Corporate Compliance Insights
With a Key Deadline Fast Approaching, Now Is the Time to Address Requirements for Data Transfers Outside of China

Transfer impact assessments will be particularly time-consuming for multinationals

by Littler Mendelson
November 6, 2023
in Data Privacy
Though the Chinese government has proposed potential carve-outs, U.S. companies with workers in the People’s Republic of China are facing a deadline this month to implement a new cross-border data transfer mechanism. A group of experts from Littler share details companies need to know.

U.S.-based multinationals with employees in the People’s Republic of China (PRC) are confronting a Nov. 30 deadline to implement a new cross-border data transfer mechanism, the standard contract. This implementation requires not just completion of the standardized data transfer agreement but also completion of a complex transfer impact assessment and submission for approval of these and related documents to the relevant provincial offices of the Cyberspace Administration of China (CAC). 

In late September, the CAC released a set of proposed revisions that would establish a number of exceptions to the requirement to enter into the standard contract, including a potential exception for HR-related transfers. There is no timeline as to when (or if) the HR exception will be passed, and employers would still be required to conduct the transfer impact assessment, though they may not have to file it.

Cross-border data transfers under Chinese law

Since going into effect in 2021, China’s Personal Information Protection Law (PIPL) has required notice to, and the consent of, the data subject when transferring personal information to locations outside of China plus additional steps to be mandated by the CAC. In February, the CAC published the measures that would be required to export personal information, which established one option for the additional steps required to transfer personal data out of the PRC. This option is a standardized personal information export standard contract, supported by a transfer impact assessment and related documents. 

Similar to the European Union’s standard contractual clauses (SCCs), the Chinese standard contract is a set of contractual terms intended to ensure that personal information transferred to a third country continues to receive a level of protection essentially the same as the protection provided by the PIPL. The measures provide that an entity in China can utilize the standard contract unless it meets one of the following criteria:

  • Is an operator of critical information infrastructure (CIIO).
  • Holds/processes the personal data in China of more than 1 million individuals.
  • Has transferred out of China the personal data of more than 100,000 individuals since Jan. 1 of the previous year.
  • Has transferred out of China the sensitive personal data of more than 10,000 individuals since Jan. 1 of the previous year. 

Because CIIOs generally will be corporations native to the PRC, such as telecommunications service providers, military contractors and financial institutions, and in light of the high numeric thresholds, most corporate affiliates in China of a U.S. multinational will qualify to use the standard contract to legitimize the transfer of personal data out of the PRC.

Entities in China were required to implement the standard contract as of June 1 for transfers of personal data that commenced for the first time after that date. For data transfers that have been ongoing since before June 1, entities in China must submit the standard contract, the transfer impact assessment and related documents for approval by Nov. 30.

The standard contract vs. the EU standard contractual clauses

Like the EU’s SCCs, China’s standard contract sets forth obligations between the parties with regard to transparency, data retention, information security, security breach notification and data subject rights, among other obligations. These obligations mirror the obligations established by the PIPL to ensure that transferred personal data receives the same level of protection outside the PRC as when it is processed locally. As with the EU SCCs, the substantive terms of the standard contract cannot be modified. 

While the terms cannot be varied, the parties are required to complete a description of the transfer. This description must be specific to the transfers for which approval is sought. The description must include the following: (a) the purposes for, and methods of, processing the transferred personal data; (b) the quantity of personal information to be transferred (with reference to the thresholds noted above); (c) the types of personal information and sensitive personal information to be transferred; (d) any identification of third parties that will receive onward transfers from the overseas recipient; (e) the method of transfer; (f) the overseas storage location; and (g) the retention period at that location.

The standard contract takes a one-size-fits-all approach, as it is to be used for transfers between data controllers, from a data controller to a data processor or between data processors. Consequently, the same burdensome regulatory compliance requirements could apply to both an intercorporate group data transfer and a transfer to an HR service provider, pending approval of the latest proposal.

Transfer impact assessment

The PIPL and the measures published in February both require that the personal information handler conduct a personal information protection impact assessment (most often referred to globally as a transfer impact assessment, or TIA). The TIA requires detailed information about the PI handler, the overseas recipient and the data transfer, including the following:

  1. Detailed information on the PI handler, including information about the corporate structure and the organization’s privacy governance structure.
  2. Detailed information on the overseas recipient or data importer, including the purposes for processing the transferred personal data, the information security safeguards for that data and the protections established by local law for transferred personal data.
  3. Information about the technology used by the PI handler to effectuate the data transfers.
  4. Details regarding the scope of the personal information transferred.

Based on this factual information, the parties to the transfer then must assess the potential risks to transferred personal data and identify measures to reduce those risks. The form TIA published by the CAC identifies six areas that the risk assessment must address, including, for example, the types, quantity and sensitivity of transferred personal data; the recipient’s safeguards for transferred personal data; and the impact of local law on the recipient’s ability to fulfill its obligations under the standard contract.

U.S. multinationals with multiple subsidiaries in the PRC and/or multiple corporate members in the United States with access to transferred personal data may need to complete multiple TIAs to account for variations across corporate group members. In addition, if employees outside the United States and the PRC will have access to transferred personal data or that data will be stored in other third countries, the U.S. multinational likely will be required to complete additional TIAs to account for variations in the laws of the destination countries.

Filing with the CAC

The CAC requires that the PI handler (i.e., the entity in the PRC transferring personal information overseas) file a copy of the completed standard contract and accompanying TIA with the CAC office in the province where the PI handler is located within 10 working days of the standard contract’s effective date. On May 30, CAC released guidance on how organizations should complete the filing procedure for the standard contract, which included a template for each document that must accompany the standard contract at the time of filing. These documents include the following:

  1. Transfer impact assessment.
  2. Power of attorney, executed by the data exporter’s legal representative, authorizing the named individual to file the standard contract on behalf of the PI handler. 
  3. Commitment letter executed by the PI handler’s legal representative, representing that the information provided in the filing materials is true and correct and filed within the timing parameters set by the CAC. 

Additionally, the filing must include a photocopy of the following documents with an official seal:

  • Unified social credit code certificate for the filing entity.
  • ID card of the agent who submits the filing.
  • ID card of the legal representative who signs the commitment letter.

Next steps for employers with Chinese subsidiaries

Despite uncertainty about how the filing process will ultimately roll out at the provincial level and about the proposed exceptions, the complexity of the requirements means that multinationals with corporate group members in China should start preparing now. Compliance will require detailed and time-consuming fact-finding and manpower to prepare all of the required documentation, especially the transfer impact assessment.

To summarize, multinationals with corporate group members in China will need to:

  • Ascertain whether they qualify for the standard contract option to transfer personal data from China and, if so:
    • Conduct a fact-finding process to gather the data needed for the standard contract and TIA and identify the applicable local CACs for filing and their filing requirements.
    • Prepare and execute the standard contract among the relevant legal entities of the multinational.
    • Prepare the TIA(s) for the data recipients, including variations as needed for data recipients located in multiple countries.
    • File the standard contract and TIA with the applicable local CACs.
  • Consult with those service providers that process China personal data on behalf of the employer to determine the service provider’s plan for compliance with the new cross-border data transfer requirements.

Philip Gordon, Grace Yang, Morgan Matson, Kwabena Appenteng and Zoe Argento of Littler co-authored this article.
Littler Mendelson

Littler Mendelson is a U.S.-based law firm headquartered in San Francisco, specializing in labor and employment law, global mobility and immigration. The firm has more than 70 offices around the world.