How to transfer data out of China
While operating in China, Canadian companies may need to transfer data collected or produced in their operations out of the country. In recent years, China has introduced laws and regulations related to cybersecurity and data protection that may impact foreign firms' ability to transfer data outside China. This article explains China's regulatory requirements on the cross-border transfer of data.
Regulatory exemptions
There are currently exemptions in China's regulations that allow for the easier export of the following data:
- data that is generated in international trade, cross-border transportation, academic cooperation, cross-border manufacturing, and marketing, and does not involve important data or personal information
- personal information that is generated overseas and transferred to China for processing, and then re-exported overseas, and does not introduce domestic important data or personal information during processing in China
- personal information that is necessary for the execution and performance of a contract where the personal information at issue is derived from a party to the contract; such contracts may relate to cross-border shopping, mailing, remittance, payments, account opening, air ticket and hotel bookings, visa applications, examination services, etc.
- employees' personal information for human resource purposes arising from employment policies and collective labour contracts
- personal information to protect individuals' lives, health, or property in emergency situations
- non-sensitive personal information of no more than 100,000 individuals per calendar year that is exported by a non-Critical Information Infrastructure operator; and
- data that is exported by companies in China's Free Trade Pilot Zones and is subject to exemptions that apply within these Zones
Additional revisions to exemptions by Chinese authorities are possible.
Under these exemptions, certain additional requirements may also apply, including a Personal Information Protection Impact Assessment for personal information. When these exemptions do not apply, a company must utilize either the security assessment, the standard contract, or the security certification mechanism to transfer data abroad.
Security assessment
When a company processes or transfers outbound a certain amount of personal information, or transfers outbound important data, it must proactively apply for a security assessment via the provincial-level cybersecurity authority, which then forwards the application to the Cyberspace Administration of China (CAC) for review.
Upon receipt of the application, CAC has seven business days to decide whether to accept it. CAC then has forty-five business days to complete the security assessment, although this timeline may be extended in complex cases. During the security assessment, CAC examines the risks that the cross-border data transfer may pose to national security, the public interest, and the legitimate rights and interests of individuals and organizations.
Once CAC decides on the security assessment, the decision is valid for three years. If the applicant disagrees with the decision, it may ask CAC to review it within fifteen business days of receiving the decision notice. The decision of the review is final.
When a security assessment by CAC is not mandated, a data processor may transfer personal information out of China if it signs a CAC standard contract with its overseas recipient or obtains a security certification from a designated institution. Companies cannot circumvent the security assessment requirement by dividing the transferred personal information into smaller quantities so that the volume of personal information does not reach the statutory thresholds.
Standard contract
If the data thresholds for a security assessment are not met, businesses transferring personal information may choose to use the standard contract to export data. The articles of the standard contract cover:
- the obligations of a personal information processor and of an overseas recipient
- the impact of the laws and policies of the country where the overseas recipient is located
- the rights of the individual who provides personal information
- the remedies available for the individual who provides personal information
- the cancellation of the standard contract; and
- the liabilities of contractual breaches, among others
While parties may negotiate additional articles and attach them to Annex II of the standard contract, additions cannot deviate from the standard contract's obligations and requirements.
Within ten business days of the standard contract taking effect, parties must file their standard contract, together with a self-assessment report evaluating the impact of the transfer on personal information protection, with the provincial CAC office in their jurisdiction.
For a company that operates in both China and Europe, the EU Standard Contractual Clauses (SCCs) under the EU General Data Protection Regulation (GDPR) cannot substitute for the Chinese standard contract. A fundamental difference is that, unlike the EU's four-module approach that applies under the SCCs (controller to controller, controller to processor, processor to processor and processor to controller), China's standard contract adopts a one-size-fits-all approach, without any differentiation in relation to the role of the overseas recipient. However, despite different legal systems, both regimes share some similarities, such as the principles of lawful processing, transparency, respecting data subjects' rights, and responding to inquiries of supervisory authorities.
Security certification
Security certification is an alternative option to the standard contract for a company that intends to export data out of China when a security assessment does not apply. The certification process includes the following steps:
- A personal information processor submits an application to the China Cybersecurity Review Technology and Certification Center (CCRC) (in Simplified Chinese only). The application needs to specify what is to be certified, such as the type and volume of personal information, the scope of personal information processing activities, and the details of the technical verification agency.
- The technical verification agency carries out the technical verification as requested and issues a report to the CCRC and the applicant.
- The CCRC performs an on-site review and issues a report to the applicant.
- The CCRC makes a decision based on the materials submitted by the applicant, the technical verification report, and the on-site review report. If the applicant meets the requirements, a three-year certificate is issued to the applicant.
- During the three-year validity period of the certificate, the CCRC exercises ongoing oversight on the applicant. It has the power to suspend or revoke the certificate if the applicant no longer meets the requirements.
The Chinese certification rules share some similarities with the EU GDPR certification, but an EU GDPR certificate cannot substitute for a Chinese certificate.
Other regulatory requirements
For certain types of data to be transferred out of China, Chinese industrial regulators may impose additional requirements. For more information, please contact the Canadian Trade Commissioner Service in China at infocentrechina@international.gc.ca and advise us of the specific type of data concerned.