Products
By Use Cases By Roles
Data Command Center
View
Learn more

AI Security & Governance

Discover, assess, and safeguard AI usage

Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle

Learn more

Compliance Management

Automate Compliance with Global AI and Data Frameworks using Common Controls and Tests
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

AI Security & Governance

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

AI Security & Governance

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View

AI Security & Governance

View

Compliance Management

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

China’s Cross-Border Data Transfer Regime For Overseas Businesses: Explained

china cross border data transfer regime banner

Published May 24, 2023 / Updated June 20, 2023

Data continues to be one of the most vital assets for organizations globally. Through various insights gained from data, organizations can innovate, keeping in mind their users' behaviors, perceptions, and aspirations. A key element behind that is data gained from across the world, allowing for a deeper understanding of how customers across the world may differ in what they want.

However, as lucrative as that prospect may be, there are significant privacy and security concerns related to data transfers from one country or region to another. Most data regulations contain cross-border data transfer guidelines and regimes to alleviate these concerns and provide secure mechanisms for data transfers across countries.

The People’s Republic of China (China), being the most populous country in the world, represents a highly attractive data source. However, restrictions and requirements surrounding data transfers in and outside China are stricter because three different privacy and cybersecurity laws deal with data.

Hence, overseas businesses processing data within China must understand China’s cross-border data transfer regime and how they can ensure compliance with the requirements set to ensure a seamless flow of data to and from the country.

For the uninitiated, it is crucial to understand that under the Chinese Personal Information Protection Law (PIPL), Data Security Law (DSL), and Cybersecurity Law (CSL), cross-border data transfer requirements and obligations vary depending on two primary factors:

Whether an organization/ business operator - either data processor or data controller- is a Critical Information Infrastructure Operator (CIIO) or Non-CIIO per China’s laws;
Whether the data in question is important data or personal data.

Determination of CIIO Status

CSL categorizes organizations into two main groups:

Critical Information Infrastructure Operators (CIIOs).
Network Operators (CIIOs and non-CIIOs).

Article 2 of Regulations on the Security and Protection of Critical Information Infrastructure (“CII Regulations”) further elaborates on the industries and organizations that qualify as CIIOs. These include important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, national defense science, and technology industry, etc., which can gravely jeopardize the national security, economy, fundamental rights, and interests of people. As per Article 8 of CII Regulations, it is the responsibility of government regulatory departments to determine whether a company would fall within the purview of CIIO.

Cross-Border Regime for Non-CIIO

Here’s how a non-CIIO would have to proceed when it comes to transferring “important data” or personal data:

Transfer of Personal Data

For non-CIIO, transferring personal data outside China is an incredibly laborious process. Several layers of requirements need to be met, in addition to several assessments that need to be carried out concurrently.

However, if followed diligently, there’s no reason why each of these requirements cannot be honored, allowing for seamlessly transferring personal data outside China. Here’s how the process works.

Pre-Transfer Requirements

The PIPL is reasonably transparent about setting certain pre-transfer requirements that must be met if a business operator wants to comply with China’s strict cross-border data transfer regime. These pre-transfer requirements include the following:

Separate, informed, and explicit consent of the individual whose personal information is being transferred should be obtained,
Organizations are required to carry out a Personal Information Protection Impact Assessment before they can initiate the process of transferring personal data out of China. This should include legitimacy, the necessity of the purpose, scope, impact on individuals’ rights and interests, security risks, and security measures, and
The users whose personal data is to be transferred are adequately informed about the potential transfer with information regarding the name of the overseas recipient, contact information, purpose and method of processing, type of personal information, and how they can exercise their data rights against the recipient.

Transfer Mechanisms

Once the aforementioned pre-transfer requirements are fulfilled, personal data transfer can occur. However, there are some strict protection standards set by the PIPL that the overseas recipient of data must fulfill. Typically there are three data transfer mechanisms such as security assessment, security certification, and Standard Contractual Clauses (SCCs). These are discussed in detail below:

Security Assessment Mechanism

As per PIPL, there are already strict data localization requirements placed on organizations. In July 2022, the Cyberspace Administration of China (CAC) passed “Measures for Security Assessment of Data Exports (“Assessment Measures”) (Effective from 1st September 2022) that discussed the need for organizations to do thorough security assessments before transferring sensitive data and individual personal information outside China.

