AMCHAM Newswire Press Release
For Immediate Release
Implementing Regulations for Data Exports in China: What Do They Mean for Your Company?
July 30, 2023
Beijing, China – AMCHAM® is delighted to announce a comprehensive analysis of the new implementing regulations for data exports in China, empowering Foreign Invested Enterprises (FIEs) with invaluable insights. The esteemed legal experts, Jacob Blaclock, Cecilia Zhu, and Kenan Jiang from Lehman, Lee & Xu China Lawyers, have delved into the implications of these regulations, providing crucial clarity for businesses operating in China’s dynamic landscape of data protection.
Navigating China’s Data Protection Landscape:
In response to escalating concerns over data security and privacy, the Cybersecurity Administration of China (CAC) has introduced a set of implementing regulations encompassing three pivotal data protection laws: the 2017 Cybersecurity Law (CSL), the 2021 Data Security Law (DSL), and the 2021 Personal Information Protection Law (PIPL). These regulations aim to streamline data protection practices and ensure regulatory compliance for FIEs.
Key Highlights of the Implementing Regulations:
1. Draft Provisions on Standard Contracts for Outbound Transfers of Personal Information: Seeking public comments, this regulation outlines guidelines for FIEs on utilizing Standard Contractual Clauses (SCCs) for secure cross-border data transfers. The SCC approach offers simplicity and is particularly favored by small and medium-sized enterprises. To adopt SCCs, companies must meet specific eligibility criteria, including not being a Critical Information Infrastructure (CII) operator and adhering to defined data transfer volume restrictions.
2. Security Assessment Measures for Outbound Data Transfers: Effective from September 1, 2022, this regulation focuses on conducting security assessments for personal information and important data transferred outside China. Companies providing important data abroad or processing personal information for a substantial number of individuals must comply with these Security Assessment requirements.
Routes for Data Transfer Outside of China:
Businesses have three main options for data transfers outside of China:
1. Adopting China Standard Contractual Clauses (SCC): Small and medium-sized companies often prefer this route due to its simplicity. However, companies must ensure they meet the eligibility requirements set forth by the CAC.
2. Passing Security Assessment: Covering cross-border transfers of personal information and important data, companies must conduct a thorough self-assessment before applying for a Security Assessment. Complying with Security Assessment requirements is crucial for FIEs transferring important data or processing significant amounts of personal information.
3. Obtaining Certification: While specific regulations on Certification are yet to be established, relevant institutions have issued standards for its implementation. Certification can be utilized for company intra-group data transfers or by overseas processors within the extra-territorial scope of PIPL.
Expert Guidance for Regulatory Compliance:
Lehman, Lee & Xu China Lawyers, AMCHAM®’s exclusive legal service provider, offers unparalleled expertise to companies navigating these new regulations. Their experienced data compliance counsel can assist in interpreting the regulations and developing a customized compliance strategy. For more information, visit www.lehmanlaw.com or reach out to the team at Lehman, Lee & Xu China Lawyers.
Suggested Action Plan for Foreign Invested Enterprises:
1. Conduct a Compliance Assessment: Evaluate current data processing practices to determine alignment with the new regulations. Identify potential risks and areas requiring improvement.
2. Determine Applicable Route: Choose the most suitable route for data transfers based on the company’s size, data volume, and operational requirements. Decide between adopting SCCs, undergoing a Security Assessment, or pursuing Certification.
3. Implement Necessary Measures: Ensure data protection policies and practices align with the selected route. Collaborate with IT and legal teams to implement required security measures and internal controls.
4. Employee Training: Conduct training sessions to educate employees about data protection regulations and their roles in compliance.
5. Maintain Documentation: Keep comprehensive records of data transfer agreements, self-assessment reports, and other relevant documentation for regulatory review.
6. Review and Renewal: Regularly review compliance measures to ensure ongoing adherence to regulations. Renew or re-apply for Security Assessment or Certification when required.
About AMCHAM®:
AMCHAM® plays a pivotal role in fostering trade, investment, and cultural exchange between the United States, greater China, and the global community. As a leading advocate for business interests, AMCHAM® empowers economic growth and cooperation on an international scale. For legal inquiries, please contact mail@amchamus.org or visit www.amchamus.org.
Contact Information:
For media inquiries or interviews, kindly contact:
Cecilia Zhu, Lehman, Lee & Xu China Lawyers
czhu@lehmanlaw.com