China in Focus
Challenges in Outbound Personal Data Transfer

Companies in Hong Kong and overseas doing business in or with China are busy working to obtain Chinese Government approval for outbound personal data transfer so that their Mainland affiliates can continue to share customer and employee data. 

China has detailed rules on the permissible mechanisms for data transfer, and companies across different industries need to thoroughly evaluate their data export activities to ensure compliance. The penalties for non-compliance are hefty: criminal and civil liabilities, 5% of turnover of the previous year, and personal liability, as shown in the latest round of punishment decisions. 

The data transfer mechanisms include Government approval (security assessment); certification by a professional institution; entering into a standard contract (Chinese SCCs) prescribed by the Government with the overseas recipient; and other permissible mechanisms, such as the cross-border data transfer mechanism within the Greater Bay Area being discussed between the Central Government and the HKSAR Government. 

 

Implementation Challenges

Businesses in Hong Kong and overseas have been facing difficulties in adopting these measures, some of which are explained below.

 

1. Consent of individuals is not sufficient for outbound transfer 

According to the China Cybersecurity Law (CSL), Data Security Law (DSL) and Personal Information Protection Law (PIPL), outbound data transfer requires prior Government approval. Even in cases where approval is not needed, outbound data transfer must proceed by way of one of the other two mechanisms set out in the law, i.e. obtaining certification that the outbound transfer may proceed, or signing Chinese SCCs. The consent of the data subject alone is not sufficient. This is very different from outbound personal data transfer in Europe, the United States and other jurisdictions.

To ensure full compliance, companies may familiarize themselves with the requirements (a report on the three mechanisms can be obtained at www.tiangandpartners.com).

 

2. Companies may not get to choose mechanisms for outbound transfer 

Government approval is mandatory under the following circumstances: 

  • A critical information infrastructure operator (CIIO) transfers personal data out of China (critical information infrastructures are broadly defined as important network facilities and information systems in the industries of public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, national defence, science and technology as well as those that may seriously endanger national security, national economy and the people’s livelihood, and public interests in case of damage, loss of function or data leakage);
  • A company which processes personal information of one million people or above; 
  • A company (including one that is not a CIIO) transfers “important data” out of Mainland China (Important data is broadly defined as data that may endanger national security, economic operation, social stability, public health, and safety once tampered with, destroyed, leaked, or illegally obtained or used);
  • A company which has, since 1 January of the preceding year, cumulatively provided personal information of 100,000 individuals or sensitive personal information of 10,000 individuals out of China.

Businesses should thoroughly map their data to see whether it meets the threshold for Government approval. If it does, they need to apply for approval (with impact assessment reports). If it does not, they may proceed with the certification or Chinese SCCs mechanism (also with an impact assessment report). (Usually companies do not opt for the certification mechanism, as it involves the certification organization conducting on-site inspections, including of the companies' data systems.)

 

3. Industry specific requirements companies must comply with

There are regulations for different industries that set out other legal requirements. For example, regulations on human genetic resources require that clinical trial data be uploaded onto the regulator's platform prior to outbound transfer.

In the area of vehicle data (personal data and important data relating to the process of automobile design, production, sales, use, operation, maintenance, etc.), geographical information and vehicle external video and image data have been categorized as important data that require Government approval. Processing important vehicle data requires the company to file its annual vehicle data security management forecast with the Chinese regulator in advance. If an individual requests deletion of vehicle data, the company must do so within 10 working days. Prior Government approval is needed to add or update automatic driving functions through online and other software upgrades.

In regard to data generated by medical devices, hospitals and clinics must conduct comprehensive reviews annually of data, update data security management systems, and conduct data security risk assessment. 

In these cases, companies should comply with all relevant standards and industry specific requirements.

 

4. Outbound personal data transfer must meet the necessity requirement

Companies need to justify that the outbound transfer is necessary; otherwise it will be denied. For example, if bank account information of Chinese employees does not need to be sent to Hong Kong because the salaries are paid in the Mainland, companies may consider not including such data in the outbound transfer.

 

5. Impact assessment for outbound transfer must be conducted  

Impact assessment covers the data to be transferred and the necessity of the transfer; the overseas recipient; the sufficiency of the legal protection provided by the contract with the overseas recipient; and the risk of data leakage. The impact assessment report, which must be submitted to the Chinese regulator, should be prepared in the format prescribed by the Chinese regulator.

Companies may wish to coordinate internally and externally to prepare impact assessment. The report should be kept for at least three years.

 

6. Separate consents must be obtained otherwise outbound transfer would be denied  

Notice should be given to the individual of the name and contact details of the overseas recipient, purpose and method of processing, type of personal information, and the process for how the individual may exercise his/her rights. The individual must give proper, informed, unbundled consent (Separate Consent) prior to the outbound transfer.

Companies may wish to prepare China-law-compliant privacy policies, notices and consents, explain them to individual employees and customers, and document the consents obtained from the individuals.

 

Chiang Ling Li, Partner, Tiang & Partners
