On May 23, 2023, China released the Information Security Technology－ Implementation Guidelines for Notices and Consent in Personal Information Processing, which take effect December 1, 2023.
The Implementation Guidelines provide more details about the notice and consent required for cross-border transfer of personal information.
On May 23, 2023, the National Information Security Standardization Technical Committee (“TC260”) released the Information Security Technology－ Implementation Guidelines for Notices and Consent in Personal Information Processing (GB/T 42574-2023) (“Implementation Guidelines”), which take effect December 1, 2023.
The Implementation Guidelines apply to personal information handlers' protection of individuals' rights and interests when carrying out personal information handling activities. Nonetheless, the Implementation Guidelines are a recommended (GB/T) rather than a mandatory standard; they serve as a reference for supervision, inspection, and evaluation of personal information handling under China’s Personal Information Protection Law (“PIPL”).
For cross-border data transfer, a personal information handler is required to obtain the data subject’s separate consent, in addition to conducting a personal information protection impact assessment and implementing one of three main cross-border data transfer mechanisms (i.e., passing a security assessment organized by the Cyberspace Administration of China, obtaining personal information protection certification issued by an authorized institution, or incorporating standard contractual clauses into a contract with the overseas recipient). Article 39 of the PIPL requires that a personal information handler providing personal information to any party outside China (1) notify the data subject of the overseas recipient's name and contact information, purposes and methods of handling, categories of personal information to be handled, the methods and procedures for individuals to exercise their rights under PIPL over the overseas recipient and (2) obtain the data subject’s separate consent.
Section 9.3.6 of the Implementation Guidelines proposes additional detailed requirements, including:
1) A personal information handler providing personal information to an overseas recipient shall inform the data subject of the recipient's identity and contact information, the handling purpose, handling method, type of personal information, storage period, and storage location of the personal information (at minimum specifying the country or region), and the way in which the data subject may exercise relevant rights over the overseas recipient, and shall obtain the data subject's separate consent;
2) If the business function involving outbound personal information in a product or service can be separated from other business functions, the personal information handler should distinguish it from the other business functions, so that individuals can give separate consent for the outbound transfer;
3) If an individual declines to give consent for business functions involving outbound personal information, the normal use of the other service functions shall not be affected;
4) Separate consent for the cross-border transfer may be obtained in advance at the time the personal information is collected. If the other conditions for cross-border transfer are met, consent need not be obtained again for each subsequent transfer;
5) If laws and regulations stipulate that providing personal information to an overseas entrusted handler also requires individual consent, such separate consent may be obtained in accordance with 1)-4) above;
6) If an individual voluntarily sends his or her personal information to the overseas recipient through email, SMS, a click-to-run service, or online submission, or directly confirms after reading the personal information handling rules published by the overseas recipient, he or she shall be deemed to have given separate consent.
Implications for U.S. Colleges and Universities
To ensure compliance with PIPL, U.S. higher education institutions should disclose personal information handling rules (e.g., PIPL privacy policies) and obtain all necessary consents (including the separate consent required for cross-border transfer) before collecting any personal information from Chinese individuals. Common situations in which U.S. institutions of higher education might be subject to the notice and consent requirements of PIPL include, for example, receiving applications from Chinese students, conducting research that utilizes Chinese individuals’ personal information, or administering advancement efforts with alumni resident in China.
U.S. colleges and universities that receive personal information from individuals in China are likely to find the Implementation Guidelines helpful to their compliance efforts, since the guidelines: (1) state that consent to cross-border transfer may be given at the time the personal information is initially collected from the individual (i.e., the personal information handler may collect both consents at the same time, thus reducing administrative burden); and (2) clarify that separate consent to the cross-border transfer of personal information is deemed to have been given when an individual in China gives his or her personal information voluntarily to the overseas recipient through electronic means. For example, if a prospective student in China submits his or her personal information to the U.S. institution’s website (after being provided with any required notices), then the prospective student will be deemed to have given consent to the cross-border transfer of that information without having to complete a separate consent form agreeing to the overseas transfer. Of course, and as mentioned above, institutions must ensure that any transfer of personal information out of China complies not only with notice and consent requirements but also with separate requirements set forth in the PIPL and other Chinese data security laws regarding personal information protection impact assessments and cross-border data transfer mechanisms.