On 22 March 2024, the Cyberspace Administration of China (CAC) officially issued and implemented the "Regulations on Promoting and Regulating Cross-Border Data Flow" (Data Flow Regulations). These regulations will make it much easier for employers to transfer employee data across borders. This update summarises the key content of the Data Flow Regulations.
Before the implementation of the Data Flow Regulations
In our previous update, we analysed the cross-border data transfer mechanisms under China's "Personal Information Protection Law" (PIPL).
In short, the PIPL stipulates three statutory mechanisms for cross-border data transfer: (a) a security assessment conducted by the CAC (this is a mandatory requirement for operators of critical information infrastructure and large-scale cross-border data transfer); (b) personal data protection certification from a professional institution designated by the CAC; and (c) entering into a contract with the overseas data recipient based on the Standard Contract for Cross-border Transfer of Personal Information template prepared by the CAC (Standard Contract).
Prior to the implementation of the Data Flow Regulations, employers within China generally needed to enter into a Standard Contract with the overseas data recipient if they wanted to transfer employee data to overseas affiliated companies or employment management systems. The terms of the Standard Contract are set by the CAC and cannot be changed. While parties can agree to additional terms in an appendix, these terms cannot be inconsistent or conflict with the terms of the Standard Contract.
In addition, as personal data processors, employers must conduct a personal data protection impact assessment, prepare a report, and file the Standard Contract with the local CAC together with the personal data protection impact assessment report.
After the implementation of the Data Flow Regulations
The good news is that the Data Flow Regulations have significantly relaxed the compliance requirements for personal data cross-border transfer.
According to the Data Flow Regulations, some specific scenarios of personal data cross-border transfer will be exempt from the statutory mechanisms for cross-border data transfer under the PIPL. This includes the scenario where "the implementation of cross-border human resources management is in accordance with legally established labour rules and regulations and legally signed collective contracts, and it is necessary to provide employee personal data overseas".
In addition, according to the Data Flow Regulations, data processors who are not operators of critical information infrastructure and who have cumulatively provided personal data (excluding sensitive personal data) of fewer than 100,000 individuals to overseas data recipients since 1 January of the current year are also exempted from the statutory mechanisms.
This means that in the employment management context, employers who fulfil at least one of the following criteria will be exempted from the three statutory mechanisms for employee data cross-border transfer:
- The cross-border transfer of employee data is necessary for human resources management, and it is supported by internal rules and regulations or collective contracts; or
- The employer is not an operator of critical information infrastructure and has not provided personal data (excluding sensitive personal data) of 100,000 individuals or more to overseas data recipients in the current year.
Conclusion
Based on the above Regulations, we understand that the vast majority of employee data cross-border transfer conducted by Chinese employers during routine human resources management would be exempt from the statutory mechanisms. However, employers should still review their data policies or other relevant rules and regulations to ensure that appropriate data clauses are included in the company's policies, so as to fully meet the qualifying criteria for exemption.
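China: New Data Regulations Relax Requirements for Cross-Border Transfer of Employee Data
On 22 March 2024, the Cyberspace Administration of China ("CAC") officially issued and implemented the "Regulations on Promoting and Regulating Cross-Border Data Flow" ("Data Flow Regulations"). The Data Flow Regulations will make it considerably easier for employers to transfer employee data across borders. This update summarises the key content of the Data Flow Regulations.
Before the implementation of the Data Flow Regulations
In a previous update, we analysed the cross-border data transfer mechanisms under China's "Personal Information Protection Law" ("PIPL").
In short, the PIPL provides for three statutory mechanisms for cross-border data transfer: (a) a security assessment conducted by the cyberspace authorities (the security assessment is mandatory for operators of critical information infrastructure and for large-scale cross-border data transfers); (b) personal information protection certification by a professional institution designated by the CAC; and (c) entering into the standard contract for cross-border transfer of personal information formulated by the CAC ("Standard Contract") with the overseas data recipient.
Before the Data Flow Regulations were promulgated, an employer located in China that wanted to transfer employee data to overseas affiliated companies or employment management systems generally had to enter into a Standard Contract with the overseas data recipient. The terms of the Standard Contract are set by the CAC and may not be changed. Although the parties may agree additional terms in an appendix, those terms must not be inconsistent with or conflict with the terms of the Standard Contract.
In addition, employers, as personal information processors, must also conduct a personal information protection impact assessment and prepare a report. The Standard Contract and the personal information protection impact assessment report must be submitted together to the local cyberspace authority for filing.
After the implementation of the Data Flow Regulations
The good news is that the Data Flow Regulations have, to a large extent, relaxed the compliance requirements for cross-border transfer of personal information.
According to the Data Flow Regulations, cross-border transfers of personal information in certain specific scenarios are exempt from the statutory cross-border data transfer mechanisms under the PIPL. These include the scenario "where cross-border human resources management is implemented in accordance with lawfully established labour rules and regulations and lawfully signed collective contracts, and it is genuinely necessary to provide employees' personal information overseas".
In addition, according to the Data Flow Regulations, data processors other than operators of critical information infrastructure that, since 1 January of the current year, have cumulatively provided overseas the personal information (excluding sensitive personal information) of fewer than 100,000 individuals no longer need to go through the statutory mechanisms.
In other words, in the employment management context, an employer that meets either of the following conditions is exempt from the statutory mechanisms for cross-border transfer of employee data:
- The cross-border transfer of employee data is required for human resources management and is supported by rules and regulations or collective contracts; or
- The employer is not an operator of critical information infrastructure, and the volume of personal information (excluding sensitive personal information) it has transferred overseas in the current year is small, at fewer than 100,000 individuals.
Conclusion
Based on the above provisions, we understand that the vast majority of cross-border transfers of employee data carried out by Chinese employers in the course of routine human resources management can be exempt from the statutory mechanisms. However, employers should still review their data policies or other relevant rules and regulations to ensure that company policies already contain appropriate data clauses, so that they fully meet the qualifying conditions for exemption.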