On May 30th, the Cybersecurity Administration of China (CAC) issued details of the format for filing with the government the documentation necessary for the export of Personal Information collected in China. This guide acts to supplement the requirements set forth in the February 24, 2023 regulations, which came into effect on June 1, 2023 (though there is a 6-month extension allowed for existing data transfers).
To recap the February 24, 2023 requirements:
-
The export of any personal data from China is now restricted unless the proper documentation, and in some cases approvals, are completed.
-
For personal data export related to critical infrastructure or above certain thresholds (over 1M people overall, over 100k exported from China, or over 10k sensitive information exported from China within a calendar year), a mandatory assessment must be undertaken and approved by the authorities.
-
In order to export any other personal data from China, the regulations require the:
-
Data Exporter and the Data Recipient to execute a designated Standard Contract;
-
Data Exporter must conduct an export Personal Information Protection Impact Assessment meeting the export requirements; and
-
Data Exporter must file the executed Standard Contract and the impact assessment report with the authorities within 10 working days of the effective date of the Standard Contract.
-
Note: A data export includes not only the actual transfer of the data from China, but also the ability to view the data from outside of China.
The May 30, 2023 guidelines clarify the filing process which involves non-critical information or large volume data exports. It provides:
-
The specific format of the Personal Information Protection Impact Assessment including the following details regarding the:
-
basic information on the Data Exporter such as the type of organization and the equity structure, including whether it is a domestic or foreign investment entity;
-
information system collecting and exporting the data, including the use of data centers in the process;
-
personal information to be transported with a detailed breakdown of purpose, necessity, sensitivity, legality, use of automatic decision making and recipients data storage location;
-
ability of the Data Exporter to protect the data, including technical, management and training for handling, emergency response and compliance;
-
data recipient’s use of the data, ability to protect and details of the information protection in its country/region; and
-
an Impact Assessment for each of the items to be exported including potential risks.
-
-
Besides the Impact Assessment and the Standard Contract binding the Data Recipient to handle the data accordingly, the other documents to be filed by the Data Exporter are:
-
the Unified Corporate Credit Code Certificate (essentially, the business registration number and taxpayer ID);
-
the legal representatives ID;
-
the ID of the person handling the actual filing;
-
the Power of Attorney certifying the authority of the person making the filing on behalf of the data exporter; and
-
a Letter of Commitment from the data exporter confirming the veracity of the filing and committing to follow its contents or as otherwise required by the CAC. This is a designated format.
-
The new regulations have now clarified that the submission process includes the review of the provincial-level CAC, indicating that it will respond within 15 working days stating whether the filing materials passed or failed, or that supplementary materials are required (in which case, the exporter should resubmit the filing with the supplementary materials within 10 working days).
As these requirements are now effective, we continue to encourage companies to move forward quickly to prepare for any planned personal data export from China.