Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource
https://privacymatters.dlapiper.com/category/data-transfers/ (feed last updated Wed, 16 Apr 2025 08:41:03 +0000)

US: Department of Justice issues final rule restricting the transfer of Sensitive Personal Data and United States Government-Related Data to “countries of concern”
https://privacymatters.dlapiper.com/2025/04/us-department-of-justice-issues-final-rule-restricting-the-transfer-of-sensitive-personal-data-and-united-states-government-related-data-to-countries-of-concern/
Wed, 16 Apr 2025 08:40:41 +0000

On April 8, 2025, the Department of Justice’s final rule implementing the Biden-era Executive Order 14117, which restricts the transfer of Americans’ Sensitive Personal Data and United States Government-Related Data to countries of concern (the “Final Rule”), came into force. The Final Rule imposes new requirements on US companies when transferring certain types of personal data to designated countries of concern or covered persons.

Executive Order 14117 and the implementing Final Rule are intended to address the threat of foreign powers and state-sponsored threat actors using Americans’ sensitive personal data for malicious purposes. The Final Rule sets out the conditions under which a bulk transfer of sensitive personal data or US government-related data to a country of concern or covered person will be permitted, restricted or prohibited.

The Final Rule reflects the US government’s heightened scrutiny of bulk cross-border data transfers that may pose a risk to US national interests, and tightens the compliance requirements on US companies to protect sensitive personal data and government-related data when engaging with these countries or with parties connected to them.

Scope of the Final Rule

The key elements determining the applicability and scope of the Final Rule, when applied to a data transaction by a US entity, are:

  • Countries of Concern: The Final Rule designates six countries as countries of concern: (1) China (including Hong Kong SAR and Macau SAR), (2) Cuba, (3) Iran, (4) North Korea, (5) Russia, and (6) Venezuela. The transfer of sensitive data to covered persons within these jurisdictions could therefore be captured.
  • Covered Persons: The Final Rule defines four classes of covered persons as the transacting party that will require additional scrutiny: (1) foreign entities that are 50% or more owned by a country of concern, organized under the laws of a country of concern, or have their principal place of business in a country of concern; (2) foreign entities that are 50% or more owned by a covered person; (3) foreign employees or contractors of countries of concern or entities that are covered persons; and (4) foreign individuals primarily resident in countries of concern.
  • Sensitive Personal Data: The Final Rule regulates transactions involving six categories of sensitive personal data: (1) certain covered personal identifiers; (2) precise geolocation data; (3) biometric identifiers; (4) human genomic data and three other types of human ‘omic data (epigenomic, proteomic, or transcriptomic); (5) personal health data; and (6) personal financial data.
  • Bulk Sensitive Personal Data: Within these Sensitive Personal Data categories, different volume thresholds apply, and these thresholds determine whether the Final Rule applies to a transaction. The prohibitions and restrictions apply to covered data transactions involving sensitive personal data exceeding certain thresholds over the 12 months preceding the transaction. For example, compliance requirements for the transfer of precise geolocation data will not be triggered unless location data from over 1,000 US persons or devices is being transferred, whereas the threshold for personal identifiers (such as social security numbers) is not met until the identifiers of over 100,000 US persons are transferred. The definition of ‘bulk’ and how it applies across the categories of personal data is therefore key.

Prohibited or restricted transactions?

Alongside these key elements, the Final Rule determines that the type of transaction under which the data is being transferred will inform whether the transaction is restricted, prohibited or exempt from scrutiny. A transaction falling into the restricted category will impose the new, additional compliance requirements on US companies before the transaction can proceed.

The Final Rule prohibits transactions involving (1) data brokerage (i.e., “the sale of data, licensing of access to data, or similar commercial transactions involving the transfer of data”), and (2) covered data transactions involving access to bulk human ‘omic data or human biospecimens from which such data can be derived. The outright prohibition on data brokerage agreements with countries of concern is extended further, with the Final Rule also requiring US persons to contractually ensure that data brokerage transactions with other foreign persons, who are not countries of concern or covered persons, do not enable the transfer of the same data to countries of concern under subsequent arrangements. This additional safeguard on data brokerage where sensitive personal data is involved underlines the requirement for sufficient due diligence with overseas partners.

Vendor, employment, and non-passive investment agreements are captured as restricted transactions. These transactions are permitted if they meet certain security requirements developed by the Cybersecurity and Infrastructure Security Agency (CISA).

Finally, data transactions which fall under categories such as (but not limited to) personal communications that do not transfer anything of value, ordinary corporate group transactions between a U.S. person and its foreign subsidiary or affiliate, and financial services transactions ordinarily incident to and part of providing financial services, are exempt from any compliance requirements under the Final Rule, illustrating the practical intention of the requirements.

Compliance obligations

CISA requirements detail the types of cybersecurity, data retention, encryption and anonymisation policies, alongside other measures, that can be adopted by US companies in order to bring a restricted transaction into compliance, ensuring the safety of sensitive personal data.

An enhanced due diligence exercise is therefore expected when seeking to transact with covered persons where the bulk transfer of sensitive personal data is a possibility. Key features of this include the implementation of a data compliance program, including comprehensive policies, procedures and record keeping surrounding data involved in a restricted transaction, as well as the completion of third-party audits to monitor compliance with the Final Rule. Finally, reporting is expected when engaging in restricted transactions, demonstrating the depth of US government oversight and interest in these transactions.

FAQs, Compliance Guide and Enforcement Policy

On April 11, 2025, the Department of Justice published answers to Frequently Asked Questions and a Compliance Guide, and issued an Implementation and Enforcement Policy for the first 90 days of the Final Rule (i.e. through July 8, 2025).

