[1] Since 1 January of the previous year
[2] The Draft Provisions now suggested that data handlers may be exempted from exporting less than 1,000,000 personal information, provided that they have concluded Standard Contractual Clauses for the data export.
December 7, by Felicia Wang, Startup Manager at Swissnex in China, and Kai Kim, Lawyer at Taylor Wessing law firm
Q: What are China’s CBDT and PIPL?
The PIPL refers to China’s Personal Information Protection Law, which came into effect in November 2021. The PIPL is often called China’s GDPR, as it resembles Europe’s General Data Privacy Regulation. From a Chinese perspective, however, the PIPL is only one of several pieces in China’s larger data framework. This framework also contains, among others, China’s Data Security Law and China’s Cybersecurity Law, both of which came out years before the PIPL.
China’s CBDT refers to China’s legal regime on the cross-border transfer of data. This means the export of data from China to overseas. In that sense, China’s CBDT control regime has wider coverage than the PIPL, as it not only deals with the export of personal information but also other categories of data, such as “important data”.
Q: What impact does it have on foreign startups?
Foreign startups are impacted by the PIPL and China’s CBDT in various ways.
Firstly, while the PIPL does in many regards resemble legislations such as the GDPR or the Swiss Federal Data Protection Act, it also includes a variety of requirements that exceed those familiar to foreign startups. To name one example: China’s data privacy rules not only require explicit consent for the handling of personal information, but require separate and additional consent under specific circumstances, for example when personal information is considered sensitive, or when personal information shall be exported abroad.
Secondly, as mentioned above, the PIPL only forms one of several pieces of China’s data framework. As a result, China’s data regime not only focuses on data privacy, but also extensively on national security concerns. This creates additional scrutiny for foreign startups handling data in or from China.
Thirdly, when it comes to the CBDT regime, the biggest difficulty for foreign startups is often determining and conducting the correct mechanism for a legal export of data from China. Under China’s data regime, there are generally three possible mechanisms that may form the legal basis for the export of data from China to overseas:
- a mandatory data security assessment with the competent local cybersecurity and informatization department;
- the conclusion and filing of a standard contract between the data handler in China and the recipient abroad or
- obtaining a personal information protection certification issued by a specialized third-party agency.
Q: What kind of difficulties does it pose for foreign startups?
The first difficulty that foreign startups often face in this regard, is determining the correct mechanism for the data possessed by them. A data security assessment, for example, will be mandatory if the data handled by a foreign startup is considered “important”. Unlike personal information, however, identifying important data is quite complicated and not always fully clear, which creates a lot of uncertainty for foreign startups.
The second difficulty will then be to conduct the correct mechanism in the right way and in due time. For the completion of data security assessments, for example, the deadline has expired in February 2023, while for the conclusion and filing of standard contracts, the deadline just expired at the end of November 2023.
Q: what has been changed in the new draft regulations on CBDT?
The Draft Provisions suggested welcome exemptions from the above-mentioned CBDT mechanisms, as well as some certainty with respect to what may be considered as important data. On the other hand, all other statutory obligations under the PIPL would continue to apply (e.g., securing consent from the data subject upfront, and preparing a transfer impact assessment report). Given the draft status of the Draft Provisions, however, these changes are not yet applicable. When the Draft Provisions will be finalized and whether the final version will contain the same changes as the Draft Provisions from the end of September are not yet clear.
Some of the main changes by the Draft Provisions are as follows:
[3] Non-anonymous clinical data does not fall into this category of exemption
▪The Draft Provisions suggest a negative approach when it comes to the identification of important data, meaning that unless a data handler has been informed by the competent authority that certain data in its possession is classified as important data, or unless it has been publicly released that certain data is considered as important, the data will not be regarded as important. Given the uncertainty among foreign startups as to whether data generated or obtained by them in China is considered to be important or not, this change would likely create a great relief for foreign startups.
Q: What kind of data is in the whitelist that does not need to undergo security reviews by the CAC?
A data security assessment is generally only required for the export of data that is considered “important” or for the export of large amounts of personal information. As a result, data outside these two categories are, in principle, already exempted from the necessity of a data security assessment and could be considered as “whitelisted”.
Aside from this, the idea of a broader whitelist for data export likely stems from a list of 24 measures that China’s State Council published in 2023. One of the proposed measures involves piloting a “free-flowing general data list,” which would specify data that can be exported freely from certain big cities in China to overseas. As of now, it appears that such a list has not been published.
Besides, the concept of a whitelist of general data that may be freely exported is somewhat misleading, as “general data” are, in principle, already freely exportable and only the aforementioned categories of data will be subject to a mandatory data security assessment.
Q: What are some common CBDT/PIPL practices adopted by foreign startups in China?
Given the above-described particularities of China’s CBDT regime, foreign startups will usually first want to examine their IT setups and data flows in China. Based on this, the startups may then want to explore the possibility of IT/data storage localization in China (e.g., adopting onshore solutions). While the processing of data within China would then still require steps to stay compliant, unnecessary regulatory burdens resulting from CBDT-specific requirements may be reduced in such a way.
Certain routine legal tools will then normally be established or improved, such as an impact assessment, a privacy policy, or templates for consent, all of which can be considered as must-haves, irrespective of the size of a startup.
It is generally also advisable, if not crucial, for foreign startups to have a good data governance structure in place, including robust data inventory and classification systems, to help them better identify and manage their ongoing data flows and processing activities.
On top of these, what practices foreign startups will have to apply to stay fully compliant with China’s data and CBDT regime will often depend on the particularities of foreign startups, such as the industrial sectors, the IT infrastructure, or the risk preferences of the foreign startups.
About
Felicia Wang
Swissnex in China
Kai Kim
Taylor Wessing