Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that use online IT services, cloud-based services, remote access services and global HR databases.
Cybersecurity Law requires “critical information infrastructure” providers to store “personal information” and “important data” within China unless their business requires them to store data overseas and they have passed a security assessment. At this point, it remains unclear what qualifies as “critical information infrastructure” or “important data,” although the inclusion of “important data” in the text of the law alongside “personal data” means that it likely refers to non-personal data.
The National Standard of Information Technology – Personal Information Security Specification (个人信息安全规范, GB/T 35273-2020), effective October 1, 2020, includes suggested best practices relating to personal data. When transmitting or storing sensitive personal information, the Specification recommends that security measures, such as encryption, should be used.
In addition, before sharing or transferring sensitive personal information, network operators should inform data subjects of the type of sensitive personal information involved and of the identity and data security capabilities of the data recipient, and should obtain the data subject’s prior, express consent.
The Specification does not establish standards specifically related to employers or the collection, use or disclosure of employees’ personal data. That said, the definition of “personal data controller” is broad enough to include employers as data controllers with respect to their employees’ personal data.
Chinese law does not specifically address transferring employee data out of China. The “Draft Measures for the Security Assessment of Personal Information to be Transferred Abroad” include a detailed definition of “personal information” and an assessment requirement that applies before personal information is transferred abroad. This definition of personal information would likely cover most categories of employee data, to the extent the information is individually identifiable.
Under the Draft Measures, if a network operator transfers personal information collected in China outside the country, a security assessment should be conducted. If it is determined that the transfer of personal information may affect national security or harm the public interest, or that the security of the personal information cannot be effectively safeguarded, the personal information should not be transmitted outside of China. To safeguard the personal information, network operators should conclude contracts with the recipients (who are outside of China) that specify the purpose, type, retention period and other necessary protection measures. In addition, network operators should keep records of overseas transfers of personal information and retain them for at least five years.
The Draft Measures also allow authorities to request that a network operator suspend or terminate transferring the information outside of China, if:
- a large data leakage, data abuse or other event occurs by either the network operator or the recipient of the data;
- the subject of personal information is unable or has difficulty safeguarding their legitimate rights and interests; or,
- the network operator or recipient is unable to guarantee the security of personal information.
The Draft Measures have not yet been finalized and are therefore not binding at this time.