China recently finalized the Measures for Security Assessment for Cross-Border Data Transfers, unveiling the last piece of the puzzle for cross-border data transfer. This LawFlash highlights the key requirements in the data protection regime and the implications for business operators in the highly regulated, data-intensive field of healthcare.
Data privacy has been a hot topic in China in recent years as the Chinese government has actively released data privacy laws and regulations. Three milestone laws in the privacy regime have been published and have come into effect: the Cybersecurity Law (CSL) (2017), the Data Security Law (DSL) (2021), and the Personal Information Protection Law (PIPL) (2021).
Under the umbrella of these fundamental laws, the Chinese government has recently been focusing on rolling out rules and regulations for implementing its cybersecurity, data security, and personal information protection laws.
For example, on June 24, 2022, China published the final version of the Certification Specification for Cross-Border Processing of Personal Information, which provides guidance for companies seeking to have their cross-border data transfers certified, certification being one of the legal routes by which business operators may transfer personal information outside China. On June 30, China further published a draft standard contract for the cross-border transfer of personal information, regarded as China’s equivalent of the standard contractual clauses (SCCs) under the EU General Data Protection Regulation; the draft also imposes an additional obligation to file the executed standard contract with the government authorities before the cross-border data transfer can take place.
Finally, on July 7, the Measures for Security Assessment for Cross-Border Data Transfers were finalized, which clarify under what circumstances a company must undergo a security assessment approved by the competent Chinese government authority before exporting data out of China.
The data protection laws require companies as data handlers (a concept under the PIPL, similar to data controllers under the General Data Protection Regulation) to obtain informed and separate consents from the data subjects for the collection, processing, and cross-border transfer of personal information (limited exceptions apply).
The law has extraterritorial effect: it applies both to personal information processing activities within China and to those that take place outside China if their purpose is to provide products or services to individuals located in China, or to analyze or assess the behavior of individuals located in China. Overseas companies caught by the extraterritorial jurisdiction of the PIPL must establish a dedicated entity or appoint a representative in China to handle matters relating to the protection of the personal information they collect, and must file the details of that entity or representative with the competent government authorities. Foreign organizations or individuals may be put on a "blacklist" that restricts or prohibits them from receiving personal information from China if they infringe the personal information rights and interests of Chinese citizens or harm the national security or public interest of China.
Additionally, the law grants statutory rights to data subjects, such as the right to withdraw and modify consent, the right to data portability, and the right to refuse automated decision-making. The law also imposes a number of new administrative requirements on data handlers, including, but not limited to, designating a data protection officer, signing data processing agreements with data processors, preparing data breach notices, conducting a personal information protection impact assessment (PIPIA), and, in some cases, obtaining regulatory approval for certain data processing or transfer activities.
Employers also qualify as data handlers, so every company will need to ensure that it understands the new requirements covering the collection and processing of its employees’ personal information, in addition to other types of personal information, as part of its routine employee management functions.
A company must undergo a security assessment approved by the competent government authority before exporting data under any of the following scenarios:
Companies in violation of the data protection laws may be subject to severe penalties, including a fine of up to 5% of the company’s turnover for the preceding year, revocation of the company’s license to do business in China, and personal liability for company executives.
Healthcare data (such as medical, genetic, and biometric data) is sensitive personal information, which is subject to a higher level of protection. Processing sensitive personal information requires the data handlers to ensure:
The recent series of data privacy legislative updates demonstrates the Chinese government’s aim of enhancing data protection supervision, specifically with respect to data that may affect data security and national security. Healthcare is a highly regulated field that involves intensive data collection and processing activities. Morgan Lewis provides companies around the world with integrated legal guidance. Our lawyers work seamlessly together to advise and represent hospitals and healthcare providers, digital health, life sciences, and technology companies, employers, investors, and other healthcare stakeholders.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact the authors or any of the following Morgan Lewis lawyers:
Shanghai
Todd Liao