  • Compliance Guide. The Compliance Guide aims to provide ‘general information’ to assist individuals and entities in complying with the Data Security Program (“DSP”), established by the Department of Justice’s National Security Division to implement the Final Rule and Executive Order 14117. The Compliance Guide includes guidance on a number of different areas, including key definitions, steps that organizations should take to comply with the Final Rule, model contract language, and prohibited and restricted data transactions.
  • FAQs. The Department of Justice has provided answers to more than 100 FAQs, which aim to provide high-level clarifications about Executive Order 14117 and the DSP, including, for example, answers to questions in relation to the scope of the DSP; the effective date of the Final Rule; definitions; exemptions; and enforcement and penalties.
  • Implementation and Enforcement Policy for the First 90 Days (the Policy): The Policy states that during the first 90 days, enforcement will be limited “to allow U.S. persons (e.g., individuals and companies) additional time to continue implementing the necessary changes to comply with the DSP”. Specifically, the Policy is clear that there will be limited civil enforcement actions against any person for violations of the DSP that occur from April 8 through July 8, 2025 “so long as the person is engaging in good faith efforts to comply with or come into compliance with the DSP during that time”. The Policy provides examples of ‘good faith efforts’, including: conducting internal reviews of access to sensitive personal data; renegotiating vendor agreements or negotiating contracts with new vendors; transferring products and services to new vendors; implementing CISA security requirements; adjusting employee work locations, roles or responsibilities; and evaluating investments from countries of concern or covered persons. The Policy states that at “the end of this 90-day period, individuals, and entities should be in full compliance with the DSP.”

Next steps

Whilst certain due diligence, auditing, and reporting obligations will not become effective until October 2025, preparation for effective oversight and compliance with the CISA requirements can begin now. In particular, organisations should assess current compliance measures in place to identify potential compliance gaps and establish controls to address those gaps, in order to be able to demonstrate that they are engaging in “good faith efforts.” DLA Piper can advise on a review of current policies and procedures and preparing effectively for transactions that may fall within the Final Rule.


CHINA: Draft Regulation on Certification for Cross-Border Data Transfers Published
https://privacymatters.dlapiper.com/2025/01/7523/
Tue, 14 Jan 2025 12:02:22 +0000

On 3 January 2025, the Cyberspace Administration of China (“CAC”) released for public consultation the draft Measures for Certification of Personal Information Protection for Cross-Border Transfer of Personal Information (“Draft Measures”). This regulation represents the final piece in the CAC’s regulatory framework for the three routes to legitimize cross-border transfers of personal data outside of China (“CBDTs”).

To recap, Chinese law requires data controllers to take one of the following three routes to legitimize CBDTs, unless they qualify for specific exemptions under the Provisions on Promoting and Regulating Cross-Border Data Flows (“Provisions”; see our separate summary) or local rules:

  • CAC security assessment;
  • Standard Contractual Clauses (“SCCs”) filing; or
  • CAC-accredited certification.

If enacted, the Draft Measures will provide significant clarity regarding the certification route, offering data controllers both within and outside of China a viable option for CBDT compliance. Below is a practical guide to the key provisions of the Draft Measures, along with our recommendations for data controllers engaged in CBDTs in light of this new regulation.

Who can utilise the certification route?

Data controllers in China: In alignment with the conditions outlined in the Provisions, the Draft Measures reiterate that a data controller in China may pursue the certification route if:

  • the data controller is not a critical information infrastructure operator (“CIIO”);
  • no important data is transferred outside of China; and
  • it has cumulatively transferred non-sensitive personal data of 100,000-1,000,000 individuals or sensitive personal data of fewer than 10,000 individuals outside of China since the beginning of the year.

It is worth noting that these conditions are the same as those for taking the SCCs filing route, making the certification route an effective alternative to the SCCs filing route for data controllers in China.

Overseas data controllers: The certification route is also available to data controllers outside of China that fall under the extraterritorial jurisdiction of the Personal Information Protection Law (“PIPL”), i.e. those processing personal data of residents in China to provide products or services to them or to analyze or evaluate their behavior.

The Draft Measures do not specify the volume threshold or other conditions for overseas data controllers to take the certification route. It remains to be clarified whether overseas data controllers with a limited scope of CBDTs (e.g. those not reaching the volume threshold for data controllers in China as outlined above) can be exempted from obtaining certification or following the other legitimizing routes.

From which certification bodies can a data controller obtain the certification?

Certification bodies that have received approval from the State Administration for Market Regulation (“SAMR”) and have completed a filing process with the CAC are qualified to issue the CBDT certification.

What are the evaluation criteria for the certification?

The evaluation for the certification will focus on the following aspects:

  • the legality, legitimacy and necessity of the purposes, scope and methods of the CBDT;
  • the impact of the personal data protection laws and policies and network and data security environment of the country/region where the overseas data controller/recipient is located on the security of the transferred personal data;
  • whether the overseas data controller/recipient’s level of personal data protection meets the requirements under Chinese laws, regulations and mandatory national standards;
  • whether the legally binding agreement between the data controller and the overseas data recipient imposes obligations for personal data protection;
  • whether the organizational structure, management system, and technical measures of the data controller and the overseas data recipient can adequately and effectively ensure data security and protect individuals’ rights and interests regarding their personal data; and
  • other aspects deemed necessary by certification bodies according to relevant standards for personal information protection certification.

Are there special requirements for overseas data controllers pursuing certification?

Yes. An overseas data controller governed by the PIPL seeking certification must submit the application with the assistance of its dedicated institution or designated representative located in China (the presence of which is a requirement under the PIPL).

The Draft Measures also make it clear that overseas data controllers must, like data controllers in China, assume the legal responsibilities associated with certification processes, undertake to comply with relevant Chinese data protection laws and regulations, and be subject to supervision by Chinese regulators and certification bodies.

How are certification processes and results supervised?

The Draft Measures grant supervisory powers to both the SAMR and the CAC. They can conduct random checks on certification processes and results, and evaluate certification bodies. Certified data controllers will also be under continuous supervision by their certification bodies.

If a certified data controller is found to no longer meet the certification requirements (e.g. the actual scope of the CBDT is inconsistent with that specified in the certification), the certification will be suspended or revoked, and the suspension or revocation will be made public.

Are there ancillary rules and standards on the horizon?

Probably yes. The Draft Measures indicate that the CAC will collaborate with relevant regulators to formulate standards, technical regulations, and conformity assessment procedures for CBDT certification and work alongside the SAMR to develop implementation rules and unified certificates and marks for CBDT certification.

Is the certification likely to be recognised in other jurisdictions?

Probably yes. According to the Draft Measures, China will facilitate mutual recognition of personal information protection certification with other countries, regions, and international organizations.

