1. Legal Background
On 24 February 2023, the Cyberspace Administration of China ("CAC") officially released the final version of the Measures for Standard Contract for the Outbound Transfer of Personal Information (the "Standard Contract Measures"), which includes a template Standard Contract, so that the three major routes for the cross-border transfer of personal information as stipulated in Article 38 of the Personal Information Protection Law ("PIPL") are clear:
(1)passing the mandatory security assessment organized by the CAC ("Security Assessment");
(2)obtaining a personal information protection certificate issued by a qualified institution ("Certification"); and
(3)concluding and filing the Standard Contract formulated by the CAC with the overseas recipient ("Standard Contract")
Multinational Corporations ("MNCs") always lay out branches around the world, based on the company's unified management of employee personal information needs, which will inevitably involve with the issue of the cross-border transfer of employee personal information. Based on our practical experience, a large proportion of MNCs set up entities in China mainly for marketing, and the number of employees involved in the personal information cross-border transfer is usually less than 1,000 and not more than 10,000.
In this article, we will review the scenarios and compliance sore points for MNCs exporting employee personal information, present the reasons for choosing the Standard Contract route and summarise the compliance work that MNCs need to carry out under this route.
2. Scenarios and Compliance sore points of export of employee personal information by MNCS
1.What are the typical scenarios for the cross-border transfer of employee personal information?
The cross-border transfer of employee personal information is the lifeblood of a multinational company, whose parent company manages its global workforce through an integrated global HR system. Without these transfers, the payment benefits, network access, staff management system, succession planning and other core functions would not be possible.
There are two main forms of providing employee personal information abroad: (1) where a domestic company provides employee personal information directly to the foreign company (e.g. via company email, OA system); (2) where a domestic company uses an HR management system with servers located outside the country (e.g. Workday, SAP).
2.What are the compliance difficulties for the cross-border transfer of employee personal information?
(1)Forms of notification and obtaining consent
The cross-border transfer of employees' personal information not only involves with different legal entities within and outside of China, but also usually contains sensitive personal information. Therefore, in accordance with the requirements of PIPL, employees should be informed of the name of the overseas recipient, the purpose of processing, the method of processing, the type of personal information, etc., obtaining consent from employees is necessary as well.
The final version of the Standard Contract Measures eases the separate consent requirement for the cross-border transfer of employee personal information. Specifically, the Standard Contract Measures states that separate consent is only required where the legal basis for processing personal information is based on the consent of the individual. Where the cross-border data transfer is based on other legal bases, such as for the performance of statutory duties or obligations, there would be no obligation under the Standard Contract Measures for the personal information processor to obtain separate consent from the individual.
In practice, due to the differences in organizational structure, employee size, and management logic among MNCs, the form of consent obtained varies. It is necessary to customize a differentiated employee privacy notice by the actual situation of the company, and to upgrade the company system such as the employment contract and employee data protection policy to meet the requirements of compliance.
(2) The legitimacy and necessity of the cross-border transfer of employee personal information
In practice, MNCs often mistakenly believe that they can export all personal information of their employees as long as they have their consent, thus neglecting to follow the principle of necessity. For instance, it is minimally necessary for a head office to require the domestic company to transfer personal information such as names, grades and bank accounts abroad for global payment management, whereas gender and family information is not directly related to the above purposes.
3. Why choose the Standard Contract route?
Due to the high threshold for triggering Security Assessment, the applicable subjects and scenarios are limited as well, Standard Contract has the following advantages compared to Certification:
1. Efficient and convenient, with lower compliance costs. An executed standard contract basically only requires filing, whose cycle is significantly shorter than the reporting and approval cycle of the Security Assessment (5+7+45+15 working days), making it easier to implement for the MNCs;
- The standard contract is the most widely used international route for the cross-border transfer of personal information. Standard Contract draws on the proven practices of the GDPR and facilitates the convergence of compliance systems within MNCs. For instance, based on the need to build a global compliance privacy system, MNCs prefer standard contract route to integrate the personal information protection compliance requirement under PRC law into the global regulatory framework under the GDPR or the compliance framework of their own personal information protection legislation.
