On the 7 July 2022, the Cyberspace Administration of China (“CAC“) promulgated the Measures for the Security Assessment of Outbound Data Transfers (“Measures“), which are due to take effect on 1 September 2022.

The Measures contain 20 Articles that we have grouped into the following 11 themes:

  1. Purpose and scope – Articles 1 & 2
  2. Important data – Article 19
  3. Security Assessment triggers – Article 4 & 14
  4. Data transfer legal documents – Article 9
  5. Ex-Ante Self-assessments – Article 5
  6. Security Assessment applications – Article 6
  7. Security Assessments – Article 3, 8, 10, 11 & 14
  8. Security Assessment timescales – Article 7, 12 & 13
  9. Confidentiality obligations – Article 15
  10. Liability – Article 16, 17 & 18
  11. Effective date and transitional period – Article 20

We explore each theme below before discussing some issues raised at a press conference held by the CAC on 7 July 2022.

Purpose and scope

Article 1 of the Measures states that their purpose is “to regulate outbound data transfer activities, protect personal information rights and interests, protect national security and social and public interests, and promote a safe and free flow of data across borders

Article 2 then provides that the measures apply to Security Assessments of outbound data transfers involving important data and personal information collected and generated by data processors through their operations in China. Accordingly, it seems that the Measures do not apply extraterritorially to personal information collected and generated by data processors from outside of China.

Important data

Important data is presently an unclear legal concept with no overarching definition. At a conceptual level, it seems that the legal obligations relating to important data lie somewhere in the middle of a spectrum between personal information and state secrets.

The Measures define important data in the context of outbound data transfers only. At this time, only one other source of law defines important data, namely the Several Provisions on Vehicle Data Security Management (Trial) (“Trial Provisions“). We compare the definition in the Measures with that in the Trial Provisions, omitting its enumerated examples, below. 

The Measures:

For the purposes of these Measures, the term “important data” means any data, the tampering, damage, leakage, or illegal acquisition or use of which, if it happens, may endanger national security, the operation of the economy, social stability, public health and security, etc.

The Trial Provisions:

The term “important data” refers to any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may lead to endangerment of national security or public interests, or infringement of the lawful rights and interests of an individual or organisation, including…

One might note that both definitions are risk-based but, except for endangering national security, the risks identified vary slightly. What this means in practice and how multiple definitions of important data will interact are unclear.

As the CAC was involved in the drafting of both regulations, the differences seem to highlight the following core definition:

Data that may harm the interests of the nation, public, or persons if breached.

Security Assessment triggers

A data processor must apply to provincial CACs for a Security Assessment in advance of outbound data transfers in the following circumstances:

  • transfers of important data;
  • it is a Critical Information Infrastructure operator (“CIIO“);
  • it is a personal information processor that has processed the personal information of more than 1,000,000 individuals;
  • it has made cumulative outbound transfers of the personal information of more than 100,000 individuals since 1 January of the previous year;
  • it has made cumulative outbound transfers of the sensitive personal information of over 10,000 individuals since 1 January of the previous year; and
  • the transfer falls within other situations prescribed by the CAC.

Whether a company might be identified as a CIIOs remain unclear in many industries. Nevertheless Article 10 of the Regulations on the Security Protection of Critical Information Infrastructure, states that the authorities will inform a company that it is CIIO once identification takes place. Therefore, for practical purposes, companies can consider themselves as not being CIIOs until the authorities tell them otherwise.

It is understood that many companies, and multinationals in particular, would prefer to see a rise in the transfer thresholds that trigger Security Assessments.

Data transfer contracts

The Measures state that contracts, which it refers to as legal documents, between the data exporter and data importer for outbound data transfers should cover:

  • the purpose and method of the outbound data transfer, the data scope, and the data processing purpose and method;
  • the data retention location and duration, and obligations when the data retention period expires, the transfer purpose completes, or the agreement ends;
  • restrictions against onward data transfers to others;
  • security measures to be adopted when a material change occurs concerning the overseas recipient, the destination country’s legal, regulatory and cybersecurity environment, or a force majeure event occurs which makes it difficult to ensure data security;
  • remedial measures, liability for contractual breaches and dispute resolution mechanisms for breaching data security protection obligations; and
  • requirements for proper emergency disposal and ensuring that individuals can safeguard their personal information rights and interests when their data is exposed to risks, such as being tampered with, damaged, leaked, lost, relocated, or illegally acquired or used.

On a related note, on 30 July 2022, the CAC issued the Draft Provisions on Standard Contracts for the Export of Personal Information, which also deal with outbound data transfers and contain a draft Standard Contract for use in situations that would not trigger a Security Assessment under the Measures. While contracts drafted under Article 9 may have some similar features to the draft Standard contract, companies should not automatically assume that signing a Standard Contract would meet the requirements of the Measures or vice versa.

