Question raising

At the end of September 2023, the Cyberspace Administration of China released the "Regulations on Regulating and Promoting Cross border Data Flow (Draft for Comments)" (hereinafter referred to as the "Draft for Comments"), which listed the situations where there is no need to declare data export security assessment, enter into personal information export standard contracts, and pass personal information protection certification, including the following exemption situations: (1) It is necessary to enter into and perform contracts to which an individual is a party, Personal information must be provided to overseas parties for cross-border shopping, cross-border remittances, flight and hotel reservations, visa processing, etc; (2) According to the labor rules and regulations formulated in accordance with the law and the collective contract signed in accordance with the law, it is necessary to provide personal information of internal employees overseas for human resource management; (3) In emergency situations, personal information must be provided overseas to protect the life, health, and property safety of natural persons; (4) Expected to provide personal information of less than 10000 people overseas within one year.

So, if the aforementioned content of the draft for soliciting opinions is officially implemented, will personal information processors no longer need to conduct an impact assessment on personal information protection in the aforementioned scenarios of personal information export?

Lawyer Interpretation

1、 In the scenario of personal information leaving the country, personal information processors should conduct a personal information protection impact assessment in advance, which is a legal compliance obligation stipulated in the Personal Information Protection Law.

According to Article 55 of the Personal Information Protection Law, if one of the following situations occurs, the personal information processor shall conduct a personal information protection impact assessment in advance and record the processing situation: (1) processing sensitive personal information; (2) Using personal information for automated decision-making; (3) Entrust the processing of personal information, provide personal information to other personal information processors, and publicly disclose personal information; (4) Provide personal information overseas; (5) Other personal information processing activities that have a significant impact on personal rights and interests. It can be seen that in the aforementioned five legal situations (including the situation of personal information leaving the country), pre assessment of the impact of personal information protection is the legal compliance obligation of personal information processors under the Personal Information Protection Law. The exemption under the draft for soliciting opinions does not require the application for data export security assessment, and does not exempt personal information processors from their security assessment obligations for personal information export under the Personal Information Protection Law.

2、 The impact assessment of personal information protection has positive significance for personal information processors.

Personal information protection impact assessment is not only a legal obligation of personal information processors, but also has positive significance. Personal information processors can identify and analyze whether their personal information processing activities are compliant and whether there are risks by conducting a personal information protection impact assessment; If non-compliance or risks are found, they can be rectified in advance and corresponding remedial measures can be taken to improve the security and compliance of personal information processing activities, reduce or eliminate related risks.

3、 The main content and retention period of the impact assessment on personal information protection.

According to Article 56 of the Personal Information Protection Law, the impact assessment of personal information protection should include the following contents: (1) whether the purpose and method of processing personal information are legal, legitimate, and necessary; (2) The impact on personal rights and security risks; (3) Whether the protective measures taken are legal, effective, and appropriate to the level of risk. The content of personal information protection impact assessment can refer to the attachment "Personal Information Protection Impact Assessment Report (Outbound Version)" in the "Guidelines for Filing of Personal Information Export Standard Contracts". According to the Personal Information Protection Law, the personal information protection impact assessment report and processing record should be kept for at least three years, which means that enterprises should continue to promote the work of personal information protection impact assessment.

Suggestion: As the draft for soliciting opinions has not yet been officially released, enterprises can closely monitor the relevant progress; At the same time, for enterprises exempted from conducting personal information export evaluation and filing under the draft for soliciting opinions, it is still necessary to ensure the compliance of personal information export by conducting a personal information protection impact assessment in advance and signing relevant personal information export agreements with overseas data recipients before the export of personal information.