One of the export criteria set out in these Assessment Measures was that an organization that processes the personal data of more than 1 million individuals needs to conduct a security assessment and must locally store personal information collected and generated within China. A security assessment for the cross-border transfer of personal information will also be required if:

The organization has cumulatively transferred the personal information of more than 100,000 individuals or has cumulatively transferred sensitive personal information of more than 10,000 individuals since January 1st, of previous year.

To understand the criteria and procedure for submitting a data export security assessment, please see our detailed blog on Assessment Measures.

Certification Mechanisms

Organizations that do not qualify for security assessments can apply to a competent government agency for third-party certification. Companies that receive the accreditation are permitted to transfer data outside of China. Certification Guidelines establish standardized cross-border processing mechanisms and also provide a certification system for personal information protection.

The covered entities under the Certification Guidelines are:

Multinational companies and their subsidiaries and affiliates within the same business entity;
Any foreign organizations acting as Personal Information (PI) processors as defined under PIPL.

In the case of cross-border transfers within a multinational company, the domestic party may apply for certification and assume legal responsibility for such transfers. However, in the case of extraterritorial applicability of PIPL, PI processors can apply for the certifications through their locally established entity or designated representative. By obtaining certification, they assume the legal responsibility for compliance with the PIPL.

The Certification Guidelines provide for data processing principles that organizations should ensure such as openness, transparency, quality assurance, and safety of personal data etc. Additionally, the Certification Guidelines stipulate particular requirements for the cross-border processing of personal information for both data exporters and data importers (also referred to as parties) such as:

Have legally binding contracts between the parties.
Appoint a Data Protection Officer (DPO).
Conduct Privacy Impact Assessments.
Keep records of personal information processing.
Have mechanisms to identify, mitigate and notify any personal information breach.
Fulfill data subjects’ rights.

Organizations that carry these certifications can proceed seamlessly with their data transfer activities. Learn more about the Certification Guidelines here. Note that these Certification Guidelines work alongside the Personal Information Certification Rules which as a guidance on how Certification Guidelines should be implemented.

Standard Contractual Clauses (SCCs) Mechanism

Organizations can also seamlessly transfer data out of China by adopting any of the SCCs stipulated by the CAC. To give guidance on the implementation of Article 38(1)(3) of PIPL, Measures for Standard Contracts for the Exit of Personal Information (“SCC Regulations”) were issued on 24th February 2023. SCC Regulations govern the transfer of personal information outside of China and aim to safeguard the rights and interests of personal information and allow organizations to uniformly carry out exit activities.

The SCC Regulations became effective on 01 June 2023 and stipulates a 6-month grace period for organizations to ensure that their data transfer activities are in compliance with the SCC Regulations. Additionally, the Guidelines for the Recording of Standard Contracts for Exporting Personal Information ("SCC Guidelines"), issued by the Cyberspace Administration of China (CAC) on May 30, 2023, are now in effect alongside the SCCs. These guidelines stipulate that personal information processors must provide certain documents when submitting a standard contract.

Personal information exit activities can only be carried out after the standard contract takes effect. Businesses adopting the standard contracts should fulfill all of the following conditions:

The organization is a non-CIIO;
The organization processes the personal data of less than 1 million individuals;
The organization has cumulatively transferred the personal information of fewer than 100,000 individuals since January 1st, of previous year;
The organization has cumulatively transferred sensitive personal information of fewer than 10,000 individuals since January 1st, of previous year.

If the organization exceeds the above-mentioned threshold, it must use the security assessment mechanism for any cross-border data transfer. Organizations must not segment/split the data volume to avoid the security assessment by concluding the standard contracts.

Annexure to the SCC Regulations provides for a Model Standard Contract for Personal Information Exit (“Model Contract”). Personal information exit activities can only be carried out once the standard contract has been concluded between the organization and the overseas recipient and this standard contract must be strictly in accordance with the Model Contract.

