Part 4: Rules and Requirements for Cross-border Data Transmission
In the digital economy era, data is a basic strategic resource that countries are competing for. Countries continue to introduce rules and policies for cross-border data transmission to strengthen their own control over data resources in order to occupy a favorable position in the global digital economy development pattern. At the same time, only the flow of data can generate economic dividends. How to balance cross-border data flow will greatly promote cross-border cooperation while also better safeguarding sovereign states’ rights to personal privacy, corporate business interests, and national security. On the issue, a brand-new challenge in legal regulation has been raised.
(1) Interpretation of my country’s Personal Information Protection Law:
01 Pre-conditions for cross-border provision of personal information
my country’s Personal Insurance Law has formally established a system of rules for the cross-border flow of personal information in our country, stipulates that personal information should be stored within the country as a principle, and established the rules for providing personal information overseas under the conditions prescribed by the law.
It can be seen that the cross-border flow of personal information in my country will affect personal privacy, corporate interests and even national security, and the cross-border flow of data is irreversible, and it has adopted the method of pre-supervision of cross-border transmission of personal information.
Article 38 of the Individual Protection Law clearly stipulates that if a personal information processor really needs to provide personal information outside the People’s Republic of China due to business needs, it shall meet at least one of the following conditions:
Pass the security assessment organized by the national cybersecurity and informatization department in accordance with the provisions of Article 40 of this Law;
Conduct personal information protection certification by professional institutions in accordance with the regulations of the National Cyberspace Administration;
Enter into a contract with the overseas recipient in accordance with the standard contract formulated by the National Cyberspace Administration of China, stipulating the rights and obligations of both parties;
Laws, administrative regulations, or other conditions stipulated by the national cybersecurity and informatization department.
Where the international treaties and agreements that my country has concluded or participated in have provisions on the conditions for providing personal information abroad, they can be implemented in accordance with those provisions.
First of all, starting from the analysis of the original meaning of the law, at least one of the conditions should be met, but in practice, it is better if other conditions can be met at the same time.
Secondly, it should be noted that security assessment or personal information protection certification is not just enterprise self-assessment or self-certification, but both need to be carried out under the arrangement and organization of the national cybersecurity and informatization department. According to the “Measures for the Security Evaluation of Personal Information Exiting Borders (Draft for Comment)” issued by the Cyberspace Administration of China in 2019, the rules related to security evaluation are still in the stage of soliciting comments, and there are no other further mandatory regulations and policy guidelines for the time being.
Therefore, although there is no specific standard contract designated by the national cyberspace administration, compared with the former two, the current more feasible way for multinational companies to conduct cross-border transmission of personal information is to adopt a “contract with overseas recipients”. The method of “contracting” requires the provider and the recipient company to sign a contract to agree on the rights and obligations of both parties in the handling and protection of personal information.
02 Basic requirements for cross-border provision of personal information
Cross-border transmission is a type of personal information processing activity. Therefore, when “pre-conditions” are met, when companies provide personal information overseas, they still need to continue to follow the basic requirements of my country’s personal protection law, including: :
The data subject informs the identity and contact information of the overseas recipient, the processing purpose of the personal information, the processing method, the type of personal information, the corresponding rights of the data subject, and the retention period (and the shortest time necessary to achieve the processing purpose, etc.);
Obtain the individual consent of the data subject;
Conduct a preliminary personal information protection impact assessment (DPIA or PIA)
Take necessary measures to ensure that the processing of personal information by overseas recipients meets the personal information protection standards required by the individual protection law;
Ensure that overseas recipients are not included in the blacklist of the national cyberspace administration (listed in the list of announcements restricting or prohibiting the provision of personal information).
03 Equivalent requirements for cross-border provision of personal information
Our country’s personal protection law has established the “equivalence principle” for cross-border transmission of information, that is, if the information receiving country and region adopts discriminatory prohibitions, restrictions or other similar measures against our country in terms of personal information protection, our country can follow the actual situation. Take equivalent prohibitions, restrictions or other similar measures to the country or region. Under such circumstances, when personal information is provided to these countries or regions, it will be subject to corresponding restrictions and specific analysis will be required depending on the situation.
04 Special requirements for cross-border provision of personal information
When providing personal information abroad, you also need to pay special attention to the nature and quantity of the personal information being transferred.
For key information infrastructure operators, as well as personal information processors that process personal information up to the amount prescribed by the national cyberspace administration, they should:
Store personal information collected and generated in China in China;
If it is really necessary to provide it overseas, it shall pass the security assessment organized by the national cybersecurity and informatization department; however, if laws, administrative regulations and the national cybersecurity and informatization department stipulate that the security assessment may not be performed, the provisions shall be followed.
The identification of “critical information infrastructure” is reflected in the “Regulations on the Security Protection of Critical Information Infrastructure” that has just come into effect, mainly referring to public communications and information services, energy, transportation, water conservancy, finance, public services, and e-government , National defense technology industry and other important industries and fields, as well as other important network facilities, information systems, etc. that, once damaged, lost function, or data leaked, may seriously endanger national security, national economy, people’s livelihood, and public interests.
Regarding the definition of “personal information reaching the amount prescribed by the national cybersecurity and informatization department”, please refer to the “Cyber Security Review Measures (Revised Draft for Solicitation of Comments)” issued by the Cyberspace Administration of China in July this year, and the “Personal Information” issued by the Cyberspace Administration of China in 2017. Provisions in the Measures for the Security Evaluation of the Exit of Information and Important Data (Draft for Solicitation of Comments).
Provisions on assisting overseas judicial enforcement
my country’s personal protection law sets a very high threshold in this regard, clearly stipulating that personal information stored in my country cannot be provided to foreign judicial or law enforcement agencies without the approval of my country’s competent authority. It can be seen that my country has also emphasized and adopted the principle of prior supervision in this situation. Even if various security assessments, data subject consent, personal information protection certification and other methods are carried out, they cannot be provided to overseas judicial or law enforcement agencies. Conditions, and only with the clear approval of the Chinese competent authority before they can go abroad.
(2) Comparison of major overseas personal information protection laws:
In terms of cross-border data flow, it can be seen that countries are constantly strengthening the rules and restrictions on cross-border data transmission, which reflects the awareness of sovereign states to control their own data resources. Looking at the management ideas of various countries in the cross-border flow of data, the two approaches led by the United States and the European Union are the main ones.
The United States advocates the “free flow of data” in terms of data inflow, and emphasizes the use of US technology and data resources to promote the development of the digital economy; in terms of data outflow, it uses export controls to restrict high-tech, dual-use data Outbound.
The EU has chosen the cross-border data management model of “loose within the EU and tight outside the EU”. In the EU, the “Regulations on the Free Flow of Non-Personal Data” have been adopted to promote the free flow of data within the EU. At the same time, the “General Data Protection Regulation” (GDPR) has been adopted to determine the EU data protection legal framework and strengthen the control of data outflows abroad. In addition, the protection of EU personal data has been strengthened through long-arm jurisdiction.