On September 28, 2023, the Cyberspace Administration of China (“CAC”) issued a Draft Rule on the Regulation and Facilitation of Cross-Border Transfer of Personal Information (the “Draft Rule”). The Draft Rule seeks to streamline the security requirements pertaining to cross-border transfer of personal information under certain circumstances. The Draft Rule is open for comments from the public until October 15, 2023.
The Personal Information Protection Law (“PIPL”) introduces several conditions for cross-border transfer of personal information, including filing for a mandatory security review with the CAC, obtaining the personal information protection certificate, executing the PIPL Standard Contractual Clauses (“SCCs”), or fulfilling other statutory or regulatory requirements. The Draft Rule attempts to ease the regulatory oversight in the following situations:
(a) Non-personal information or non-“important data” generated or derived from (i) international trade, (ii) academic collaboration, (iii) cross-border manufacturing and (iv) marketing activities;
(b) Personal information that is not generated or derived from China;
(c) Mandatory provision of personal information as required in the performance of contractual obligations, such as cross-border purchases, cross-border money transfers, reservations of flights and hotels, visa applications, etc.;
(d) Mandatory provision of personal information of employees in accordance with relevant labor laws and regulations and collective contracts for human resources administration;
(e) In cases of emergencies where it is necessary to provide personal information for protection of lives and properties of individuals;
(f) Personal information of fewer than 10,000 data subjects intended to be provided across borders within one year (though consent of data subjects is nevertheless required for such transfer); and
(g) Data that is not listed under the “Negative List.”[1]
The foregoing draft provisions could potentially resolve challenges for life sciences companies with manufacturing operations in China and for companies that are required to transfer patients’ personal information across borders in a global clinical trial setting.
If companies intend to transfer across borders the personal information of 10,000 data subjects or more but fewer than 1,000,000 data subjects within one year, they will need to enter into PIPL SCCs with the party that is intended to be the data recipient or processor and file the PIPL SCCs with the relevant local CAC. The recipient may also seek to obtain the certification under the PIPL. Filing for the CAC’s security review is not required under the foregoing circumstances. The mandatory security review applies only to offshore transfers of the personal information of over 1 million data subjects within one year.
It is worth noting that the CAC has been working on a catalogue that defines “important data” in order to guide companies in the security review process. By way of background, “important data” is defined as any data that may endanger China’s national security, economic operation, social stability, public health or public security, if it is tampered with, destroyed, leaked, or illegally acquired or used. The Draft Rule took a different approach. It allows the CAC to determine what “important data” entails on a case-by-case basis. Unless a personal information controller is notified by the CAC that it has been processing “important data,” the personal information controller can refer to the above situations and decide how to comply with the cross-border data transfer requirements.
While the proposed Draft Rule can be conducive to businesses with a global operation, it remains to be seen how the Draft Rule will be finalized. The contents of the Negative List and the scope of important data remain quite ambiguous. We encourage business organizations to provide comments to the CAC in order to clarify some ongoing ambiguity during the security review process.
1. The Draft Rule proposed a “Negative List” concept pursuant to which Free-Trade Zones in China are enabled to formulate a list of data that are subject to the PIPL cross-border transfer requirements. Data that do not fall under the Negative List will not be exempted from the stringent requirements.