.jpg)
In the past, when people have lain awake at night thinking of November 30th, it may have been because they were looking forward to the first international football match (1872, between England and Scotland), or remembering the flames of the fire that destroyed London’s famous Crystal Palace (1936), or celebrating the year that Barbados became independent (1966).
This year, with the possible exception of the Bajans, people are not thinking of any of those things. This year, the most common feeling accompanying thoughts of November 30th outside of Barbados is dread. Because this year, November 30th is the deadline the Chinese government has given businesses moving personal data out of China to complete and submit a cross-border transfer impact assessment.
The assessment starts, innocuously enough, with a document called the Standard Contract. The Standard Contract itself is much like the EU’s Standard Contractual Clauses (SCCs): a set of unmodifiable obligations to be agreed between parties involved in any international transfer. These ones aim to give Chinese data held outside China the same protections with regard to security, transparency, data subject rights, breach notification and so on, as the PIPL grants that data when at home. Protections that are GDPR-like in their rigour and determination.
But after that, the fun starts. Because the Standard Contract does not stand alone. It must be accompanied by a description of the transfer that details the purposes of processing the data, the types of data involved, the methods of processing (i.e. the systems used to handle it), a measure of the quantity of information to be transferred (which might include numbers of data subjects involved and the number of data points per subject), the method used to make the transfer (which might include the IP addresses of the main routers/servers involved as well an estimate of relevant bandwidth), details of any third parties involved (so that’s the company’s behind all your cloud platforms), the location the data will be stored in abroad (IP addresses again), and the retention periods at that location.
Once the description has been done a Transfer Impact Assessment (TIA) must also be completed. This will include extensive information about the corporate entity doing the transfer and any recipients of the data, information security safeguards and destination data protection laws, further information about technology involved and the scope of the personal data handled.
A risk assessment is then required, one that details any risk mitigation measures, and then a power of attorney must be drawn up with a legal representative. This lawyer must be based in China and must be able can vouch for the veracity of all the aforementioned documents by signing a commitment letter guaranteeing that all that you’ve put in it is true and correct. Then and only then can they file the whole submission to the provincial representative of the Cyberspace Administration of China (CAC) local to your Chinese operation.
If you’ve got subsidiaries or different corporate branches this whole process will have to be done for each of them. And if the data to be exported is intended to land in multiple third countries, you may have to do multiple TIAs.
Given the complexity of the international data infrastructure of most large companies (in one small gesture of goodwill, PIPL only requires that you do all this if the data of more than 10,000 people is being transferred), assembling the documentation described above at the level of detail required is no small undertaking.
If you haven’t mapped your international data flows with pinpoint accuracy before tackling this challenge, you certainly will have by the end of it. It’s just another example of how keeping accurate records of processing for your company are not just a cost of doing business but, increasingly, a requirement.