PIPL 2024
Cross-Border Data Transfer in China Handbook

This edition of PIPL 2023/24: Cross-Border Data Transfer in China Handbook was produced by a team of professionals at Dezan Shira & Associates, with Qian Zhou and Arendse Huld as editors, and Nathaniel Rushforth as contributor. Creative design of the guide was provided by Aparajita Zadoo and Miguel Enrico Anciano.

© 2024 Dezan Shira & Associates

Disclaimer
The contents of this guide are for general information only. For advice on your specific business, please contact a qualified professional advisor. Copyright 2024, Asia Briefing Ltd. No reproduction, copying or translation of materials without prior permission of the publisher is permitted.

About Dezan Shira & Associates
Dezan Shira & Associates is a pan-Asia, multi-disciplinary professional services firm, providing legal, tax and operational advisory to international corporate investors. Operational throughout China, India and ASEAN, our mission is to guide foreign companies through Asia’s complex regulatory environment and assist them with all aspects of establishing, maintaining and growing their business operations in the region. With over 30 years of on-the-ground experience and a large team of lawyers, tax experts and auditors, in addition to researchers and business analysts, we are your partner for growth in Asia.

Table of Contents

Introduction: Why does it matter?
What data are subject to CBDT mechanisms?
Personal Information
Important Data
What kind of companies will have CBDT issues?
Multinationals and foreign companies
Critical Information Infrastructure Operators
What counts as CBDT activities?
Exemptions for certain CBDT activities
What are the current rules for CBDT?
CBDT mechanism I: Security assessment by the CAC
Who must undergo a security assessment for cross-border data transfer?
Procedures of a data export security assessment
Validity and extension of security assessment
CBDT mechanism II: Third party PI protection certification
Who can apply for the PI protection certification?
PI protection certification requirements
The impact of the Security Certification Standards on businesses
CBDT mechanism III: Signing a standard contract
Who can apply the standard contract mechanism for CBDT?
Pre-condition: Conducting PIPIA
What must be stipulated in the standard contract?
Filing procedures for the standard contract
New Standard Contract Guidelines Streamline in the GBA
Recent developments & trends: Easing CBDT requirements for foreign companies
Increased data volume thresholds for CBDT compliance procedures
Easing requirements for the export of “important data”
Exemptions for certain cross-border data transactions
Facilitated data flows in FTZs
Extension of security assessment validity period
Implications of the new regulations for foreign companies in China
2024 outlook for cybersecurity and data protection regulations
More clarity on legal definitions
Implementation of trials for “green channels” and “general data” lists for free CBDT
Further adjustments to align with DEPA and CPTPP benchmarks
Conclusion: How businesses can deal with China’s evolving cross-border data transfer regimes
Appendix I: Regulatory framework for CBDT in China

Introduction: Why does it matter?

The global surge in cross-border data flow has prompted governments worldwide, including China, to intensify oversight of data export and enhance security provisions. Against the backdrop of the European Union’s enactment of the General Data Protection Regulation (GDPR), China responded by enacting the Cybersecurity Law of the People’s Republic of China (CSL), introducing restrictions on data export. Subsequent legislation, such as the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), along with supplementary regulations, has continually refined China’s cross-border data transfer (CBDT) regime.

For multinational corporations that regularly send data overseas or remotely access data in China as part of their operations, understanding the evolving requirements and criteria for CBDT is of paramount importance. Compliance with China’s relevant data laws is not only essential for conducting business legally but also crucial for maximizing data security and facilitating the smooth flow of data across borders. Failure to implement proper CBDT mechanisms may result in delayed data sharing, business disruptions, and unforeseen penalties.

Despite cybersecurity and data protection laws being well developed, China’s regulatory landscape continues to evolve. In 2023, several new regulations specifically addressing data protection and cybersecurity were introduced, with a particular emphasis on CBDT. Additionally, a new regulation was released in March 2024, easing CBDT rules.

This ongoing developmental phase has created some framework gaps, making it challengi