Compliance of Cross-border Data Transfers
In the development of Internet industries such as cloud computing, big data, Internet of Things, artificial intelligence and blockchain, enterprises have a great demand for cross-border data transfers in the course of their daily business. Cross-border data transfers have increased due to the need for unified global management and the R&D, production and promotion of multinational companies. Regulatory frameworks for data localization and cross-border transfers have been developed and improved in various jurisdictions around the world, including China. With the promulgation in China of the Cyber Security Law, the Data Security Law, the Personal Information Protection Law, the Security Assessment Measures for Data Cross-border Transfers and other relevant laws, regulations and national standards, a management system for the cross-border transfer of important data and personal information has been established in China. However, many countries still lack sound systems and detailed requirements for cross-border data transfers, and enterprises are faced with great challenges brought about by this uncertainty.
JunHe has advised many clients in various industries regarding their cross-border data transfers. Based on regulatory requirements, corporate practices and the analysis of legislation and enforcement trends, JunHe can assist clients to implement cross-border data compliance work in a regulatory environment faced with great challenges. The work for cross-border data transfer compliance can lay the foundation for companies to establish a comprehensive and complete network security and data protection compliance system to cope with increasingly stringent security compliance regulatory requirements.
JunHe provides the following services in data cross-border transfer compliance:
Assist companies with data mapping to sort out the data cross-border transfer scenarios
We suggest that companies conduct a comprehensive review and evaluation of their data transfer situation. Our specific work includes:
JunHe to prepare a due diligence checklist on data cross-border transfer compliance.
Company to arrange and coordinate with the relevant departments both at home and abroad to reply to the DD checklist and designate contact persons for the relevant departments in the project.
JunHe to assist the company to sort out data cross-border transfer scenarios according to the DD result and follow-up interviews, such as the type, nature and volume of the data transfer, the purpose and method of the data transfer, the business scenario involved, the data transfer link, and the overseas recipients involved.
Cross-border Data Transfer Compliance Paths (Three Paths: Security Assessment, Standard Contract, Personal Information Protection Certification)
Based on the sorted data cross-border transfer scenarios and in accordance with laws and regulations, a preliminary evaluation will be made on the scale, scope, quantity and nature of data to be exported so as to determine the compliance path and make suggestions for the data transfer, such as:
Whether the data transfer triggers a security assessment, and if a security assessment is triggered, how to make applications
If the data transfer doesn’t trigger a security assessment, which compliance path should be chosen
If the standard contract is chosen as the data transfer compliance path, with which overseas recipients should a standard contract be signed, and how to sign the standard contract
How to carry out a personal information protection impact assessment and the action plan for such assessment
If the certification path is chosen, then the certification schemes and solutions and the compliance work needed to complete the certification shall be confirmed
Assist companies to carry out cross-border data transfer implementation work
Security Assessment
JunHe can assist companies to complete security assessment work of cross-border data transfer, such as:
Make supplemental summaries required for a security assessment according to the preliminary results of the cross-border data transfer of companies
Assist companies to complete self-assessment of cross-border data transfer and prepare self-assessment report
Provide legal opinions and assist with rectifications in respect to compliance gaps discovered during self-assessment
Prepare and sign data transfer agreements and documents
Assist in the preparation of application materials to be submitted to the relevant regulatory authorities, such as the self-assessment report, the data transfer agreement and other application materials
Communicate and coordinate with regulatory authorities and assist in obtaining approval from the regulatory authorities
Standard Contract
JunHe can assist companies to complete compliance work for the standard contract path:
Make supplemental summaries required for personal information protection impact assessment according to the preliminary results of the cross-border data transfer of companies
Assist companies to complete personal information protection impact assessment and prepare assessment report
Provide legal opinions and assist with rectifications in respect to compliance gaps discovered during impact assessment
Supplement and assist companies to sign the standard contract
Assist in the preparation of documents required for filing, including personal information protection impact assessment report and standard contract
Assist in completing personal information protection impact assessment and filing standard contract
Personal Information Protection Certification
JunHe can assist companies to complete personal information protection certification. Services include assisting companies to confirm with the certification agency regarding the implementation plan and procedures of certification, analyze the compliance gaps in the current personal information transfers according to the requirements of personal information protection certification, and put forward rectification suggestions and assist in completing rectification, so as to comply with the personal information protection certification requirements.
Follow up on the development and implementation of future regulations and national standards
It is advisable for companies to pay close attention to the revision of data export regulations and national standards and the implementation rules released by relevant regulatory authorities. JunHe could assist in the interpretation and analysis of relevant legislative and regulatory changes and trends.
Recent Representative Cases
Assisted several well-known multi-national corporations to carry out cross-border data transfer security assessments;
Assisted several industry leading multi-national corporations to carry out cross-border data flow compliance assessments, data export impact assessments, and assisted in the negotiation and drafting of cross-border data transfer agreements.