Please see China Releases Draft Standard Contract for Cross-border Data Transfers by Samuel Yang and Cross-Border Data Transfers: A Comparison of the EU And Chinese Standard Contractual Clauses by Samuel Yang and Chris Fung for more information about the draft Standard Contract.

Ex-Ante Self-assessments

After a Security Assessment is triggered, but before a Security Assessment application occurs, a data processor is obliged to conduct a Ex-Ante Self-assessment. Data processors are required to address the following matters during Ex-Ante Self-assessments:

  • the legality, legitimacy, and necessity of the outbound data transfer and the overseas recipient’s data processing in relation to the purpose, scope, method, etc.;
  • the outbound data’s quantity, scope, type and sensitivity, and the risk the outbound data might pose to national security, public interests, and the lawful rights and interests of individuals and organisations;
  • whether the overseas recipient’s responsibilities and obligations, and their management measures, technical measures and capabilities to perform such responsibilities and obligations can ensure the security of the outbound data;
  • the risk of the outbound data suffering data breaches, including unauthorised onward transfers, during and after the outbound data transfer, and whether individuals have unobstructed channels to safeguard their rights and interests in their personal information and other data;
  • whether the data security protection responsibilities and obligations are sufficiently stipulated in the data transfer contract or other documents; and
  • any other matters that might affect the security of the outbound data.

Some of the factors described above are also covered by personal information protection impact assessments (“PIPIAs“) required under the Personal Information Protection Law (“PIPL“). We believe it would be cheaper and more efficient for companies to combine all assessment factors under both the PIPL and the Measures within a single consolidated Ex-Ante Self-assessment.

Security Assessment applications

Applications for Security Assessments should contain:

  • a completed Security Assessment application form;
  • a copy of the Ex-Ante Self-assessment report;
  • a copy of the outbound data transfer contract; and
  • any other materials the CAC requires.

Security Assessments

Article 3 of the Measures provide that Security Assessments of outbound data transfers should combine ex-ante assessments and ongoing supervision, and Ex-Ante Self-assessment and Security Assessment.

The substantive content of CAC Security Assessments overlap significantly with Ex-Ante Self-assessments, except in relation to the following:

  • the impact of data security protection policies, legislation and the cybersecurity environment of the country or region where the overseas recipient is located in relation to the security of the outbound data, and whether the overseas recipient’s data protection level meets the requirements of Chinese laws, administrative regulations and mandatory national standards;
  • compliance with Chinese laws, administrative regulations and departmental rules; and
  • other matters the CAC deems necessary to assessed.

We note that item 1) above seems to describe something like transfer impact assessments under the EU’s GDPR and that data processors are not required to cover such things in their Ex-Ante Self-assessment report.

Given the limited resources of government departments, it is doubtful that they would make such assessments on a case-by-case basis. Therefore, we wonder how such assessments are made, whether a central transfer impact assessment list exists at this time (which one might regard as China’s answer to adequacy decisions), whether such a list will become publicly accessible, and how it will be managed and updated.

The CAC may terminate Security Assessments if it requires additional materials, and a data processor refuses to submit them.

Article 14 of the Measures states that the results of a Security Assessment are valid for two years unless retriggered by any of the following situations:

  • any change to the outbound data transfer’s purpose, method or scope, the data type, or the overseas recipient’s data processing purpose or method which will affect the security of the outbound data or extend retention periods;
  • any change to data security protection policies, legislation, the cybersecurity environment or any other force majeure event where the overseas recipient is located,
  • any change in the actual control of the data processor or overseas recipient or any change to the data transfer agreement affecting the security of the outbound data; or
  • any other circumstances that may affect the security of the data.

Data processors will need to apply for a reassessment after expiration. The CAC have stated that: “When the validity period expires and it is necessary to continue to carry out data export activities, the data processor shall re-apply for evaluation 60 working days before the validity period expires.”

Security Assessment timescales

Security Assessment applications should be submitted to provincial CAC offices, which should conduct a completeness check of the application documents within 5 working days. Thereafter, the national CAC will then review the application documents and decide whether to accept the application within 7 working days, after which the central CAC will begin a substantive review, which should take a maximum of 45 working days from the date of issuing a written acceptance of the application. Accordingly, in normal circumstances, the entire process of applying for and undergoing a Security Assessment might take up to 57 working days (approximately 2.5 months).

However, the Measures allow the CAC to extend the deadline for completing a Security Assessment “as appropriate” if the “case is complicated or there are materials to be supplemented or corrected…” This power to extend deadlines has not explicit upper limit.

