China cross-border data transfer: Navigating legal complexities
Stricter regulations for cross-border data transfers, such as risk impact assessments, now apply in China. The Ecovis experts explain what companies that transfer data need to consider.
An example
Contemplating a new business idea, Mr. X from Heidelberg (Germany) explores the possibility of providing software support to Chinese companies through remote maintenance and repair services. While the geographical distance is no hurdle, a crucial aspect demands careful consideration: the handling of personal information.
Enhanced regulations for cross-border data transfer
Companies engaging in cross-border data transfer now face enhanced regulations in China. In addition to the mandatory standard contract (18 pages long), employers must submit an impact evaluation and gain approval from the provincial government bureau of the Cyberspace Administration of China (CAC) every time data crosses borders. The implementation of the Personal Information Protection Law (PIPL) in 2021 provides an extra challenge, mandating notification, individual approval, and adherence to CAC stipulations.
Deadlines and requirements
For Chinese companies, compliance involves adopting the standard contract for personal data transfers, effective from 1 June 2023. For ongoing transfers before this date, companies must submit the standard contract, transfer impact assessment, and related documents for approval by 30 November 2023.
Together with our Chinese partners, we can implement the new data transfer requirements for you.Richard Hoffmann, Lawyer, ECOVIS Rechtsanwaltskanzlei Richard Hoffmann, Heidelberg, Germany
What companies should do now
Navigating the CAC submission process requires precision. Each Chinese subsidiary of a company must file a contract with its local regulatory authority, taking into account unique filing guidelines in certain provinces such as Beijing and Shanghai. While local CACs are expected to align with national guidelines, differences in filing logistics may exist. Document reviews, especially for transfer impact assessments (TIAs), may vary locally.
The submission process takes approximately 15 working days, during which approval or rejection is determined. Importantly, anonymous inquiries about the application process are prohibited; inquirers must disclose the identity of the person handling personal information when contacting the CAC via phone or email.
For employers with Chinese subsidiaries, the next steps involve collecting data for the standard contract and transfer impact assessment, preparing TIAs for data recipients, and submitting these documents to the relevant local CACs. Navigating these legal intricacies demands meticulous preparation to ensure compliance with China’s evolving data transfer regulations.
For further information please contact:
Richard Hoffmann, Lawyer, ECOVIS Rechtsanwaltskanzlei Richard Hoffmann, Heidelberg, Germany
Email: richard.hoffmann@ecovis.com
Contact us:
Richard Hoffmann
ECOVIS European China desk
Lenaustrasse 1269115 Heidelberg
Phone: +49 6221 9985 639
www.ecovis.com/heidelberg