
New PRC guideline on cross-border transfer of personal information 新的中国个人信息跨境转移指南

  • Hong Kong
  • Technology - Articles
  • Technology, Media and Telecoms - Telecoms

19-05-2022

Since the introduction of the PRC Personal Information Protection Law (“PIPL”) in November 2021, there have been uncertainties regarding how multinational organisations are able to transfer PRC personal information offshore.

Currently, Article 38 of the PIPL provides the requirements for cross border transfer of personal information to outside the PRC, including:

(1) passing a regulator-led security assessment. This is typically reserved for “critical information infrastructure operators” or organisations seeking to export personal information over a prescribed threshold;

(2) obtaining security accreditation from a regulator-accredited professional institution;

(3) having in place standard contractual clauses (which have yet to be published) with the offshore recipient; or

(4) other circumstances permitted by PRC laws or regulations.

However, it has been unclear whether these offshore transfer restrictions apply equally to organisations whose data collection points and back-end processing capabilities are both located outside the PRC.

Recently, the PRC regulators released new draft guidelines (namely, the Consultation Draft of the Technical Specification for Accreditation of Cross-border Personal Information Processing Activities (the “Draft Accreditation Specification”)).

Although the focus of the Draft Accreditation Specification is to provide guidance on the requirements that data controllers must meet in order to obtain accreditation from a regulator-accredited professional institution (see (2) above), the Draft Accreditation Specification provides some interesting insights into the regulators’ latest thinking:

  • Firstly (and most importantly), the Draft Accreditation Specification clarifies that the cross-border transfer requirements under Article 38 of the PIPL may equally apply to transfers that wholly take place offshore (i.e. both the transferor and transferee are located outside the PRC).

    Specifically, the following two scenarios will be caught by the offshore transfer restrictions under the PIPL:

    (A) intra-group data transfers which involve a PRC entity; or

    (B) personal information transfers between an offshore transferor and an offshore transferee, as long as the data concerned is used to analyse and assess the behaviour of PRC individuals.

    While this provides some clarity, there are still some unanswered questions which have yet to be clarified by the PRC regulators.
  • Secondly, the PRC-based entity of a multinational organisation (in the case of an intra-group transfer) and the PRC-based designated representative of an offshore data controller may apply for the accreditation from the regulator-accredited professional institution to legitimise the offshore transfer.

Other obligations relating to cross-border data transfers (e.g. having in place a data transfer agreement, carrying out a self-assessed privacy impact assessment) continue to apply.

Multinational organisations should review their data flows and assess whether they are required to comply with requirements for cross-border personal information transfer under Article 38 of the PIPL.

To read the Draft Accreditation Specification, please see here (in Chinese language only).

For more information on cross-border transfer of personal information to outside of the PRC, please contact us.


Since the introduction of the Personal Information Protection Law of the People's Republic of China (the "PIPL") in November 2021, there has been uncertainty as to how multinational enterprises can transfer PRC personal information outside the PRC.

Currently, Article 38 of the PIPL sets out the requirements for cross-border transfer of personal information outside the PRC, including:

(1) passing a regulator-led security assessment. This is typically reserved for critical information infrastructure operators or organisations whose processing of personal information reaches the volume prescribed by the national cyberspace administration;

(2) obtaining security accreditation issued by a regulator-accredited professional institution;

(3) entering into standard contractual clauses (the content of which has yet to be published) with the offshore recipient; or

(4) other circumstances permitted by PRC laws or regulations.

However, the law has remained uncertain as to whether these offshore transfer restrictions apply equally to organisations that have both information collection points and back-end processing capabilities outside the PRC.

Recently, the PRC regulators released a new draft guideline (namely, the consultation draft of the Technical Specification for Accreditation of Cross-border Personal Information Processing Activities (the "Draft Accreditation Specification")).

Although the focus of the Draft Accreditation Specification is to provide guidance on the requirements that information controllers must meet in order to obtain accreditation from a regulator-accredited professional institution (see (2) above), the Draft Accreditation Specification provides some interesting insights into the regulators' regulatory direction:

  • Firstly (and most importantly), the Draft Accreditation Specification clarifies that the cross-border information transfer requirements under Article 38 of the PIPL may equally apply to transfers that take place wholly offshore (i.e. both the transferor and the transferee are located outside the PRC).

    Specifically, the following two scenarios will be subject to the offshore transfer restrictions under the PIPL:

    (A) intra-group information transfers involving a PRC entity; or

    (B) personal information transfers between an offshore transferor and an offshore transferee, where the information concerned is used to analyse and assess the behaviour of PRC individuals.

    While this provides some clarity, there remain some unanswered questions to be clarified by the PRC regulators.
  • Secondly, the PRC-based entity of a multinational organisation (in the case of an intra-group transfer) and the PRC-based designated representative of an offshore information controller may apply to a regulator-accredited professional institution for accreditation, so as to legitimise the offshore transfer.

Other obligations relating to cross-border information transfers (for example, entering into an information transfer agreement and carrying out a self-assessed privacy impact assessment) continue to apply.

Multinational organisations should review their information flows and assess whether they are required to comply with the requirements for offshore transfer of personal information under Article 38 of the PIPL.

If you wish to read the original text of the Draft Accreditation Specification, please see here.

For more information on cross-border transfer of personal information outside the PRC, please contact us.