Cross-border data transfer mechanism in China and practical steps to take – Lexology

Review your content’s performance and reach.
Become your target audience’s go-to resource for today’s hottest topics.
Understand your clients’ strategies and the most pressing issues they are facing.
Keep a step ahead of your key competitors and benchmark against them.
add to folder:
Questions? Please contact [email protected]
China has witnessed the digitisation of its society at an extremely fast pace over the past five years. In the era of big data, data has become a strategic asset for international and domestic companies in China, and this presents both opportunities and compliance challenges for business organisations. China’s Cybersecurity Law, Data Security Law and Personal Information Protection Law constitute China’s comprehensive legal regime for data protection and cybersecurity and provide specific requirements for data localisation and cross-border data transfers.
Since June 2022, China’s data regulators have issued a series of wide-ranging laws and regulations to provide more details and guidance on the implementation of cross-border data transfer mechanisms. The current available mechanisms for transferring data out of China are:
This article outlines the above three approaches, compares the different application scenarios and discusses what compliance actions companies should consider from a practical perspective.
CAC security assessment
CAC released the Measures for Security Assessment of Cross-Border Data Transfer (Security Assessment Measures) on 7 July 2022 and the Guidelines on Application for Security Assessment of Cross-Border Data Transfers (1st Edition) (Security Assessment Guidelines) on 31 August 2022. Both came into effect on 1 September 2022. According to the Security Assessment Measures and Security Assessment Guidelines, a CAC security assessment is required for cross-border data transfers in any of the following circumstances:
In practice, the following issues should be taken into consideration for the purpose of security assessment:
1) Important data
“Important data” is defined as any data which may endanger China’s national security, economic operation, social stability, public health or public security, if it is tampered with, destroyed, leaked, or illegally acquired or used. The general principle for identifying important data is expected to be industry specific, department specific or region specific and will be further detailed by industry regulators and local authorities.
2) CII
CII is defined as “important network facilities and information systems” in the areas of public communication and information services, energy, transport, water conservation, finance, public services, e-government, national defence, and science and technology, as well as industries in which any damage, loss of function or data leakage may seriously endanger national security, the national economy and people’s livelihoods, or the public interest.
In practice, for those entities which have not been notified by the industry regulator as CII operator, it is highly likely that it will not be perceived as CII. However, it is still necessary to keep abreast of any changes to the definition of CII and communicate with the industry regulator from time to time on the current status.
Please note that Chinese regulators are in the process of finalising the regulations on determining important data and CII, and the final version is likely to be issued in the near future.
3) International data transfers
The Security Assessment Guidelines clarify that international data transfers from China include the following scenarios:
In practice, multinational companies often run shared IT systems or applications where the Chinese subsidiary shares, transfers or grants access to data collected or generated in China. This will be treated as a cross-border data transfer subject to mandatory security assessment if it falls under any of the above scenarios.
4) Documents, process and timeline
In order to initiate the security assessment process, the data exporter in China must work with the foreign data recipient to prepare a large volume of requisite documents, including the self-assessment report, the cross-border data transfer agreement, the application form and any other supplementary information depending on the specific requirements set out by CAC in the Security Assessment Measures and Security Assessment Guidelines.
The CAC security assessment takes about 60 working days, but this may be extended for complicated cases. Possible outcomes notified to the data exporter are that: (i) the assessment was not applicable, (ii) the assessment was passed and data transfer is allowed or (iii) the assessment was not passed and data transfer is not allowed. If the data exporter is not satisfied with the outcome of the CAC’s security assessment, it has the right to apply for a review, the result of which will be final.
The security assessment is valid for two years. The data exporter is required to submit a new assessment upon the expiry of the two year period or in the event of any change affecting data security, such as an extension to the data retention period, a change of control of the foreign data recipient, major changes in the destination country’s data laws and practice, and force majeure.
Any failure under a previous assessment to comply in full with the new rules must be rectified by 1 March 2023.
China SCCs
