylandscapecontinuestoevolve.In2023,severalnewregulationsspecificallyaddressingdataprotectionandcybersecuritywereintroduced,withaparticularemphasisonCBDT.Additionally,anewregulationhasbeenreleasedinMarch2024,introducingeasingCBDTrules. Thisongoingdevelopmentalphasehascreatedsomeframeworkgaps,makingitchallengi

点击免费查看完整报告