Recommendations

As discussed, the Draft Measures make available a tangible certification route to legitimize CBDTs for data controllers both within and outside of China. Data controllers should carefully evaluate and choose between the three legitimizing routes when engaging in CBDTs, considering their respective pros and cons and suitability for the controllers’ specific patterns of CBDTs. For example, the certification route may be advantageous for complex CBDTs among multiple parties where signing of SCCs is challenging. To make well-informed decisions, data controllers engaged in CBDTs are recommended to closely monitor developments related to the Draft Measures in the months following the conclusion of the public consultation period on 3 February 2025, and remain vigilant for any release of ancillary rules and standards. This is particularly necessary because some important details about the certification route, such as the validity period of the certification and any thresholds for overseas data controllers to take the certification route, remain unclear.

Overseas data controllers processing personal data of residents in China should also be aware of the Draft Measures, as they specifically outline the certification route. This represents a further enhancement of Chinese regulations governing overseas data controllers, following clarifications regarding the procedure for reporting dedicated institutions or designated representatives of overseas data controllers under the Network Data Security Management Regulation that took effect on 1 January 2025 (see our separate summary). Given this trend, overseas data controllers processing personal data of residents in China should consider assessing whether they fall under the extraterritorial jurisdiction of Chinese data protection laws and, if so, evaluating the practical risks of non-compliance with such laws (e.g. the impact of potential service disruptions or access restrictions). If compliance with Chinese data protection laws turns out to be necessary, it is advisable to implement a comprehensive program to navigate how China’s CBDT restrictions and, more broadly, its complex data regulatory framework may apply to the overseas data controller, and to devise compliance strategies.

It is also important to remember that the legitimizing routes are not the sole requirement for CBDTs under Chinese law. Regardless of the chosen route, data controllers must implement other compliance measures for CBDTs, including obtaining separate consent from data subjects, conducting personal information impact assessments, and maintaining records of processing activities.


China: Important new guidance on defining sensitive personal information
https://privacymatters.dlapiper.com/2024/08/china-important-new-guidance-on-defining-sensitive-personal-information/
Tue, 06 Aug 2024 07:31:25 +0000

While the definition of sensitive personal information in China has always been different to other jurisdictions, with a focus on risk of harm at its heart, new draft guidance should make it easier for organisations to map their processing of China sensitive personal information, which is increasingly important in light of new cross-border data transfer and data audit obligations.

Under China’s data protection law, if a data controller processes any sensitive personal information, it will be subject to stricter obligations. For example, it must obtain the individuals’ separate consent. It must take enhanced technical and organizational measures. More importantly, under the new Chinese regulation governing the cross-border transfer of personal information (see our article here for details), if it transfers even one individual’s sensitive personal information outside China, it will need to file the transfer with the Chinese data regulator. Thus, the accurate identification of sensitive personal information has become increasingly important, and will become more so under proposed new data audit regulations.

The China Personal Information Protection Law (“PIPL”) defines sensitive personal information as any personal information that, once leaked or misused, may easily lead to the infringement of an individual’s personal dignity or harm to personal or property safety.

The PIPL offers a few samples of sensitive personal information (e.g. biometrics, religious beliefs, medical health, financial accounts, whereabouts, and any personal information relating to minors under the age of fourteen). Recommended national standards such as GB/T 35273-2020 Personal Information Security Specifications (“Specifications”) and GB/T 43697-2024 Rules for Data Classification and Grading (“Rules”) also include non-exhaustive sample lists. During the past years, the identification of sensitive personal information in the market has relied heavily on such samples and lists.

In June 2024, a new Draft Guide for Sensitive Personal Information Identification (“Draft Guide”) was issued for public consultation, which proposes a different approach to identifying sensitive personal information. For example:

  • Facial recognition data: Under the Specifications and the Rules, only facial feature extraction or faceprint constitutes sensitive personal information. The Draft Guide now proposes to expand the scope to cover face images also, based on the rationale that facial feature extraction or faceprint may be generated from face images.
  • Health data: Under the Specifications and the Rules, food allergy related data is specifically identified as sensitive personal information, which (unreasonably) subjects many restaurants and catering companies to stricter data protection obligations. The Draft Guide now proposes to limit the scope of health data to disease, illness, disability and diagnosis- and treatment-related data.
  • Finance data: Under the Specifications and the Rules, transaction and expense records are identified as sensitive personal information, which may lead to the extreme conclusion that all shops and malls keeping consumers’ purchase records process sensitive personal information. Under the Draft Guide, transaction and expense records would be removed from the list. Instead, sensitive personal finance information would be limited to bank, securities and fund account or card numbers and passwords, as well as token information and income details related to each specific account or card.
  • Other data: The Draft Guide proposes removing communications records and web browsing records from the sensitive personal information list, which is helpful especially for companies that monitor and record employees’ work-related emails and messages. The Draft Guide also clarifies that flight and high-speed train travel records fall within the scope of “whereabouts” data and thus constitute sensitive personal information, whether in a consumer or potentially even an employee-travel context.

It is uncertain when the Draft Guide will be finalized, and indeed how much it would be relied upon by the Chinese data regulator, considering it would only constitute non-binding recommended guidance. Nonetheless, it is clear that identifying sensitive personal information is no longer a straightforward question, and the context in which personal information is processed will be critical to the assessment. To be fair, the focus on “risk of harm” has always been a key component of defining sensitive personal information in China. Therefore, going forward, organisations looking to identify their sensitive personal information should place more focus on the consequences and potential harm to the data subjects if the data in question is breached or misused. A case-by-case and context-specific analysis will likely be required.


Indonesia: prepare now for the new Personal Data Protection Law
https://privacymatters.dlapiper.com/2023/09/indonesia-prepare-now-for-the-new-personal-data-protection-law/
Fri, 15 Sep 2023 15:00:30 +0000

Following the passing of the long-awaited Personal Data Protection Law (“PDPL”) in Indonesia, on 31 August 2023 the Ministry of Communications and Information Technology published the draft government regulation (“Draft Regulation”) on the implementation of the PDPL for public consultation. The public consultation will close on 14 September 2023. The Draft Regulation is expected to come into effect in October 2024.

