Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
|
Multinationals with employees in the People’s Republic of China (PRC) continue to confront a November 30 deadline to implement China’s new cross-border data transfer mechanism—the Standard Contract. This implementation requires not just completion of the standardized data transfer agreement but also completion of a complex transfer impact assessment and submission for approval of these and related documents to the relevant provincial offices of the CAC . In recent weeks, however, the CAC announced proposed provisions that countermand the original requirements, particularly with regard to HR data flows.
What Occurred
On September 28, 2023, right before the beginning of the Mid-Autumn Festival and National Day holiday, the CAC released a set of proposed provisions – the Provisions on Regulating and Promoting Cross-border Data Flows (draft for comments) (the “Proposed Provisions”) to facilitate the cross-border flow of data out of the PRC. The Proposed Provisions establish a number of exceptions to the requirement to enter into the Standard Contract and the accompanying requirement to file it and a personal information protection impact assessment the with the CAC. The Proposed Provisions specifically provide an exception for transfers of HR data, stating that “it is not necessary to conclude the Standard Contract…where the personal information of internal staff must be provided overseas to carry out human resources management in accordance with lawfully drafted labor rules systems and lawfully concluded collective contracts.”
There are additional exceptions outlined in the Proposed Provisions that may apply to a multinational employer. For example, the Proposed Provisions permit pilot free-trade zones (e.g., the Shanghai Free Trade Zone) to establish their own exceptions to the general requirement to execute the Standard Contract. The Proposed Provisions also eliminate the need for the Standard Contract and filing with the provincial CAC where it is estimated that the personal data of fewer than 10,000 individuals will be transferred overseas in a year. These exceptions extend beyond HR data to business contact information and other types of personal data, thus creating a patchwork of potential exceptions to the requirement to enter into the PRC’s Standard Contract and file with the provincial CAC.
The Proposed Provisions were open for public comment through October 15, 2023. As of this writing, the CAC has not indicated if or when the Proposed Provisions will become effective. However, the Proposed Provisions are likely a geopolitical move by the Chinese government to address pressure from foreign investors to ease the flow of information out of China. To have the intended impact, the Proposed Provisions will need to be adopted before the November 30th compliance deadline.
Anticipated Impact of the Proposed Provisions on Data Transfer Requirements
If the exception for HR data is ultimately adopted and construed broadly, business-to-business multinationals likely will find significant relief from having:
- to enter into the Standard Contract;
- to file with the relevant provincial office of the CAC the Standard Contract and the “personal information protection impact assessment” (hereinafter referred to as a “transfer impact assessment” or “TIA” to be more aligned within the context of cross-border data transfers)
By offering to shed the obligation to file the Standard Contract and the TIA, the PRC is removing layers of bureaucratic confusion and barriers to the flow of data. If approved, qualifying multinationals will no longer need to interact with one or more provincial CACs to obtain governmental approval for cross-border transfer of HR data.
Nonetheless, China’s Personal Information Protection Law (PIPL), Articles 55 and 56, requires a personal information handler (“PI Handler” or “Data Exporter”) to conduct a TIA for cross-border data transfer and to retain the TIA for at least three years. The Proposed Provisions do not modify this requirement. In other words, if the Proposed Provisions are approved as-is, only the obligation to file the TIA with the provincial CAC would be eliminated, but not the need to complete a TIA.
That raises the question whether the multinational is required to use the TIA template form published by the CAC in its Measures for the Standard Contract for the Export of Personal Information (“Measures”). As described in our previous Insight on this issue, the form TIA published by the CAC identifies six areas that the risk assessment must address including, for example, the types, quantity and sensitivity of transferred personal data; the Overseas Recipient’s safeguards for transferred personal data; and the impact of local law on the Overseas Recipient’s ability to fulfill its legal obligations. With time, we may see some changes to the form TIA to be more aligned with any final version of the Proposed Provisions. However, for now, to the extent possible, we strongly recommend that the organization use the government-issued TIA form. We anticipate that Chinese authorities will expect personal information handlers to use this form if the authorities ever audit compliance with the PIPL’s requirements.
The Proposed Provisions raise many other questions of interpretation. For example, the HR exception appears to focus on internal labor rules as the alternative mechanism to safeguard the transfer. The “labor rules systems” (employer rules and regulations similar to a U.S. employee handbook) will likely need to be amended in accordance with the Proposed Provisions (if approved in current form). This will require a shift in many multinationals’ current compliance approach. Employers’ labor rules and regulations are required in China, but many companies do not have updated or enforceable documents. Not only will the employer need to review and update the documents, but it will also need to plan for rolling out the changes. Among other things, employers need to follow a democratic procedure to implement the rules and regulations to render them binding on employees.
If and until the Proposed Provisions are adopted, we will not know how extensively the CAC will gut the current requirements with exceptions. Furthermore, assuming the HR exception is ultimately approved, we likely will not have clarity from the Chinese authorities in the immediate future regarding the correct interpretation of any exceptions in the Proposed Provisions (if adopted) and will need to (continue to) navigate the uncertainty.
Next Steps for Employers with Chinese Subsidiaries
We encourage employers to initiate and focus on the TIA now because the obligation to complete a TIA does not appear to be affected by the language of the Proposed Provisions. As the TIA is a complex legal document, by carrying on the TIA work, the organization would likely be in a better position to meet the compliance deadline in the event the Proposed Provisions are not approved quickly. Further, we recommend holding off on performing work on other aspects of a PRC compliance project until we have more information about the fate of the Proposed Provisions. Employees that choose to hold off on all China data transfer compliance work may need to be prepared for a rush project in the event the Proposed Provisions change or are not approved quickly.
We are closely monitoring the situation and will update you on any news or changes.