For the cross-border transfer of personal information, personal information handlers must provide notices to individuals explaining the details of the transfer, and obtain their specific consent for the transfer of their personal information. It also imposes an obligation on personal information exporters to ensure data protection standards are met after transfer.
Personal information handlers are also required to meet one of the following conditions:
- Passing a security assessment organized by the CAC and informatization department (this requirement is for the operators of Critical Information Infrastructure and organizations that transfer personal information of more than one million individuals or sensitive personal information of more than 10,000 individuals); or
- Undergoing personal information protection certification conducted by a specialized body according to provisions by the CAC and informatization department (this is a requirement for organizations that transfer personal information of between 100,000 and one million individuals; or sensitive PI of less than 10,000 individuals); or
- Concluding a contract with the foreign receiving side in accordance with a standard contract formulated by the cyberspace and information department, agreeing upon the rights and responsibilities of both sides (this is a requirement for organizations that transfer personal information of between 100,000 and one million individuals; or sensitive PI of less than 10,000 individuals); or
- Other conditions provided in laws or administrative regulations or by the State cybersecurity and information department.
The thresholds have been added by the Regulations on Promoting and Standardizing the Cross-border Flow of Data. These regulations also grant exemptions from security assessments for data transfers related to trade, transport, academia, non-important or non-personal business data, contractual obligations, employee management, and emergencies.
Furthermore, the Data Security Regulations expand on the relaxations by introducing additional legal bases for cross-border data transfers. In addition to the existing three mechanisms, businesses may now rely on the following justifications:
- transfers necessary for contract signing or performance;
- transfers of employee data necessary for cross-border human resources management;
- emergency situations;
- transfers necessary for performing mandatory duties; or
- transfers permitted under other laws and regulations.
It’s also important to note that operators of Critical Information Infrastructure and entities that transfer a large volume of personal information must store personal information collected in China locally and, if a transfer is necessary, undergo a security assessment. The PIPL also explicitly allows the cross-border transfer of personal information when treaties or international agreements are in place.
If it is necessary to transfer personal information outside of China for international judicial assistance or administrative law enforcement, personal information handlers must file an application with the relevant competent authority for approval.