Summary of the key themes of the Draft Regulation:

  • Scope of personal data: In addition to the list of “specific personal data” set out in the PDPL, the Draft Regulation introduces a mechanism for the government to expand the scope of “specific personal data”. The Ministry, in consultation with the PDP Agency, may designate other data as “specific personal data” if it has the potential to cause greater harm to data subjects, such as discrimination, material/immaterial loss and contravention of the law. It also clarifies that personal data covers data in the public domain. This gives the government the flexibility to extend its control over time, which in turn creates uncertainty for businesses.
  • Consent to data processing: Similar to the position taken under other data protection laws in Asia, data processing can be based on consent (though other bases of data processing are also available). Where consent is used, the data subject must be provided with a privacy notice and explicit lawful consent must be obtained.

With regard to children or persons with disabilities, consent should be obtained from the parents/guardians of the children and from either the disabled persons or their guardians.

Interestingly, a child is defined as any unmarried person under the age of 18. Controllers are also required to take measures to identify persons with disabilities. These provisions may lead to some uncertainty as to whether mere reliance on a data subject’s declaration is sufficient or whether a more proactive approach, such as verification and active monitoring, is required.

  • Data subject rights: The Draft Regulation also sets out in detail the rights of data subjects and the timelines for responding to requests. For example, controllers must respond to data subject requests within “3 x 24” hours. This is a very short timeframe that is usually only applied in data breach notification scenarios in other jurisdictions in Asia.  
  • Cross-border data transfers: The PDPL already provides that data controllers transferring personal data abroad must ensure that the recipient country has a level of data protection at least equal to that required in Indonesia. 

The Draft Regulation clarifies that the PDP Agency will be the authority to make the determination and the PDP Agency may in the future establish a list of jurisdictions meeting that threshold. If the receiving jurisdiction does not meet the threshold, measures similar to those adopted by other jurisdictions in Asia, such as cross-border agreements, standard contract clauses and binding group company regulations, must be put in place.

We expect the PDP Agency to provide more details on these practices, such as standard wordings and templates, in the future. Nonetheless, if these requirements are not met, the consent of the data subject could be used as a fallback in limited circumstances. In any event, controllers will be required to carry out a risk assessment and a legal instrument assessment prior to the transfer.

  • Redress and out-of-court dispute resolution: The Draft Regulation places great emphasis on redress for data subjects and the alternative dispute resolution mechanism in the event of a breach. A data subject has the right to sue for violations, whether based on fault or negligence on the part of the controller, and receive material compensation, such as a sum of money, or non-material compensation, such as remedial measures. In particular, the Draft Regulation expressly gives priority to mediation among other dispute resolution mechanisms, and even provides for a Professional Mediation Institution that is equipped with expertise in data protection and certified in accordance with the Draft Regulation.

Alternatively, breaches of data protection may be punished by administrative fines of up to 2% of the annual revenue or annual receipts of the violator. However, it is uncertain whether the percentage cap will be imposed on the local entity or on the group globally.

What next – practical steps

While the Draft Regulation signifies Indonesia’s commitment to strengthening its data protection framework in line with global standards, we expect that compliance with the data protection law in Indonesia could be challenging given the onerous obligations and uncertainty.

Given that the PDPL will come into force in October 2024 and it now seems likely that the Draft Regulation will also come into effect at around the same time, we recommend that businesses prioritise the following:

  • review existing data flows and the categories of data which are being collected and processed;
  • consider existing mechanisms for obtaining consent;
  • review processes for responding to data subject requests and data breach notification;
  • review processes for conducting data protection impact assessments.

CHINA: uncertainties helpfully clarified on various key data compliance activities
https://privacymatters.dlapiper.com/2023/08/china-uncertainties-helpfully-clarified-on-various-key-data-compliance-activities/
Tue, 22 Aug 2023 14:58:46 +0000

Helpful guidance on some previously uncertain areas of China data protection compliance programmes has been provided by the Administrative Measures for Personal Information Protection Compliance Audit (Draft for Comment) (“Draft Measures”), which were published for public consultation on 3 August 2023 by the Cyberspace Administration of China (“CAC”).

The Draft Measures propose to introduce or flesh out other compliance requirements contained in the PIPL. For example:

  • Automated Decision-Making: where a data controller uses personal data to conduct any automated decision-making, it must proactively inform data subjects in advance of the types of data processed and the potential impact of the automated decision-making. It must also conduct security and ethical assessments of the algorithms and parametric models, record all manual intervention in the annotation management and model training processes to prevent manipulation, and enable data subjects to amend or delete customised tags in order to opt out. This will therefore require more in-depth privacy notices than businesses may be used to providing in China.
  • Publicly Available Data: where a data controller processes personal data obtained from public sources, it must stop the processing (even if the processing is compatible with the original purpose of publication) once it receives the data subject’s objection. Data controllers should therefore be more conservative when relying on “publicly available data” as a lawful basis for processing, and assessing the original purpose for which the data was published becomes critical. This is particularly important for any data scraping activities.
  • Monitoring of overseas data recipients/processors: when determining whether a data controller has taken sufficient measures to ensure that its overseas data recipients meet the PIPL data protection standards, the following factors are to be considered: whether the data controller has conducted proper due diligence on the data protection capability of the overseas recipients; whether it has clearly informed the overseas recipients of the PIPL requirements and standards; whether sufficient contractual obligations to comply with the PIPL have been imposed on the overseas recipients; and whether the data controller conducts periodic audits and continues to monitor the overseas recipients’ processing activities. This aligns with the controls on monitoring recipients of C2C and C2P transfers under other data protection laws.
  • Governance: a data controller must establish a proper internal data protection framework. Must-have supporting policies and procedures include at least: a data classification policy, a data incident response policy, a personal information impact assessment policy, data subject request handling procedures and data protection training plans. International businesses should already have tailored their existing global policies for China purposes.
  • Data incident notification: it is clarified that data incidents must be reported to the internal data protection department or team within 72 hours. This seems to suggest that the data controller may have longer to report incidents to the CAC than under other data protection frameworks.
  • Role of the DPO: although the Draft Measures still do not clarify the processing threshold above which a data controller must appoint a DPO, they provide that a DPO must have the authority to coordinate the work of the data protection team and other internal data protection stakeholders, the right to raise suggestions and comments before the data controller makes any major decision concerning data processing activities, and the power to request the suspension of non-compliant processing activities and order internal remediation measures. All of this indicates that the DPO should be a relatively senior position within an organisation.