Should a data processor object to Security Assessment results, it must apply for a reassessment within 14 working days of receiving the assessment results. Article 15 provides that the results of a reassessment are final.

Confidentiality obligations

Institutions and staff that participate in Security Assessments are legally bound to keep confidential any information that they learn during their Security Assessment work. This includes state secrets, personal privacy, personal information, trade secrets, confidential business information, and other data.

Liability

Where any organization or individual discovers that a data processor has conducted any outbound data transfer in violation of the Measures, they may report it to the CAC.

In the event that the CAC finds out that an outbound data transfer which passed a Security Assessment no longer comply with the Measures while implementing data transfers, it has the power to notify the data processor to stop making such transfers. Should the data processor need to continue making such transfers, it should make “rectification as required” before applying for a reassessment.

The implications of the CAC’s ability to stop previously approved transfers for non-compliance with the measures are unclear at this time. However, it may be the case that the CAC has an implied power of interpretation and construction in relation to data transfer contracts and can determine whether they are being correctly performed.

Violations of the Measures are punishable under the Cybersecurity Law, the Data Security Law, the PIPL, and other laws and regulations depending on the data processor, the data types and the nature of the violation. We note that violations of the PIPL attract the highest penalties, specifically, up to CNY 50 million or 5% of the violator’s revenue in the previous year. We note that on 21 July 2022, DiDi Global was fined CNY 8 billion for various data security violations. This suggests that the CAC is willing to issue large fines for violations of data laws.

Effective date and transitional period

The Measures will come into force on September 1, 2022. Data processors may only make relevant outbound transfers from 1 September 2022 after passing a Security Assessment. More specifically the CAC has stated: “The data processor can carry out data export activities in strict accordance with the declared items after receiving the written notification of passing the assessment.”

First, the application will not be accepted. For those that do not fall within the scope of the security assessment, after receiving a written notification from the national cybersecurity and informatization department, the data processor may carry out data export activities through other legal channels prescribed by law. The second is to pass the safety assessment. The data processor can carry out data export activities in strict accordance with the declared items after receiving the written notification of passing the assessment. The third is failing to pass the safety assessment. If the data export security assessment is not passed, the data processor shall not carry out the declared data export activities.

For outbound data transfers carried out before 1 September 2022, “rectification” shall be completed within 6 months after 1 September 2022. It is unclear if this means that the data processor must pass the Security Assessment within this 6-month grace period, or perhaps the submission of an application for Security Assessment within this period would be sufficient. Nevertheless, given these deadlines, possible delays, the 2022 spring festival holidays and other factors, we recommend that data processors should endeavour to submit their applications for Security Assessments as soon as possible.

Summary

The requirements for Security Assessment apparently add a layer of onerous compliance burdens to the operations of many businesses. The various thresholds of personal information that trigger Security Assessments are low and may affect many multinational companies doing business in China. These new requirements also create some uncertainty, particularly among entities that depend on cross-border transfers of data to conduct business. This uncertainty will not be resolved until the Measures take full effect and the processing of Security Assessments becomes standardised in practice.

Businesses that will likely be subject to the Security Assessment regime should act now –  take stock of their data flows, renegotiate their cross-border data transfer contracts and ensure that their data protection practices align with the requirements of the Measures and other Chinese laws and regulations. Businesses that operate in areas of higher risk may also wish to begin creating contingency plans in case they are prohibited from transferring certain data out of China.

Disclaimer

Nothing in this article is intended to be legal advice to its readers. This article was written for the purposes of academic discussion only. The views of its authors do not reflect the views of regulators.

Background

On 1 November 2021, the Personal Information Protection Law of the People’s Republic of China (“PIPL”) took effect and became the first Chinese law dedicated to protecting the personal information rights of individuals. However,     due to a lack of implementation regulations and clarity, many companies face a situation where they are unsure how to comply with the PIPL in some areas.

Nowhere is this more of an issue than with Article 38 of the PIPL, which provides several conditions (or legal paths)  that must be met before a cross-border data transfer may occur. According to Article 38, entities may send personal data to foreign recipients by taking one of the following legal paths:

Legal Path 1  Government Security Assessment: A security assessment organised by the national cyberspace authority has been passed by the entity in accordance with Article 40 of this Law;

Legal Path 2  Standard Contract: A contract in compliance with the standard contract provided by the national cyberspace authority has been concluded with the overseas recipient, establishing the rights and obligations of  both parties.

Legal Path 3  Certification: the entity has acquired a certification of personal information protection by a           professional certification institution in accordance with the regulations of the national cyberspace authority; and

On Legal Path 1 (Government Security Assessment), please see China Issues Cross-border Data Transfer Security Assessment Rules. For Legal Path 2 (Standard Contract), please see China Releases Draft Standard Contract for  Crossborder Data transfers and Crossborder data transfers: A Comparison of the EU and Chinese Standard

Contractual Clauses.