On 30 June 2022, CAC issued the draft Regulations of Standard Contracts for Cross-border Transfer of Personal Information (draft SCC Regulations), thereby unveiling the long-awaited terms of China SCCs. Under the draft SCC Regulations, a data exporter is allowed to transfer personal data abroad by way of the SCC mechanism if all of the following conditions are satisfied:
The data exporter can only choose the SCC option if all the above criteria are satisfied; otherwise it must go through a security assessment.
The China SCCs share some similarities with the SCCs under the EU General Data Protection Regulation (GDPR). However, unlike the different modules (i.e., C-C, C-P, P-P and P-C) under the GDPR SCCs, China SCCs do not differentiate between scenarios based on the role of the parties. China SCCs also impose specific requirements, including the following:
Security certification
On 24 June 2022, China issued the Security Certification Guidelines on Cross-border Transfer of Personal Data (Security Certification Guidelines), which serve as the standard guidelines nationally. The Security Certification Guidelines apply to the intra-group cross-border transfer of personal data and processing of personal data outside China based on the extra-territorial application of China’s Personal Information Protection Law. An entity based in China, or any foreign data controller’s designated representative in China, can apply for security certification and assume the corresponding liability.
The Security Certification Guidelines share similarities with the BCR under article 47 of the GDPR. Either Security certification under the Security Certification Guidelines or the BCR is one of the mechanisms for cross-border data transfers that are applicable to and must be observed by all members concerned within the same group of companies.
The Security Certification Guidelines incorporate the fundamental principles and requirements applicable to security certification, serving as the basis for carrying out security certification and as compliance guidance for data controllers in the context of the cross-border transfer of personal data.
Security certification also requires a legally binding and enforceable agreement to cover the key terms and conditions of the processing of cross-border data transfers. In addition to the binding agreement, the relevant data controller and data processor must establish a data protection department, appoint a data protection officer, properly conduct a data protection impact assessment and formulate the rules with which the data controller and overseas data recipient must comply in the cross-border transfer of personal data . These rules are similar to binding corporate rules (BCR) , but have Chinese characteristics; for example, the BCR rules do not have to cover the identification of the third country or countries in question, but the Security Certification Guidelines require disclosure of such information.
The Security Certification Guidelines have not yet detailed the procedures for certification. We expect that more details on how to obtain certification will be provided in the near future.
Comparison of the three mechanisms and which one to choose
The three mechanisms are a significant part of the current cross-border data transfer regime in China.
A security assessment is mandatory if any of the required scenarios is met. For instance, if a multinational company is a CII operator, or intends to transfer important data out of China, a security assessment will be the only option. The security assessment may take up to 60 working days or even longer to complete, and has three possible outcomes, which could present uncertainties for the intended data transfer. On the other hand, once passed, the security assessment is valid for two years and so can cover multiple data transfers to the same overseas recipient whilst valid.
As the equivalent in China of BCR under the GDPR, security certification applies to the intra-group transfer by the data exporter located in China. Once passed, security certification applies to all members concerned within the same group of companies. However, the detailed guidance on implementation of the security certification may require more clarity.
The draft SCC Regulations have not been finalised yet. The China SCC regime is expected to have clear advantages because of the greater predictability of contract terms and time/cost efficiencies. However, China SCC terms only apply if a compulsory security assessment is not triggered. Moreover, China SCCs are governed by Chinese law and must be filed with the CAC within the prescribed time. It could be challenging for overseas recipients to address the differences between the China SCC and their existing SCCs.
The following diagram illustrates the cross-border data transfer mechanism applicable in different scenarios:

Practical takeaways
Now that a new international data transfer mechanism is in place, business organisations are highly recommended to take appropriate compliance actions to facilitate cross-border data transfers. Although compliance requirements for each multinational company may vary on a case-by-case basis, the below requirements should serve as a general reference:
add to folder:
If you would like to learn how Lexology can drive your content marketing strategy forward, please email [email protected].
Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR)
© Copyright 2006 – 2022 Law Business Research



Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top