On September 28, 2023, Chinese regulatory authorities published Draft Measures on regulating and facilitating cross-border transfers; the measures are open for public consultation until October 15, 2023.
The Draft Measures contain a number of exemptions that may make it easier for U.S. colleges and universities to conduct cross-border transfers of personal information in compliance with PIPL Article 38 requirements. However, each exemption contains limitations and/or ambiguities that U.S. colleges and universities should be aware and cautious of.
Experts are hopeful that the Draft Measures will be finalized ahead of the December 1, 2023 deadline for executing PIPL standard contractual clauses.
Most U.S. colleges and universities attempting to comply with China’s Personal Information Protection Law (PIPL) have encountered scenarios where they have found it impractical or even impossible to comply with the PIPL’s cross-border transfer requirements. These institutions are apparently not alone, as the Cyberspace Administration of China (CAC) has responded to public concerns by drafting measures intended to make cross-border transfers less burdensome (Draft Measures).
PIPL Cross-Border Transfer Requirements
Under PIPL Article 38, to transfer personal information from China to another country, personal information handlers must pass a security assessment conducted by the CAC, obtain personal information protection certification from a local Chinese certification authority, or execute PIPL standard contractual clauses (collectively referred to as Article 38 Safeguards).
When a U.S. institution needs to transfer personal information from China to the U.S. (e.g., to handle admission applications from applicants in China; to provide academic and administrative services to students studying in China; to operate a wholly foreign-owned enterprise, aka a WFOE, in China; etc.), the PIPL requires the U.S. institution to implement an Article 38 Safeguard. Similarly, when a U.S. institution works with a Chinese partner that needs to transfer personal information from China to the U.S. (e.g., to provide a cooperative education program; recruit Chinese students; perform international research; etc.), the U.S. institution must ensure that the Chinese partner has implemented an Article 38 Safeguard to mitigate risks such as financial loss, operational disruption, and reputational damage.
Each Article 38 Safeguard presents unique challenges to U.S. institutions, some of which are insurmountable for most, if not all, colleges and universities. While institutions were initially hopeful that the PIPL standard contractual clauses would serve as a feasible Article 38 Safeguard, many hopes were dashed in February 2023 when the CAC published measures requiring institutions to submit the fully executed standard contractual clauses along with a cross-border transfer impact assessment and other documentation to the CAC for approval.
Thankfully, the CAC has now published Draft Measures containing several exemptions that, once finalized, will allow U.S. institutions to engage in some cross-border transfers without needing to implement an Article 38 Safeguard.
Academic Cooperation Exemption
Don’t celebrate yet—this isn’t nearly as exciting as it sounds. While the Draft Measures contain an exemption for data transferred for the purpose of academic cooperation, the exemption is limited to transfers that do not contain any personal information. With “personal information” being broadly defined as any information related to an identified or identifiable individual, it is hard to imagine any academic cooperative program that does not involve the transfer of any personal information. Plus, this exemption is essentially meaningless for PIPL data privacy compliance purposes because transfers that do not contain personal information were never within the PIPL’s material scope in the first place.
Contractual Necessity, HR Management, and Vital Interests
Setting aside the academic cooperation red herring, institutions with applicants, employees, or students in China will be happy to read that another set of exemptions provides that no Article 38 Safeguard is needed for transfers based on contractual necessity; human resources management; or protection of life, health, and property. In such case, data subject’s consent is also not required under the PIPL.
The contractual necessity exemption applies when personal information must be transferred from China to enter into and perform a contract to which the personal information subject is a party. The Draft Measures provide some examples of situations where this exemption applies, including transfers needed to complete a sale or purchase and transfers needed to process visa applications. The exemption and its examples indicate that the exemption would allow institutions to transfer the personal information of applicants, students, alumni, and other individuals in China when necessary for the provision of the institution’s services without implementing an Article 38 Safeguard.
Furthermore, the exemption may allow institutions to transfer personal information for the purpose of providing essential academic services that institutions agree to provide to prospective and enrolled students (e.g., processing admission applications, issuing grades, transcripts, diplomas, etc.). However, institutions should be cautious when relying on this exemption, as the definition of “necessary” requires further clarification from the CAC. Institutions should also be cautious of overreliance on this exemption, as an Article 38 Safeguard will likely still be needed to transfer students’ personal information in relation to other handling activities that institutions typically engage in, such as handling their personal information in relation to advancement activities or to comply with the institution’s regulatory and accreditation obligations.
The human resources management exemption applies when internal employees’ personal information must be transferred from China for the purpose of human resources management that an institution performs in accordance with applicable Chinese labor laws and employment contracts that comply with such laws.
While this exemption appears broad on its face, it will be of use only to U.S. institutions with legal entities in China, as the exemption applies only to the transmission of employees’ personal information between multinational companies and their PRC (Chinese) entities. Therefore, even if a U.S. institution contracts to employ its faculty with a Chinese partner institution or a Chinese professional employer organization (PEO), the institution will nevertheless need to implement an Article 38 Safeguard to transfer the personal information of faculty, researchers, and others working in China from China back to the U.S. institution.
The vital interests exemption applies when personal information must be transferred from China for the purpose of protecting an individual’s life, health, and property in an emergency. This exemption will come as a relief for U.S. institutions with students studying at Chinese institutions, as the Chinese institutions will be permitted to inform U.S. institutions of emergencies involving a U.S. institution’s students even if the U.S. institution and the Chinese institution have not implemented an Article 38 Safeguard.
