In past years, China has promulgated a series of laws and regulations governing data protection and, in particular, data export.
People’s Republic of China (PRC) law currently provides three routes for data export: (1) Cybersecurity Administration of China (CAC) assessment, (2) certification (by professional institutions), and (3) standard contractual clauses (SCC). Depending on the nature and volume of the data to be exported and the identity of the exporter, the exporter must pick at least one route in order to export data.
Implementation rules for CAC assessment and certification were released by the relevant PRC authorities in 2022. In late February 2023, the long-expected SCC were officially released, and they will take effect on 1 June 2023.
For most small and medium-sized multi-national financial institutions, SCC are likely to be an applicable route for exporting data from China overseas. Possible scenarios in which a multi-national financial institution would trigger the SCC requirement include providing personal information of investors for KYC purposes, sharing staff’s personal information for HR management, etc.
SCC are one of a few steps required for data export under PRC law. Before adopting SCC, the exporter shall conduct a Data Protection Impact Assessment (DPIA), which is a requisite pre-procedure for all export of personal information, regardless of which route the export follows. After the SCC are signed, the exporter shall file the signed contract and the DPIA report with the local authority. Particular consent for export of data must also be obtained from each individual whose personal information will be exported.