Freshfields Risk & Compliance

China cross-border data transfers – revised requirements for security assessment and standard contract filings

Our earlier briefing summarised the new rules on cross-border data transfer issued on 22 March 2024. Accompanying the new rules, the Cyberspace Administration of China (CAC) also released revised guidelines for filing applications for security assessment and standard contracts.

The key changes:

Security assessment filing

  • Most applications can now be made online through a new dedicated online filing system (https://sjcj.cac.gov.cn). The supporting documentation remains the same, namely:
    • A data transfer security assessment declaration (in a template form) 
    • A data transfer agreement, etc. with the overseas recipient (in practice the CAC expects the standard contract to be used for this)
    • A self-compiled impact assessment report.
  • The application form no longer requires an identity card number for a person in charge of the overseas recipient. This individual’s name, position and contact information are, however, still required.
  • In security assessment applications under the previous rules, the CAC had been strictly focused on the necessity of data transfer, in particular for higher sensitivity categories of data. Organisations were being asked to justify the frequency and quantity of the data they were transferring, and to explain why related functions and processes could not be supported from within China. In keeping with this focus on the necessity of transfer, the new Guidelines now require applicants to list separately all items of transferred data, and to explain individually why it is necessary to transfer each item of data out of China. A table format has been prescribed for this disclosure, which the CAC requires applicants to follow.
  • It is no longer required to describe either (a) the cyber security and data protection laws and policies in the jurisdiction of the overseas recipient, or (b) the processing activities the overseas recipient will carry out (although this unavoidably will form part of the necessity justification).

Standard contracts

  • The CAC has similarly removed the requirement for the data exporter’s technical and organisational measures (TOMs) to be set out and evidenced.
  • The processing activities the overseas recipient will carry out no longer need to be described.
  • No material changes have been made to the terms of the standard contract itself. Among other things, the standard contract includes controls on onward transfers of personal data by the overseas recipient (including to service providers), requires the overseas transferee to submit to the CAC’s supervision and enables data subject rights to be exercised directly against the overseas transferee.
  • On the other hand, the Guidelines take the position that scenarios in which the PIPL applies extra-territorially are also to be viewed as cross-border data transfers (in addition to direct transfers by a Chinese entity and remote access, etc. from overseas). These extra-territorial scenarios are similar to those under the GDPR, namely (i) the provision of products or services to Chinese consumers, and (ii) analysis of the behaviour of individuals in China (e.g., profiling or monitoring, etc.), when conducted from outside of China. It is, however, unclear with whom the standard contract should be entered into in these scenarios. Clarification will be needed from the CAC.