The public consultation on the Draft Measures closes on 2 September 2023.

CHINA: only 100 days to file SCCs for cross-border data transfers – practical tips and insights https://privacymatters.dlapiper.com/2023/08/china-only-100-days-to-file-sccs-for-cross-border-data-transfers-practical-tips-and-insights/ Mon, 21 Aug 2023 14:56:22 +0000

Authors: Carolyn Bigg and Amanda Ge

Businesses that must follow the China SCCs route to legitimise their cross-border transfers of personal data must file their signed China SCCs, together with the supporting personal information impact assessment (“PIIA”) report, with their local CAC branch no later than 30 November 2023. This requires significant effort, so businesses must act now to meet the filing deadline.

To recap, the China SCCs route is the relevant route for China entities that are data controllers of China personal information but who do not meet the thresholds whereby the full CAC assessment must be undertaken (for further information on this, click here).

During the past few weeks, more practical guidance has been published by different local CACs, and we have gained insights from businesses already preparing their SCCs and accompanying PIIAs:

  • More than 30 local CACs have published hotline numbers. Businesses can ask questions on filing-related matters on a real-name basis; anonymous questions are generally not accepted.
  • Many local CACs (e.g. Beijing, Shanghai, Jiangsu, Chongqing, Shandong, Hubei, Jiangxi, Hainan, Heilongjiang, Guangxin, etc.) have published email addresses to which companies may send electronic copies of their filing materials. In these provinces, the local CAC’s comments and the company’s amended materials are mainly exchanged by email. Companies only need to submit hard-copy materials once the electronic versions have been confirmed by the CAC.
  • Different CACs have different views on whether filing on a group basis is acceptable. For example, the Beijing CAC seems to accept the group filing approach: if the Chinese headquarters of a multinational organisation is registered in Beijing, it may consider making the filing with the Beijing CAC on behalf of all its other Chinese affiliates. There is no clear guidance yet on how to define the scope of “affiliate” (e.g. whether more than 50% control or other conditions are required).

In addition, whether a group filing works in practice also depends on the local CACs in the provinces where the affiliates are registered. For example, some CACs (e.g. Tianjin) only request a copy of the group filing record made in the other province, while others (e.g. Zhejiang) request that record plus re-submission of the province-specific materials.

  • The China SCCs are drafted on the basis that the Chinese data exporter is a data controller. It therefore remains uncertain whether, or how, the SCCs should be signed if the Chinese data exporter is a data processor.
  • Where the Chinese exporter is the data controller, the same SCCs are used regardless of whether the overseas importer is a data controller or a data processor, i.e. there is no separate C2P version of the China SCCs. While in theory the parties may insert additional (but not conflicting) terms in Appendix 2 to the SCCs, we suggest limiting these to the absolutely necessary terms (if any), to avoid delays in the filing or further questions from the local CACs.
  • In practice, we are seeing many international businesses identify a group company (e.g. the lead entity under their IGDTA) as the primary overseas recipient, and vendors contracted at group level as onward recipients (since vendors engaged locally by the China entity tend to provide domestic-only services). In other words, the first-tier transfer is made on an intra-group basis. When reviewing CAC security assessment applications, the CAC seems to accept this approach. Following it, some businesses are considering putting the China SCCs in place directly between exporter and importer, while others are considering supplementing their intra-group data transfer agreement with the China SCCs. The latter currently seems more common in practice, given the reluctance of big tech vendors to sign China SCCs except where they have contracted directly with a China entity.
  • At the moment, an overseas recipient is not mandatorily required to sign the China SCCs with subsequent recipients (i.e. for onward transfers), although it remains uncertain whether the CAC will adjust its regulatory approach in future. Vendors, who are keen to avoid signing China SCCs for such onward transfers, are embracing this delay; however, the China SCCs do contain an obligation to flow them down to onward recipients, so while this is not an immediate priority it should not be forgotten entirely.
  • Together with the signed SCCs, a personal information protection impact assessment (“PIIA”) report must be submitted to support the filing. The PIIA report requires extensive data mapping and a significant amount of work to complete. Do not leave it until the last minute: the time to act is now. The PIIA template published by the CAC requires almost the same set of details as a CAC security assessment (i.e. the approval route). No local CAC has published further explanation of how detailed a PIIA report should be, and to cover all the matters in the template a PIIA report can easily exceed 50 pages. We recommend reserving at least two months to gather the required details, coordinate with overseas parties and prepare (and, if needed, translate) the PIIA report.
  • While it is referred to as a filing, the local CACs have the authority and discretion to order specific remediation measures if they identify compliance gaps when reviewing the data processing activities described in the PIIA report. Before making the filing, it is therefore advisable to fix major compliance gaps or, for gaps that require significant effort to mitigate, at least to formulate clear remediation plans and describe them in the PIIA report.
CHINA: New draft proposes more stringent requirements for processing data in the financial services industry https://privacymatters.dlapiper.com/2023/08/china-new-draft-proposes-more-stringent-requirements-for-processing-data-in-the-financial-services-industry/ Tue, 08 Aug 2023 14:50:37 +0000

Authors: Carolyn Bigg, Amanda Ge and Venus Cheung

On July 24, 2023, the People’s Bank of China (“PBOC”) released the Measures for the Management of Data Security in the Business Areas Falling into PBOC’s Jurisdiction (Draft for Comment) (“Draft Measures”) for public consultation, which closes on August 24, 2023.

The Draft Measures regulate the processing of electronic data collected and generated in the course of business activities that are under the supervision and management of PBOC (“Regulated Data”). Regulated Data includes both personal and non-personal data categories, but state secrets are specifically carved out of its scope. Financial institutions and other organisations (“Data Handlers”) processing Regulated Data within the territory of China must comply with the requirements of the Draft Measures.

Such regulated processing activities mainly include those carried out in the following business areas: monetary policy, cross-border RMB transactions, inter-bank transactions, comprehensive financial industry statistics, payment and clearing, currency management and digital RMB, treasury management, credit collection and anti-money-laundering.