Information Generated and Collected Outside China
Another exemption provides that no Article 38 Safeguard is needed to transfer personal information generated and collected outside China. This exemption is particularly helpful to institutions that collaborate with partners in China, as it relieves them of the need to implement an Article 38 Safeguard to transfer personal information generated and collected within the U.S. (or anywhere else outside China). For example, when a U.S. institution has human subjects research data that was generated and collected within the U.S., the exemption allows the institution to collaborate with a research partner in China to analyze and return the data to the U.S. institution without implementing an Article 38 Safeguard.
Transfers Involving Under 10,000 Individuals
One of the potentially broadest exemptions requires no Article 38 Safeguard when an institution estimates that its transfers will involve less than 10,000 individuals per year. Since the threshold is based exclusively on the number of individuals and is not based on the type of personal information transferred, it makes no difference whether the transfer includes sensitive personal information. As long as an institution’s transfers of personal information (including sensitive personal information) from China involve under 10,000 individuals per year, the transfers are exempt from Article 38 requirements under the Draft Measures. However, the Draft Measures do not specify whether an institution's estimate must be based on the number of individuals involved in transfers across a calendar year, a fiscal year, or a rolling year. Until Chinese regulatory authorities publish guidance on this exemption, institutions should err on the side of caution by performing calculations under any possible interpretation and implementing an Article 38 Safeguard if any calculation adds up to 10,000 or more individuals.
The 10,000-individual threshold is based on the number of individuals involved in transfers from one exporter to any importer. Thus, the exemption is particularly limiting insofar as U.S. institutions receive personal information from large Chinese organizations (e.g., large recruitment agencies), as such organizations may easily exceed the 10,000-individual threshold when considering all individuals whose personal information is transferred on behalf of all the organization’s foreign clients. In such cases, U.S. institutions will need to implement an Article 38 Safeguard to allow the transfer of personal information from the Chinese organization to the U.S. institution, regardless of how many individuals are involved in transfers from the Chinese organization to the U.S. institution.
Information not on the Negative List
It remains to be seen whether the final exemption will be broad, narrow, or something in between. This exemption allows, but does not require, the Chinese Pilot Free Trade Zones (PFTZs) to independently determine and list types of data that require an Article 38 Safeguard to transfer from China, thus establishing what the Draft Measures have named a “Negative List,” and it exempts transfers of any data not included on the Negative List. It is not yet known if or when the PFTZs will create the Negative List, as the Draft Measures do not impose any deadline, so institutions should closely follow developments from the CAC to understand which types of data may be included on the Negative List and thus exempt from Article 38 requirements.
While the Draft Measures provide several potential avenues for exemptions to the Article 38 requirements, colleges and universities should be mindful of the fact that the exemptions may not be applied to transfers involving any data that is considered Important Data. However, the Draft Measures do provide some much-needed clarification regarding Important Data. The 2021 Outbound Data Transfer Security Assessment Measures (2021 Measures) limit the Article 38 Safeguard options available to personal information handlers that transfer Important Data from China. Specifically, the 2021 Measures require them to pass a security assessment conducted by the CAC (i.e., they cannot use PIPL standard contractual clauses or obtain personal information protection certification to comply with PIPL Article 38). This begs the question—what is Important Data?
The 2021 Measures define Important Data as “data that, if it is altered, destroyed, leaked, illegally acquired or illegally used, etc., may harm [China's] national security, economic operations, social stability, public health or security, etc.” This vague and potentially broad definition has caused concern among many U.S. institutions, particularly research institutions, regarding whether the data they transfer from China falls under the scope of Important Data and thus requires them to undergo a potentially invasive CAC security assessment. While the 2021 Data Security Law requires local governments or departments, as well as relevant industries, to develop Important Data catalogs listing the types of data that qualify as Important Data, currently, the important data catalogs for most industries are still in a draft stage or, in some cases, are completely undeveloped. Thankfully, the Draft Measures clarify that unless relevant government bodies or departments have (1) notified the institution that the data qualifies as Important Data, or (2) publicly disclosed that the data qualifies as Important Data, then the 2021 Measures do not require the institution to pass a CAC security assessment.
What to Expect Next
The Draft Measures are open for public consultation until October 15, 2023. After the first round of public consultation, the CAC could finalize the Draft Measures or call for an additional round of public consultation. With the looming December 1, 2023 deadline for executing PIPL standard contractual clauses when needed as an Article 38 Safeguard, experts are hopeful that the Draft Measures will be finalized before then.
Recommendations for U.S. Colleges and Universities
For transfers that currently require PIPL standard contractual clauses as an Article 38 Safeguard but will be exempt under the Draft Measures, prepare standard contractual clauses, cross-border transfer impact assessments, and other necessary documents now so that they are ready to submit to Chinese regulatory authorities ahead of the December 1, 2023 deadline, if needed.
Hold onto the prepared materials, and closely monitor developments related to the Draft Measures leading up to the December 1, 2023 deadline. If the Draft Measures are not finalized before the December 1, 2023 deadline, then submit the prepared standard contractual clauses, cross-border transfer impact assessments, and other necessary documents before the December 1, 2023 deadline to comply with PIPL Article 38 cross-border transfer requirements.
After the Draft Measures are finalized, be aware and cautious of each exemption’s limitations and ambiguities, and err on the side of caution until official guidance is published.