April 2024 - Update on the new regulations of data transfer relating to personal information in China

Pursuant to the PRC Personal Information Protection Law (PIPL), if a personal information handler needs to transfer personal information outside of China, it shall fulfill at least one of the following pre-requisites:
- Perform a self-assessment on data security of the outbound data transfer and submit it to the Cyberspace Administration for registration and review.
- Obtain a certification issued by a specialized agency on protection of personal information in accordance with the provisions of the Cyberspace Administration.
- Sign a Standard Contract, following the template released by the Cyberspace Administration, with the overseas recipient and submit for registration.

As the regulatory landscape for data protection in China continues to evolve, the Cyberspace Administration of China (CAC) issued a new regulation, Provisions on Promoting and Regulating Cross-border Data Flows[ref1], on March 22, 2024. This regulation, effective as of March 22, 2024, includes exemptions of the above pre-requisites for certain types of data transfers, such as those necessary for the conclusion or performance of contracts to which the data subjects are parties, and transfers for HR management purposes.

 

Key takeaways for multinational companies on employee personal information management in China

The new provisions provide exemptions for transferring employee personal information, excluding critical data[ref2], for implementing HR management according to employment policies and collective labor contracts. This is particularly relevant for multinational companies managing global workforces and sharing HR data across borders.

1. Compliance with PIPL

The law emphasizes the importance of obtaining explicit consent from employees for data collection and use.

 

2. Data Collection Minimization

Companies should only collect employee information that is necessary for the performance of employment-related activities.

 

3. Cross-Border Data Transfers

This may involve conducting security assessments and ensuring that the recipient country has adequate data protection measures in place.

HR departments should ensure that employees are fully informed of how their data is collected, used, and transferred, and that separate written consent is obtained from the employees.

 

4. Record Keeping and Accountability

Establish a system of accountability for personal information protection compliance.

 

5. Continuous Compliance Efforts

Regularly review and update data protection policies and practices to align with evolving legal requirements and technological advancements.
 

In summary, while the new regulation offers some relief for cross-border data transfers, it also underscores the importance of maintaining robust personal information protection practices. Companies shall ensure that they manage employee personal information in a manner that complies with Chinese laws, put in place sufficient safeguards for personal information, and obtain a separate consent letter from each employee when transferring personal information outside of China.

Should you have any questions or require further guidance, please do not hesitate to reach out to us.

 

References:

[ref1] Provisions on Promoting and Regulating Cross-border Data Flows, the official regulation issued on March 22, 2024

[ref2] Rules of Data Classification, effective from October 1, 2024