China’s Rules on Cross-Border Data Transfer

In 2023, several new regulations on data protection and cybersecurity have been implemented in China, with a particular focus on the cross-border transfer of personal data. Specifically, the Cyberspace Administration has developed the official Chinese version of a data processing agreement known as the "Standard Contract," comparable to SCCs in Europe.

In summary, the Standard Contract provides a regulatory framework for the secure and compliant transfer of personal information, establishing key provisions regarding the responsibilities of personal information processors and overseas recipients, the rights of data subjects, and other crucial aspects of data protection.

From December 2023, it will be necessary to implement the Standard Contract between the Chinese entity and all entities receiving personal data generated by the entity in China.

The submission process will involve a provincial-level CAC review, with a commitment to respond within 15 working days, declaring whether the submission materials have been approved, rejected, or if additional materials are required.

Before the transfer of personal data, a personal data processor must prepare a Privacy Information Protection Impact Assessment Report ("PIPIA Report"), which must be submitted for registration along with the Standard Contract and other required materials.

The Personal Information Protection Impact Assessment and the supporting evidence to be submitted to the Cyberspace Administration, providing arguments for the transfer and the legal basis, are particularly complex. These procedures must be carried out in accordance with the principle of minimizing the transfer of data abroad.