Over the past few years, China’s central government regulators have established a robust framework for cybersecurity, data security and personal information protection. These laws stipulate a number of requirements and obligations for any entity operating in China, as well as for foreign entities that have no legal presence in China but provide certain products or collect data there (see FAQ “Do I need to comply with China’s cybersecurity laws?”).
A central part of the framework relates to cross-border data transfers. The requirements and procedures are summarised as follows:
- Personal information (PI):
  - If the PI to be transferred abroad in one calendar year does not exceed 100k individuals, or does not exceed 10k sensitive PI, it can be transferred freely.
  - If the PI to be transferred abroad in one calendar year exceeds 100k individuals but does not exceed 1 million individuals, the data processor must sign Standard Contract Clauses with the offshore receiver and submit them to the Chinese authorities; if the data processor and the offshore receiver belong to the same business group, a certification might be obtained.
  - If the PI to be transferred abroad in one calendar year exceeds 1 million individuals and/or 10k sensitive PI, a security assessment must be completed with the Chinese cybersecurity regulators prior to the cross-border transfer. The process is extremely long and complex.

  If the personal information is anonymised so that it cannot be restored to its original state, it is not subject to cross-border transfer restrictions (unless it is classified as “important data”; see below).
- Data:
  - Important data: data that, if tampered with, leaked, compromised, or illegally acquired or used, may cause harm to China’s national security or public interest. It can be transferred overseas only after a security assessment has been completed with the Chinese cybersecurity regulators. The process is extremely long and complex.
  - Generic data: any data that is not important data.
China has issued a number of standards for identifying important data, including general principles as well as guidelines for specific sectors. In practice, operators will be notified by the relevant authorities if the data they process is considered important data. Chinese Free Trade Zones are also publishing detailed “negative lists” to regulate cross-border data transfers from their jurisdictions.
So far, the impact on EU SMEs is more limited than on large multinational corporations and research institutions. Exceptions arise where EU SMEs have active R&D operations within China and operate in highly strategic sectors (e.g. semiconductors, mining) and/or in sectors where massive amounts of personal information are collected (e.g. life sciences, automotive).
Finally, note that remote access from abroad to a document hosted in China is also considered a cross-border data transfer, even if no transfer takes place per se.
The EU SME Centre has developed a solid body of materials and knowledge in this field. For more details, please reach out to us via the Ask the expert service.