Key obligations of Data Handlers when processing Regulated Data include:

Data categorisation and grading: Regulated Data shall be categorised based on the underlying business contexts. Regulated Data shall be graded into three grades (namely ordinary, important and core) based on its potential impact on national security. Within each grade, Regulated Data shall further be divided into five levels according to its sensitivity and availability. The categorisation and grading shall be recorded in catalogues and updated regularly. Where Regulated Data is in an unstructured format, or where Regulated Data falling into different categories or grades is processed in the same context, the Data Handler shall implement the technical and organisational measures applicable to the category or grade requiring the higher level of protection. This is not dissimilar in practice to existing guidelines on the categorisation of “financial data”.

Full life cycle protection: Data Handlers must obtain the consent of individuals or organisations before processing their Regulated Data (howsoever the data was collected or obtained). Access controls, storage media, backups, encryption, transfer controls and retention periods must be determined based on the category, grade and level of the Regulated Data. The data protection level cannot be reduced even in the context of intra-group processing. Regular training and periodic audits shall be conducted to ensure the effectiveness of the data security measures in place. In general, the compliance obligations of a Data Handler processing Regulated Data at level three or above are significantly heavier than those of other Data Handlers. At a high level, we anticipate that financial institutions will already be doing this, so it will be interesting to see whether more granular security standards are subsequently published and whether they impose higher requirements than, say, current international best practice standards.

Cross-border data transfer: The Draft Measures do not provide new requirements regarding cross-border transfer of Regulated Data. Instead, the Draft Measures only briefly state that existing rules regarding data localization and cross-border data transfers (e.g. under the PIPL and related measures) continue to apply, save that in addition PBOC’s approval is required if a Data Handler plans to share any Regulated Data with any international organizations or foreign financial services administrative authorities. This latter measure could create practical difficulties when balancing regulatory requests for information.

Detailed technical requirements: The Draft Measures focus on the effectiveness of the technical measures implemented to protect Regulated Data. In addition to the basic MLPS (multi-level cybersecurity protection scheme) requirements, the Draft Measures also set out detailed technical requirements concerning data input protocols, the mandatory use of watermarks, interface technical specifications, data recovery time and resilience testing requirements, etc. Data Handlers are also required to classify data incidents into different levels and implement level-specific incident response measures. Again, it will be interesting to see whether more granular requirements or standards are published subsequently, and how they align with current international best practices.

Since the issuance of the PRC Data Security Law (“DSL”), sectoral authorities have been formulating rules to regulate data security matters within their respective jurisdictions. The Draft Measures reflect PBOC’s approach to implementing the DSL requirements within the financial services industry. The focus is in particular on the establishment of data categorisation and grading systems within the industry, and the formulation of category- and grade-specific data security requirements. Data Handlers must record and report their internal data categorisation and grading results, which will form the basis for PBOC’s formulation of the important data catalogue(s) for this industry, which are themselves highly anticipated.

Before the Draft Measures, PBOC had already issued several important financial data security standards, such as the Guidelines on Data Security Classification for Financial Data Security (JR/T 0197-2020) and the Specification on Data Life Cycle Security for Financial Data Security (JR/T 0223-2021). The requirements of the Draft Measures are in general consistent with those earlier standards.

Next steps: Assuming there are no significant changes to the Draft Measures before they are implemented, it is time for Data Handlers to start (if they have not already done so as part of their PIPL compliance programmes) thoroughly mapping their Regulated Data processing activities, covering both personal data and industry or business data. Based on the mapping results, data categorisation and grading work must be started so that it can form the basis for the data protection framework and supporting policies and procedures once the Draft Measures are finalised and come into force.

VIETNAM: First Personal Data Protection Decree passed – What you need to know https://privacymatters.dlapiper.com/2023/05/vietnam-first-personal-data-protection-decree-passed-what-you-need-to-know/ Wed, 24 May 2023 02:25:00 +0000

Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, and Gwyneth To.

Vietnam’s long-awaited, first-ever Personal Data Protection Decree (“PDPD”) has finally been passed and is scheduled to take effect from 1 July 2023 (save limited grace period exceptions).

The PDPD is the first comprehensive data protection regulation consolidating Vietnam’s existing data protection regulatory framework (which is found across various legal instruments).

Given the tight timelines, businesses which engage in or relate to personal data processing activities in Vietnam, are advised to take prompt action to ensure compliance.

The most notable provisions of the PDPD relate to the compliance requirements in general processing and cross-border transfers of personal data.

Highlights of the PDPD
  • Consent: the primary legal basis for processing personal data remains consent.
  • Data Protection Impact Assessment (“DPIA”) Profile: data controllers are required to prepare and maintain DPIA Profiles for their personal data processing activities. In certain circumstances DPIA Profile may need to be submitted to the regulators.
  • Cross-Border Transfer of Personal Data: in order to transfer personal data outside of Vietnam, organisations must complete and submit a Dossier of Impact Assessment for Cross-Border Personal Data Transfer (“TIA Dossier”). The regulators may halt data transfers in situations where an organisation violates national security, submits an incomplete TIA Dossier, or loses or discloses personal data of Vietnamese citizens.
  • Data Localisation: surprisingly, the PDPD has not addressed the issue of data localisation. This said, organisations should continue to observe developments on this, and follow existing laws and regulations, notably the interaction between PDPD and the Cybersecurity Law (Decree 53).
  • DPO: organisations may need to appoint a DPO and register them with the authority, especially if sensitive personal data is processed.
  • Data subject rights: certain data subject rights are now subject to a 72-hour handling deadline.
  • Data incident: data breach incidents must be notified within 72 hours of the occurrence.
What next – practical steps

In view of the tight timescales for ensuring compliance with the PDPD, organisations should move quickly to update their existing data privacy programmes and remedy any inconsistencies with the PDPD requirements.

Please contact Carolyn Bigg, Venus Cheung, or Gwyneth To if you have any questions or to see what this means for your organisation.

EU: Final version of the EDPB-Guidelines 05/2021 on the Interplay between the application of Art. 3 and the provisions on international transfers as per Chapter V of the GDPR https://privacymatters.dlapiper.com/2023/03/eu-final-version-of-the-edpb-guidelines-05-2021-on-the-interplay-between-the-application-of-art-3-and-the-provisions-on-international-transfers-as-per-chapter-v-of-the-gdpr/ Tue, 07 Mar 2023 08:27:55 +0000

Authors: Andreas Rüdiger, Philipp Adelberg

On 14 February 2023, the European Data Protection Board (“EDPB”) published the updated and final version of its Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (“EDPB Guidelines 05/2021”). Compared with the first version of the guidelines, published in 2021, the core messages of the paper remain the same: the EDPB sets out three essential criteria for qualifying the processing of personal data as a transfer to a third country. In the updated guidelines, the EDPB now specifies these requirements in more concrete terms.

