Transfer of employee information outside of China under PIPL and the new Draft Standard Contract
The Cyberspace Administration of China has issued a draft standard contract for cross-border transfers of personal information out of China which will, if adopted, constitute a valid transfer mechanism under the Chinese Personal Information Protection Law. Both the transferring entity and the overseas recipient must still be aware of additional data protection requirements related to cross-border transfers, including reporting requirements.
The Chinese Personal Information Protection Law (“PIPL”) was enacted on 1 November 2021 and is sometimes referred to as China’s equivalent to the General Data Protection Regulation (“GDPR”). It is China’s first and most comprehensive act of legislation on the processing of personal information.
PIPL applies to all processing activities of personal information of individuals that is carried out by entities within the territory of China. Amongst the numerous obligations and compliance requirements imposed on personal information processors, PIPL has, in particular, strict rules on cross-border transfer of personal information, and aims to put an end to or at least control the large flow of information from China to the rest of the world.
Whilst PIPL does not define cross-border transfers of personal information, the industry practice has been to approach this question by applying a broad interpretation. By way of example, cross-border transfers are deemed to include any situation where a Chinese entity stores personal information, such as employee information and business contacts, on servers located outside China or otherwise makes personal information available to overseas recipients, such as a parent company or group affiliate.
Transfer mechanisms for cross-border transfer and a new draft standard contract
For a cross-border transfer of personal information to be compliant with PIPL, the transfer must be “necessary”. This means that the Chinese entity intending to transfer personal information must assess the necessity of the transfer, typically by reference to a business need. In addition, the transferring entity must also conduct a personal information protection impact assessment (“PIPIA”) prior to the transfer. The PIPIA must include assessments on the lawfulness, legitimacy and necessity of the processing, impact on personal rights and interests and level of risk and security protection measures implemented. The PIPIA and a record of processing must be retained for at least three years.
Furthermore, the transfer must be subject to a transfer mechanism, which is either (i) a completed security assessment organized by the Cyberspace Administration of China (“CAC”), (ii) a certification for personal information protection issued by a professional institution recognized by the CAC, or (iii) a standard contract provided by the CAC to establish the rights and obligations of the transferring entity (within China) and the overseas recipient.
In practice, the third alternative – the standard contract – is perceived as the most efficient and cost saving option for companies which will not be transferring critical data and which will only transfer personal information of less than 100,000 people or sensitive personal information of less than 10,000 people on an annual basis.
For this purpose, the CAC issued a draft standard contract on 30 June 2022 (“Draft Standard Contract”). The Draft Standard Contract also includes proposals related to filing, requiring the Chinese transferring entity to file both the standard contract and the completed PIPIA with the provincial CIA. The time limit for public comments to the Draft Standard Contract expired on 29 July 2022, and if the proposal is approved, all local transferring entities in China must use the approved standard contract and comply with the corresponding filing requirements.
Specific consent from the individual
In addition to a transfer mechanism, PIPL requires the transferring entity to obtain a specific personal consent from the individual prior to any cross-border transfer of personal information. PIPL also requires that such personal consent is a voluntary and explicit indication of intent given on a fully informed basis.
Furthermore, the individual has the right to withdraw the consent at any time, and the personal information processor must provide the individual with an easy method for withdrawing the consent.
Information to the individual prior to the transfer (privacy notice)
PIPL also requires that the Chinese entity provides the individual with information about the transfer, including the name and contact information of the overseas recipient, the purpose and method of the processing, and the type of personal information involved. The individual must also be informed of how they can exercise their rights under PIPL against the overseas recipient.
Such information on the processing of personal information is usually prepared in the form of a privacy notice and included as part of the employee handbook or similar internal regulation.
The Standard Contract entered into between the Chinese transferring entity and the overseas recipient, together with a specific personal consent accompanied with a privacy notice, will constitute a legitimate basis for cross-border transfer.
Additional requirements for overseas recipients of personal information
In addition to the requirements on the transferring entity, it is important to be aware that the overseas recipient is also required to comply with Chinese data protection requirements.
Firstly, PIPL has an extraterritorial scope, and an entity outside China processing personal information about individuals within China can be deemed a personal information processor if the purpose of the processing activity is to provide a product or service to the individual or assess their behaviour.
PIPL requires that any personal information processors located outside the territory of China (i) establish a local representative in China, for example by appointing a legal entity or nominating a person responsible for personal information protection-related affairs, and (ii) submit the name of the representative and their contact information to the Chinese authorities.
Detailed guidelines regulating what is the requirement for a legal entity or person to be appointed as representative are however not yet issued by the relevant Chinese authorities.
Secondly, the overseas recipient may be subject to local data protection laws. For example, if the overseas recipient is established within Norway or another EU/EEA country, transfers of personal information from China to the EU/EEA may trigger the rules under the GDPR.
The GDPR applies to controllers (and processors) established within the EU/EEA regardless of whether the data subjects are located within or outside the EU/EEA, i.e. an overseas recipient within the EU/EEA will be deemed a data controller when receiving personal data about data subjects in China.
The obligations of a data controller under the GDPR include having a valid legal basis for processing and informing the data subjects (such as data subjects in China, whose personal data is being transferred to the EU/EEA) about the relevant processing of their personal data in accordance with the GDPR. When it comes to transfers of personal data related to employees, it may be problematic to use consent as a legal basis for receiving personal data under the GDPR. Furthermore, businesses should follow the basic principles relating to processing of personal data underlying the GDPR, including data minimization and purpose limitation.