Additionally, prior to transferring any personal information abroad, the organization must conduct a data protection impact assessment (DPIA). Organizations should file the DPIAs and the standard contract with the local provincial network information department at least 10 working days prior to the effective date of the standard contract. They might be required to re-conduct a DPIA or supplement or re-contract the standard contract if there occurs any change in the purpose, scope, type, sensitivity, method, place of deposit of personal information or any change in the data protection policies of the recipient country.

SCC Regulations stipulate that the data subject is a third party beneficiary and may use his or her third party beneficiary rights in accordance with the provisions of the standard contract, unless he or she expressly objects within 30 days.

Additionally, SCC Regulations also highlight number of organizational obligations for the overseas recipient such as:

Record-keeping of personal information processing for up to 3 years;
Notifying in case of any change in the regulations or policies of the country/region due to which overseas recipient cannot fulfill obligations under the standard contract;
Adopting organizational and technical measures to ensure security of the personal data;
Adopting remedial measures in case of a breach incident and informing the controller.

Learn more about the SCC Regulations in detail here.

Other Laws and Mechanisms Approved by CAC

Where an organization satisfies other conditions prescribed by other Chinese laws, administrative regulations, or the CAC, it may transfer personal information. Furthermore, organizations that do not need to undergo a security assessment may also rely on an international treaty or agreement that China has signed as the basis for the data transfer.

Transfer of Important Data

Both the CSL and DSL require organizations to carry out a mandatory security assessment regarding cross-border transfers of important data.

Organizations must have mechanisms and checks in place to promptly identify important data. The Security Assessment Measures have an unambiguous definition for important data as being “data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and safety, and so forth.”

The Draft Guidelines for the Identification of Important Data state that any data that contains the following can be deemed important data:

Operation of Economy,
Population and Health,
Natural Resources and Environment,
Science and Technology,
Security Protection,
Service Providing,
Government Affairs, and
Other non-state secret information.

How Can Securiti Help

An increasing number of countries have begun to, have drafted, or have already enforced data privacy laws. The primary purpose behind most of these is to ensure the safety and privacy of users’ data by placing certain obligations and responsibilities upon organizations that collect and process the users’ data.

In most cases, these obligations extend to cross-border data transfers to guarantee the same level of security is extended to users’ data if it is transferred outside the country or region where it was collected.

Securiti is a market leader in providing enterprise solutions in data governance and compliance. Its state-of-the-art artificial intelligence and machine learning algorithms enable automated compliance with all major data regulations based on its plethora of privacy products such as DSR automation, data classification, cookie consent management, and breach management, among others.

Request a demo today and learn more about how Securiti can help your organization comply with the PIPL, DSL, CSL, and all other global data regulations.

China’s Cross-Border Data Transfer Regime For Overseas Businesses: Explained

Determination of CIIO Status

Cross-Border Regime for Non-CIIO

Transfer of Personal Data

Pre-Transfer Requirements

Transfer Mechanisms

Security Assessment Mechanism

Certification Mechanisms

Standard Contractual Clauses (SCCs) Mechanism

Other Laws and Mechanisms Approved by CAC

Transfer of Important Data

How Can Securiti Help

More Stories that May Interest You

Newsletter

Company

Resources

Terms

Get in touch

China’s Cross-Border Data Transfer Regime For Overseas Businesses: Explained

Determination of CIIO Status

Cross-Border Regime for Non-CIIO

Transfer of Personal Data

Pre-Transfer Requirements

Transfer Mechanisms

Security Assessment Mechanism

Certification Mechanisms

Standard Contractual Clauses (SCCs) Mechanism

Other Laws and Mechanisms Approved by CAC

Transfer of Important Data

How Can Securiti Help

Join Our Newsletter

Share

More Stories that May Interest You

Learning from the Fallout : A Massive $1.3 Billion Fine for Violating EU’s Cross-Border Data Transfer Regulation

China Measures for Standard Contracts for the Exit (Export) of Personal Information 2023

Newsletter

Company

Resources

Terms

Get in touch

What'sNew

What's
New