Transfer to a third country

Since the GDPR itself does not define the term “transfer of personal data to a third country or to an international organisation”, and case law on this point is limited, the EDPB elaborates three cumulative criteria for qualifying a processing operation as a transfer:

  1. the controller/processor (“exporter”) is subject to the GDPR for the given processing,
  2. the exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”), and
  3. the importer is located in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Art 3 GDPR or is an international organisation.

If one of these criteria is not met, the respective processing activity cannot be considered a transfer within the meaning of the GDPR.

Even where the provisions of Chapter V of the GDPR do not apply in such cases, the EDPB expressly points out that the controller must nevertheless comply with the other provisions of the GDPR and remains fully accountable for its processing activities, regardless of where they take place, since processing outside the EU may carry particular risks (e.g. where an employee of an EU controller travels abroad and accesses that controller’s data while in a third country). Such risks may arise, for instance, from conflicting national law or from disproportionate access rights for the authorities of the third country. A controller must take these risks into account when initiating a transmission of personal data and take appropriate data security measures.

In this regard, the Committee of Independent German Federal and State Data Protection Supervisory Authorities (Datenschutzkonferenz, “DSK”), a board consisting of the federal and state data protection supervisory authorities that deals with and comments on current data protection issues in Germany, stated in its resolution of 31 January 2023 on the assessment, under current data protection law, of the possibilities for public authorities of third countries to access personal data (DSK resolution of 31 January 2023) that the mere risk that public authorities of third countries might request a transmission of personal data to the third country is not in itself sufficient to assume a transfer of data within the meaning of Art. 44 et seqq. GDPR.

Both the EDPB and the DSK provide examples of security measures to be taken in such cases. These include, among other things, the implementation of appropriate technical and organizational measures as well as a detailed examination of the law of the third country, any assurances given by the contractual partner and the possibility of complying with them, and the assessment of other risks associated with the transmission.

Specification of the criteria

The EDPB now specifies the above criteria in its second version of the Guidelines 05/2021. For this purpose, the EDPB also elaborates extensive examples of application, which illustrate the interplay between Art. 3 GDPR and Chapter V of the GDPR.

Of particular relevance is the clarification that personal data is “made available” (criterion 2) if, for example, it is accessed remotely from a third country or stored in a cloud outside the European Economic Area (EEA), provided the other criteria are also met. However, if the data processing is of a solely internal nature to the controller, i.e. the data is not transferred to another controller or a processor and therefore does not leave the organisational structure of the controller, personal data is not “made available” to another controller/processor. This is illustrated in example 8.1 of the Guidelines 05/2021.

The twelfth and last example elaborated by the EDPB is also of high importance to data protection practice. In this scenario, a controller based in the EU engages a processor that is also based in the EU but is a subsidiary of a company based in a third country. Understandably, the EDPB does not consider the transfer of personal data by the controller to the processor to be a third country transfer. However, this constellation becomes problematic where the processor, as a subsidiary, is also subject to laws of the third country in which the parent company is located that have extraterritorial effect. This may result in authorities of the third country requesting, in accordance with the applicable local law of the third country, that the personal data processed by the processor on behalf of the controller be transmitted to the respective authority. If the processor complies and transmits the data to authorities in the third country, the EDPB considers this to be a third country transfer. If the controller has prohibited such a transfer in the data processing agreement, the processor acts contrary to the instructions of the controller and is itself considered to be the controller for this processing operation pursuant to Art. 28(10) GDPR. The controller is obliged to check in advance whether the processors it engages are subject to such access rights of third country authorities and, if necessary, to take appropriate technical and organisational measures to ensure that the processing is also carried out in accordance with the provisions of Chapter V of the GDPR.

Conclusion

The legally non-binding Guidelines 05/2021 of the EDPB are to be welcomed insofar as they show, in a comprehensible and easy-to-use manner, the constellations in which a third country transfer is to be assumed within the meaning of the GDPR, in particular taking into account the rules on territorial scope under Art. 3 GDPR. In addition, they illustrate that data controllers may nevertheless risk violating the GDPR in cases where a data flow to a third country does not qualify as a third country transfer. In our opinion this is a rather abstract risk and should not lead to risk assessment obligations for a controller equal to those for actual third country transfers. However, given the complexity and multi-layered nature of the possible constellations of processing operations, companies are well advised to carefully examine the extent to which personal data is transferred to a third country when involving additional controllers or processors, in order to consider and implement appropriate security measures and avoid potential fines. Finally, it is pleasing to note the EDPB’s clarification that the transfer of personal data by a processor based in the EU to an authority in a third country may be contrary to instructions and will, if so, qualify the processor itself as a controller under Art. 28(10) GDPR.

More on how to deal with third country transfers and detailed information on DLA Piper’s legal tech tool “Transfer” can be found here.

CHINA: Final China SCCs for CBDT published – What you need to know https://privacymatters.dlapiper.com/2023/02/china-final-china-sccs-for-cbdt-published-what-you-need-to-know/ Tue, 28 Feb 2023 04:18:10 +0000

Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, and Gwyneth To

Summary: The final version of the China SCCs has now been published, meaning those organisations that haven’t had to apply for CAC approval for their cross-border transfers of personal information now have until 1 December 2023 to:

  • sign the China SCCs with overseas recipients of personal information; and
  • file a copy of the signed China SCCs and accompanying PIIA with the local branch of the CAC.

Otherwise, for those organisations that must follow the China SCCs route, cross-border data transfers must stop until these steps are taken.

Additional guidance has been given to support those organisations assessing whether they must follow the CAC assessment/approval or China SCCs routes.

Background: The long-awaited final version of the China standard contractual clauses for cross-border transfers of personal information (“China SCCs”) were finally published on 24 February 2023 by the Cyberspace Administration of China (“CAC”) via the Measures for Standard Contracts for Transferring Personal Information Overseas (“Measures”).

