Employers with operations in China could face steep financial penalties and even criminal charges for violating new rules for transferring employee or customer data out of the country.
Companies that meet certain thresholds must undergo a security assessment by the Cyberspace Administration of China to lawfully export data, said Todd Liao, an attorney with Morgan Lewis in Shanghai.
The compliance grace period for such companies ended on Feb. 28, he added.
“China’s regulatory regime for cross-border data transfers is evolving fast, which shows the accelerated legislation progress and the government’s determination in enhancing the supervision over the cross-border data transfer,” he said.
Nan Sato, an attorney with Fisher Phillips in Philadelphia, cautioned that businesses need to take heed of the new requirements.
“Companies need to gain a full understanding of the threshold that triggers pre-transfer government review. They must also be extremely careful about complying with the procedural requirements before any international data transfer can take place,” she said.
“Due to the cooling relationship between China and the U.S., enforcement against U.S. companies is expected to increase, so employers will do well to come into compliance as soon as possible,” she added.
China’s cross-border data security and protection measures arose from its Personal Information Protection Law (PIPL), which Sato called “one of the most stringent personal data privacy laws in the world in terms of its extraterritorial reach, penalties” and the enforcement power given to the government’s Cyberspace Administration.
Compliance Steps
To transfer personal data to another country from China under the PIPL, Sato noted in an article on the topic, a company must satisfy one of the following conditions:
- Pass the security assessment conducted by China’s Cyberspace Administration.
- Be certified by a designated institution in accordance with Cyberspace Administration regulations.
- Sign a contract with the overseas recipient of the information in accordance with the standard contract formulated by the Cyberspace Administration to stipulate the rights and obligations of both parties.
- Otherwise be permitted to do so by other laws, administrative regulations or the Cyberspace Administration.
The company or individual controlling the data also must provide notice to and obtain consent from affected individuals, according to Sato. If the amount of data collected reaches a certain threshold, the company must store it in China or, if international transfer is necessary, undergo an assessment and receive approval from the Cyberspace Administration, she noted in her article.
“Employers that transfer the employees’ personal information or other data generated or collected in China need to evaluate and consider which pathway is applicable to them for their data export practice,” Liao said.
The new measures for the data export security assessment set out which parties must submit their cross-border data transfers to the Cyberspace Administration for assessment.
Those seeking to transfer “important data”—that is, information that could endanger national security, the economy, social stability, or public health and safety, for instance—must undergo the assessment, according to Sato. Those who have transferred personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals from China since Jan. 1 of the previous year must do the same, she said in an interview.
Liao cited two further categories that must undergo Cyberspace Administration assessment: critical information infrastructure operators, and parties handling the personal information of more than 1 million individuals, in either case whenever they transfer personal information abroad.
To comply with the relevant laws, companies operating in China must do the following before transferring data internationally, according to Sato:
- Execute an international data transfer agreement in accordance with the standard contract formulated by the Cyberspace Administration.
- Prepare or update local law-compliant data privacy notifications for employees and customers in China.
- Review company international data transfer policies and practices to ensure compliance with Chinese law.
- Conduct a separate and thorough data inventory analysis for China, and if the total amount has exceeded the threshold that triggers the pre-transfer review, work with counsel to report the proposed transfer to the Cyberspace Administration for assessment and approval.
Compliance with the EU’s General Data Protection Regulation doesn’t guarantee Chinese Personal Information Protection Law compliance, Sato said.
“Many employers are not complying with these measures because most of them are unaware of these measures and their requirements,” she noted. “Once our clients find out about these new requirements, they have asked us to implement a standard contract and follow the other steps discussed above.”
Severe Penalties
Penalties for noncompliance could be severe, including fines of up to 50 million yuan (approximately $7.1 million) or up to 5 percent of a company’s previous year’s business revenue.
Violators, including executives, also could face shame and lose points in China’s social credit system, and may be prohibited from doing business in China, according to Sato. In serious cases, she said, company executives could face time in prison.
Individuals directly liable for violations could face a fine of up to 1 million yuan (approximately $141,200), and may be prohibited from acting as a director, supervisor, senior executive or person in charge of personal information protection for relevant enterprises for a certain period, Liao said.
Dinah Wisenberg Brin is a freelance writer based in Philadelphia.