Navigating the fast-evolving personal data protection regime in China

The personal data protection regime in China is scattered yet fast-evolving.  After the Cyber Security Law (CSL) came into effect, the Chinese authorities have released several national standards, draft guidelines and measures putting flesh on the bones.  This alert provides a brief overview of (1) personal data protection; (2) data localization and (3) cross-border data transfer for businesses operating within and outside China.

(1)   Personal data protection

The CSL outlines the key principles and requirements on using, collecting and transferring personal data.  The Information Security Technology-Personal Information Security Specification (PI Specification) provides more guidance on the aspect of practical application.  For instance, it distinguishes “sensitive personal data” (e.g. geographical location and bank account number) from “personal data” and requires explicit consent for collecting and sharing sensitive personal data.  The PI Specification also provides a template privacy policy.

(2)   Data localization

The data localization requirement is already embedded in existing industry-specific regulations.  The CSL further tightens the control over data localization and require certain entities to store personal data and important data collected during their operation on servers within China.  According to The Information Security Technology-Cross-border Data Transfer Security Assessment Draft Guideline (Draft Guideline), the data localization requirement will apply to all network operators.

(3)   Cross-border data transfer

Previously, there was no blanket prohibition or restriction on cross-border data transfer.  The CSL now imposes a security assessment requirement on any cross-border data transfer by critical information infrastructure provider.  The Measures for Security Assessment of Cross-border Transfer of Personal Data and Important Data (Draft Measures) even extends such requirement to cover all network operators and “other organizations or individuals” who collect or generate personal data in China for cross-border transfer.

Self-assessments shall be conducted against all cross-border data transfer, but for instance where the personal data transferred involves more than 500,000 individuals or the data size is over 1,000 GB, assessment by the competent authority shall be organized.  Data transfer is prohibited without the data subject’s consent, where the transfer may infringe upon data subject’s interests or where such transfer adversely affect national security.

The Draft Guideline has classified some scenarios as cross-border transfer, namely, (a) transferring data to a non-Chinese entity or entity not subject to the China’s jurisdiction; (b) data accessed from outside China; (c) intra-group transfer of data to outside China.  It also provides that network operators not registered in China but with business presence in China are subject to the cross-border data transfer obligations.

Companies are therefore recommended to review their data protection practices from time to time to meet the rapidly developing compliance requirements.  Please contact us if you want to know more.