Compliance of Cross-border Data Transfers

With the rapid development of cloud computing, big data, IOT, block chains and other digital innovations and the increasing needs of multinational companies for centralized management, R&D, production and marketing, the demands to conduct cross-border data transfer are high in companies’ daily operations. Various jurisdictions around the world including China are developing and improving regulatory framework for data localization and data export. For the first time in China, the Cybersecurity Law (effect in 2017,”CSL”) imposes general obligations on the data localization and data export on critical information infrastructure operators. The subsequent draft regulations and national standards, which have been issued and revised several times, have expanded the applicability scope of those obligations. However, due to the rapid changes of the regulations and the lack of specific rules, companies are facing great challenges and uncertainties in compliance with cross-border data transfers regulations.

In practice, JunHe has extensive experience in providing legal advices on data export to customers from various industries. JunHe could assist customers to live with the uncertain regulations, and help to achieve compliance based on our deep understanding of relevant laws, regulations, company practices and the analysis of legislative trends. The work done for the data export compliance will also place companies in a better position to establish a comprehensive cybersecurity and data protection system, and to better deal with the increasingly stringent regulatory requirements.  

JunHe provides the following specific services on the compliance for cross-border data transfer:

Conduct data mapping and set up data inventory

We recommend that the client conducts data mapping on data exports through the following steps:

  • JunHe prepares a DD questionnaire on data export compliance

  • The client arranges and coordinates the relevant departments’ responses to the questionnaire, and designate a representative from each relevant department for this compliance program

  • Formulate the mapping results, including an inventory on the nature and quantity of data to be exported, the circumstances and plans of data export, and the overseas recipients

Preliminary assessment for compliance risks

Conduct an internal assessment based on the above results and the (draft) regulations, and compliance plans and other recommendations will be proposed based on the preliminary assessment results.

  • Export of personal information

Key assessment points include: whether the export complies with laws and regulations; whether the client has reached an appropriate and effective agreement with the recipient; whether the client has a record of damaging the legitimate rights and interests of personal information subjects and/or causing major cybersecurity incidents; and whether the personal information is lawful and legitimate.

  • Export of important data

Key assessment points include: whether the export purpose satisfies the requirements of legality, appropriateness and necessity; the security risks of the cross-border transfer; the attributes of the data and the likelihood and the possible impact of a security breach.

Conduct formal security assessments

JunHe could assist clients in conducting the formal assessment for data export through the following steps:

  • Conduct self-assessment and provide legal advice according to specific requirements of the effective regulations

  • Prepare for and execute relevant agreements and documents regarding data export

  • Formulate various internal policies on data export

  • Assist in the pre-assessment and trial assessment of the data export and set up relevant assessment mechanisms

  • Assist in the preparation and review of application document to government authorities, such as declaration forms, transmission contracts and reports on security risks and safeguard analyses 

Follow up on future regulations and national standards

JunHe could assist in the interpretation and analysis of relevant legislative and regulatory changes and trends in the future. 

Recent Representative Cases

  • Provide assistance for overall CSL compliance, data protection, and data export; draft and review relevant legal documents for a number of well-known multinational banks, investment management agencies, payment platforms

  • Provide advice on personal information protection, App compliance and cross-border data transfer to several famous multinational internet companies and e-commerce platforms

  • Provide advice on personal information protection, CSL compliance and data export to several world-renowned medical groups, high-tech chemical companies, and advanced agricultural products and service providers

  • Provide advice on CSL compliance, data protection, and cross-border data transmission to a number of cosmetics, fashion, apparel, luxury, entertainment, and catering companies