- Open and flexible dispute resolution, which not only allows the parties to choose between litigation and arbitration, but also open the choose of international arbitration institution. The design of this clause not only solves the problem of the recognition and enforcement of domestic court decisions abroad, but also meet the preferred choice of the dispute resolution method by overseas companies.
In summary, the Standard Contract route is more suitable for the scenario of cross-border transfer of personal information of employees within MNCs with small data volume and low risk..
4. What are the processes to complete the Standard Contract route?
(i)Preliminary work
1. Data sorting
Due to the restrictions on the conditions of using the standard contract route, in the case of cross-border transfers of employee personal information, the domestic company needs to sort out its basic situation to determine whether it meets the threshold for security assessment, including whether the company is a critical information infrastructure operator (“CIIO”); whether the company has handled personal information of more than 1 million people, whether the company has transferred personal information of a total of more than 100,000 or sensitive personal information of a total of more than 100,00 abroad in the last two natural years. Otherwise, the security assessment would be triggered and the standard contract route cannot be used.
2. Completion of Personal Information Protection Impact Assessment ("PIA")
(1) Establishing a PIA working group;
(2) Carrying out the PIA on its own or hiring a third-party agency (such as a law firm);
(3) Key matters involved in the PIA:
a. Whether the purposes and methods of processing are lawful, legitimate and necessary;
b. The impact of the size, scope, type and sensitivity of the outbound information on individuals' rights and interests and security risks;
c. Whether the protection measures taken are lawful, effective, and commensurate with the degrees of risks, such as whether the data security management capability and technical protection measures of the overseas recipient match the degrees of risks;
d. Whether there are smooth channels for individuals to protect their rights and interests of their in personal information, etc.
(4) Produce a PIA report (PIA reports and records on processing shall be preserved for at least three years)
(ii) Concluding a standard contract
Given that the terms of a standard contract cannot be modified and that other cooperation agreements signed by the parties cannot conflict with the standard contract, special attention should be paid to conflicts and compatibility between agreements within MNCs before concluding a standard contract, e.g. to check the compatibility of different agreements, in particular the conflict of rights and obligations of the parties, the application of the law and the responsibility for regulatory response, etc.
(iii)Supervision and management
1. Post filing
(1) Materials: the executed standard contract and the PIA report;
(2) Process: within 10 working days from the effective date of the standard contract, undergo recordation formalities with the cyberspace administration of the province or equivalent where it is located;
(3) Re-filing: under any of the following circumstances during the validity of the standard contract, MNCs shall conduct a new PIA, retroactively conclude a standard contract or conclude a new one, and perform the corresponding recordation procedures:
a. There is any change to the purpose, scope, type, sensitivity, manner, or storage location of personal information transferred aboard, or any change in the purpose and method of processing personal information by the overseas recipient, or an extension of the overseas retention period of personal information;
b.There is any change to personal information protection policies and regulations in the country or region where the overseas recipient is located, which may affect the rights and interests in personal information;
c. Other circumstances that may affect the rights and interests in personal information.
(4) Filing cycle: According to our practical experience, it is expected to take 3-4 months to complete the above procedures.
2. Continuous monitoring
(1) Continuously monitoring the processing activities of the overseas recipient and keeping audit records;
(2) Establishing and maintaining appropriate channels to respond promptly to requests from personal information subjects for individual exercise of rights, provision of copies of contracts, etc;
(3) Accepting enquiries from regulators, providing relevant information, cooperating with supervision and inspection, etc.
In general, for the aforementioned MNCs with smaller data volumes and lower risks, it is less likely to trigger a security assessment, and concluding a standard contract or carrying out certification are two more appropriate routes. However, taking into account the feasibility of the Certification, the cost of compliance and the acceptance of overseas entities, we believe that the Standard Contract route is more suitable for MNCs providing employee personal information abroad at this stage.