Timing: There is a grace period until 1 December 2023 for personal information controllers to:

  • sign the new China SCCs with overseas recipients of their personal information; and
  • file a copy of the signed China SCCs, together with the corresponding personal information impact assessment (“PIIA”, China’s version of the GDPR DPIA) completed by the organisation, with the local branch of the CAC.

The Measures will come into force on 1 June 2023, and organisations then have six months from this date to take these steps.

Who must put in place the China SCCs: personal information controllers that do not meet the thresholds for the CAC assessment/approval route, or the CAC certification for non-China personal information controllers, must follow this China SCCs route to legitimise their transfers of personal information outside of Mainland China.

By way of reminder:

  • those organisations that must follow the CAC assessment/approval route are: (1) organisations designated as a Critical Information Infrastructure Operator; (2) organisations that export “important data”; (3) organisations that process personal information of more than one million individuals and intend to export some of it; or (4) personal information controllers that transfer overseas (i) personal information of more than 100,000 individuals in aggregate, or (ii) sensitive personal information of more than 10,000 individuals in aggregate, where “in aggregate” means in the period from 1 January of the preceding year; and
  • non-China personal information controllers should instead follow the alternative CAC certification route (details not yet published).

Strictly speaking, personal information controllers that must follow the CAC assessment/approval route or the CAC certification route need not sign and file the China SCCs. Indeed, as noted below, the China SCCs are drafted on the assumption that the personal information controller is a Mainland China entity. That said, it would be sensible for such organisations nonetheless to sign the China SCCs with overseas recipients of China personal information as evidence of good practice, even if they do not need to do so within the grace period or to file them.

China SCCs apply to C2C and C2P transfers: Unlike the GDPR, the SCCs do not differentiate between controller-to-controller or controller-to-processor transfers.

The obligation to sign and file the China SCCs is on the Chinese personal information controller. It appears that, in a C2C situation, both personal information controllers (assuming both are Chinese entities and are subject to the China SCCs route) have their own obligation to file the signed China SCCs (together with each of their independent PIIAs conducted for the transfer).

It is unclear from the Measures whether personal information processors must sign and file the China SCCs with their sub-processors. While we await guidance on this, it is advisable as a matter of good practice to flow down the China SCCs to those sub-processors.

China SCCs cannot be negotiated but can be added to: Similar to the GDPR SCCs, the China SCCs must be executed “as is”. This is good news for personal information controllers who will be seeking to sign the China SCCs with the big technology vendors, as it should expedite the signing process.

On the other hand, unlike the GDPR SCCs, organisations may negotiate additional (i.e., enhanced) terms with overseas data recipients, provided that these do not conflict with the China SCCs. However, in practice, we anticipate many data processors will be reluctant to sign terms over and above the China SCCs.

Filing practicalities: Organisations must submit a filing to the local CAC branch, including:

  • the signed China SCCs – Chinese language; it is unclear whether bilingual versions will be accepted; and
  • the corresponding PIIA,

within 10 business days of the China SCCs taking effect (i.e., from the signing or effective date of the China SCCs stated on the signed version).

So effectively a filing will be needed for each overseas transfer/recipient.

Details of the in person or online filing procedure have not yet been published.

It is unclear whether “any other agreements” related to the transfers must be filed. We had previously understood that just the signed China SCCs would need to be filed, meaning that including the China SCCs in a standalone supplement to the global DPA or underlying agreement would be sensible, to manage risks of disclosing additional or commercial terms unnecessarily to the CAC. It is unclear whether that approach is sustainable, or whether the CAC will expect the full agreement, or a partially redacted version of the full agreement, to be disclosed as well. We hope the CAC will publish guidance on this sooner rather than later, given the potential impact on confidentiality clauses and contract structuring.

Updated filing if transfers change: Unlike the CAC assessment/approval route, there is no time limit on the validity or legitimacy of the China SCCs once signed and filed. However, organisations must sign a supplemental or new set of China SCCs, and refile them with the local CAC branch together with a refreshed PIIA, if:

  • there is a change in the purpose, scope, category, degree of sensitivity, method, storage location or term of the personal information transferred overseas; or
  • there is a change in the processing purpose or method of the personal information by the overseas recipient; or
  • there is a change in the personal information protection policies or regulations of the overseas recipient's jurisdiction that may affect the rights and interests of personal information subjects (effectively meaning organisations must monitor changes to overseas data protection laws, and undertake mini transfer impact assessments (TIAs) within their PIIAs, to assess whether regulatory changes overseas might have such an effect); or
  • there are other circumstances which may affect the rights and interests of data subjects.

This effectively means that active monitoring of processing activities, overseas recipients, and the laws of the jurisdictions in which they operate is necessary. We anticipate that many local and China data protection teams will need to add resources or headcount to incorporate this into their data protection compliance programmes.

China SCCs are not the only compliance step: signing and filing the China SCCs alone does not legitimise the cross-border transfer of personal information. Do not forget:

  • separate, explicit consent for the cross-border data transfer (on top of general consent to data processing and other separate consents, for example for the processing of sensitive personal information);
  • undertaking a PIIA; and
  • putting in place technical and organisational measures to ensure the data is processed to standards akin to those under China's data protection laws (such as due diligence and ongoing vendor monitoring).

The Measures specifically mention the requirement for separate consent when transferring personal information overseas for processing activities that rely on consent as their legal basis. We await clarification from the CAC as to whether processing activities relying on the (limited) alternative legal bases in the PIPL will be exempt from the separate consent requirement.

CAC assessment/approval route clarification: For those organisations that have already considered whether they must follow the CAC assessment/approval route, the CAC has clarified that organisations may not circumvent the CAC assessment route by artificially structuring the volume of personal information processed, for example by splitting it across multiple organisations or legal entities. Organisations that have not yet submitted their CAC assessment applications ahead of the 1 March 2023 deadline are therefore strongly advised to revisit their internal assessments of whether they meet the relevant thresholds.

Next steps

Organisations must execute the China SCCs as a priority, or risk having to stop cross-border transfers of China personal information. We are creating a template China SCCs addendum for organisations to use, so please contact us for support.

Please contact Carolyn Bigg (Partner) if you have any questions or to see what this means for your organisation.
