Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
Multinational employers operating in China have been waiting since September 2023 for the Cyberspace Administration of China (CAC) to finalize proposed revisions to its complex and burdensome rules for cross-border data transfers. Relief arrived on March 22, 2024, when the CAC published the “Provisions on Promoting and Regulating Cross-border Data Flows” (the “Approved Provisions”), which went into effect on the same day. The Approved Provisions adopt three key changes, first proposed in September 2023, to the CAC’s original cross-border data transfer rules, which were published in February 2023. While these changes will substantially reduce multinational employers’ compliance burdens when transferring human resources (HR) data and business contact information (BCI) out of China, the changes do not eliminate all compliance obligations. In this ASAP, we will explain the new, burden-reducing exemptions and describe the compliance obligations that remain in effect.
Statutory and Regulatory Background
Since its November 1, 2021 effective date, China’s Personal Information Protection Law (PIPL) has established the following requirements for transfers of personal information overseas:
- Providing notice to data subjects of the overseas transfer of their personal information;
- Obtaining the express consent of the data subject to the cross-border data transfer;
- Conducting a “transfer impact assessment” (TIA) to assess the risks associated with the data transfer; and
- Executing a standard data contract issued by the CAC.
On February 22, 2023, the CAC published the “Measures for the Standard Contract for the Export of Personal Information” (“Measures”), which, among other things, included the “Personal Information Export Standard Contract” (“Standard Contract”) as well as a comprehensive and burdensome form for completing the TIA. The Measures imposed a November 30, 2023 deadline on multinational employers to execute the Standard Contract, complete the TIA, and file both with each relevant provincial office of the CAC — depending on the location of each subsidiary in China.1
In response to concerns expressed by the European business community and others over the complexity and burden of the process, particularly for transfers of HR data and BCI, in late September 2023, the CAC proposed the “Provisions on Regulating and Promoting Cross-border Data Flows” (draft for comments) (“Proposed Provisions”). The Proposed Provisions created several exceptions, including exceptions applicable to HR data and BCI, from the requirements to enter into the Standard Contract and to file it and the TIA with the CAC.2 As the November 30, 2023 deadline came and went, multinational employers with a presence in China — particularly B2B companies which collect only HR data and BCI — anxiously awaited the CAC’s final word on the Proposed Provisions.
The Approved Provisions’ Exceptions for Cross-Border Transfers of HR Data and BCI
In a piece of good news for multinational employers, the Approved Provisions maintained the exceptions in the Proposed Provisions, substantially easing the compliance burdens associated with the cross-border transfer of HR data and BCI. With respect to HR Data, this means subsidiaries of multinationals in China are not required to enter into the Standard Contract, when the transfer of HR data from China is truly necessary to carry out cross-border HR management in accordance with the employer’s internal labor rules and regulations and collective contracts.
While the Approved Provisions do not expressly exempt BCI from the requirement to execute the Standard Contract, they do exempt virtually all businesses from the requirement to enter into the Standard Contract where the business transfers, in a calendar year, the personal information of fewer than 100,000 individuals. It is highly unlikely that overseas transfers of BCI from a China-based subsidiary would exceed this threshold.3
Perhaps of greatest importance to multinational employers, the Approved Provisions necessarily eliminate the need to file the TIA with the Chinese government. The Approved Provisions specifically state that to the extent the Measures are inconsistent with the Approved Provisions, the Approved Provisions control. The Approved Provisions do not require the filing of the TIA. In addition, the Measures linked the filing of the TIA with the filing of the Standard Contract. For multinational employers no longer required to execute and file the Standard Contract, the elimination of any requirement to file the TIA is logical.
Multinational Employers Must Still Comply with the PIPL’s Requirements before Transferring HR Data and BCI Overseas
The Approved Provisions emphasize that all provisions of the PIPL related to cross-border data transfers not subject to an exception continue to apply. As a result, multinational employers still are required to satisfy the following compliance obligations before transferring HR data and BCI overseas:
- Provide notice to employees and business contacts that their personal information will be transferred overseas;
- Obtain their express consent to the transfer; and
- Complete the TIA.
While the requirement to complete the TIA remains, the elimination of the requirement to file the TIA with Chinese authorities provides some leeway for multinational employers to be less rigorous when completing the TIA. The elimination of the filing requirement also eliminates the risk that Chinese authorities would determine that a filed TIA was inadequate and then order the suspension of cross-border transfers of HR data and BCI until the multinational employer secured the Chinese government’s approval of a revised TIA.
Takeaways
While the Approved Provisions reduce the compliance burden on multinational employers that transfer HR data and BCI outside of China, multinational employers should not lose sight of the compliance obligations that remain. Multinational employers must ensure that a workflow process exists for the distribution of notice / consent forms to workforce members and business contacts whose personal information is transferred outside of China. This should be coupled with a process for storing the executed consent forms. Multinational employers must still complete the TIA, a process which has the benefit of helping to reduce data protection and data security associated with the cross-border data transfers. While the TIA no longer needs to be submitted to Chinese authorities for approval, multinational employers should be mindful that in the event of a government inquiry — for example, in response to a report of a data breach or an employee’s complaint — the TIA may need to be produced and subjected to government scrutiny.
See Footnotes
1 See Philip Gordon, Grace Yang, Morgan Matson, Kwabena Appenteng, and Zoe Argento, With a Key Deadline Fast Approaching, Now Is the Time to Address the New and Complex Requirements for Data Transfers Outside of China, Littler Insight (Sept. 25, 2023).
2 See Philip Gordon, Grace Yang, Morgan Matson, Kwabena Appenteng, and Zoe Argento, Strategy to Address China’s Recent Proposed HR Exception to Facilitate Cross-Border Data Transfers, Littler Insight (Oct. 31, 2023).
3 There are two other potentially applicable exceptions from the requirement to execute the Standard Contract: (a) where the transfer is truly necessary to provide personal information overseas for the purposes of entering into or performing a contract to which the data subject is a party (e.g., cross-border shopping), and (b) where the data transfer is necessary in a situation to protect the life, health, property, or safety of an individual.