Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
How are China's new cross-border data transfer requirements different from what is generally required in the rest of APAC?
Before I answer that question, let me provide some background. Cross-border transfers of HR data are the lifeblood of global organizations. HR leadership needs information on employees worldwide to manage the workforce, regionally and globally for global succession planning, to conduct cross-border investigations, and much, much more. Also, multinational corporations in today's world rely heavily on global service providers to support HR functions.
Currently, transferring personal information within APAC is relatively straightforward. Many APAC countries have enacted comprehensive data protection laws, but these laws allow for cross-border data transfers with employee consent. Some examples of these countries include Indonesia, Japan, Malaysia, the Philippines, South Korea, and Thailand. A few APAC countries impose additional requirements.
Singapore, for example, requires a data transfer agreement, but none of them are like what's coming in China. Effective November 30, 2023, employers in China will have to meet four requirements to transfer personal information outside the PRC. Like other APAC countries, China requires that employers obtain employee consent. What else is required? China based employers will have to conduct a transfer risk assessment to assess the risk to transfer data after it arrives in the destination country.
In addition, the exporting subsidiaries in China and the receiving subsidiaries outside the PRC will need to execute a data transfer agreement in the form of the standard contract approved by the Cybersecurity Administration of China. The transfer risk assessment, the standard contract and several ancillary documents will have to be filed with the provincial office of the Cybersecurity Administration, and organizations will have to obtain government approval for the data transfer based on those filings.
These requirements will apply as well to transfers from China based subsidiaries to global vendors located outside the PRC. So what are the implications for global employers with a presence in China? First, start now preparing all of the necessary documentation is going to take some time. Second, the starting point is understanding the facts of the data transfers, conducting data mapping, identifying the corporate group members in China that will export HR data on China employees and the receiving entities outside of China.
Also inventory all global service providers that will receive HR data from China. After that fact finding is complete, consider whether any of the recipients can be eliminated to reduce the burden of the transfer risk assessment and preparing the standard contract, and also of obtaining approval from the provincial CAC. And last, if your organization has multiple subsidiaries in China, think about strategies you can follow to reduce the number of filings with provincial CACs.
If your organization needs help working through any of these new and complex requirements, Littler has the resources to assist you.