This article discusses China’s new rules on Legal Path 3 (Certification).

TC260 Issues Rules for Legal Path 3 (Certification)

On 24 June 2022, the National Information Security Standardization Technical Committee (also known as “TC260”)   issued its  “Technical Specifications for the Certification of CrossBorder Processing of Personal Information              (“Specifications”). The  Specifications state the criteria that MNCs or other economic or business entities and            overseas processors should meet to obtain certification as described in Article 38 of the PIPL (i.e., Legal Path 3). At a high level, TC260’s  Specifications seem to describe something like the Binding Corporate Rules (“BCRs”) under the  GDPR.

Please note that the Specifications are not compulsory. In other words, parties to cross-border personal information transfers can decide if they want to go through this Legal Path 3 and obtain certification or go through other Legal    Paths as they think appropriate to legitimatise their cross-border data transfers. However, if they choose to put   themselves under this certification regime, the rules under the Specifications are binding on them and relevant   certification institutions.

Applicability of the Specifications

The  Specifications describe certification scenarios, certification applicants and those who should bear responsibility  for cross-border personal information transfers. Within an MNC, one of its entities in China can apply for certification and undertake to assume legal responsibility for the MNC’s global organisation, while for an overseas entity having a not substantial presence in China, its specialised agency or designated representative in China can apply for   certification and undertake to bear legal responsibility for the overseas entity.

Legally Binding Documents

Parties to cross-border personal information processing activities must sign legally binding and enforceable  documents (“LBDs”) to ensure that the rights and interests of individuals are fully protected. At a minimum, LBDs should contain:

  1. The relevant parties involved in cross-border personal information processing;
  2.  The purpose of cross-border personal information processing and the types and scope of personal information;
  3.   Measures to protect the rights and interests of individuals;
  4.  Undertakings by each party to comply with uniform personal information processing rules and ensure that thelevelof personal information protection is not lower than the standards stipulated by relevant Chinese laws and regulations on the protection of personal information;
  5. Undertakings to accept the supervision of certification bodies;
  6.    Provisions stating that relevant Chinese laws and regulations on the protection of personal information governthe arrangements;
  7.  Details of the organisational bodies that will bear legal responsibility within China; and
  8.  Provisionsforcompliance with other legal and regulatory obligations.

Uniform Processing Rules

Uniform processing rules, described in 4. above, must contain:

  •   Theparticularsof cross-border personal information processing, including the type, sensitivity, quantity, etc., of personal information;
  • The purpose, method, and scope of cross-border personal information processing;
  •   Thestartand end time of overseas storage of personal information and the processing method after expiration;
  • Transitcountries involved in cross-border personal information processing;
  •   Resources and measures required to protect the rights and interests of individuals; and
  •    Rulesforcompensation and disposal of personal information security incidents.

DPO

Both the data exporter and foreign data importer must appoint a person to take charge of personal information protection. The persons in charge must have relevant knowledge and experience and be a part of the decision-  making level of their entity. Their duties include:

  •    Clarifyingorganisationalpersonal information protection objectives, basic requirements, work tasks, and protection measures;
  •  Ensuring the availability of human resources, financial support and materials for personal information protection withinthe organisation;
  •    Guidingandsupporting relevant personnel in carrying out the organisation’s personal information protection efforts and ensuring that personal information protection efforts achieve the expected goals; and
  •    Reportingto the organisation’s leaders on personal information protection and promoting the continuous improvement of personal information protection efforts.

Personal Information Protection Organisation

Both the data exporter and foreign data importer should set up personal information protection internal organisations that are tasked with preventing “unauthorised access and leakage, falsification and loss of personal information” and undertaking the following duties:

  •    Formulatingandimplementing plans for cross-border personal information processing;
  •    Organising and carrying out personal information protection impact assessments (“PIPIAs”);
  •    Supervisingcross-borderpersonal information transfers under rules agreed to by the relevant parties; and
  •    Acceptingandhandling requests and complaints from data subjects.

Personal Information Protection Impact Assessments (PIPIAs)

Specification is provided on what a PIPIA should contain in cross-border transfer scenarios. In particular, a PIPIA must cover:

  1.   Whethertheprovision of personal information to overseas countries complies with laws and administrative regulations;
  2. The impact on the rights and interests of individuals;
  3.   Theimpactof the legal environment and network security environment of overseas countries and regions on the rights and interests of individuals;
  4.  Other matters necessary to safeguard the rights and interests of personal information.

Items 2. and 4. above mirror the requirements of the PIPL, while Items 1. and 3. are more specific to cross-border     transfer impact assessments and suggest the need for specialised country-by-country transfer impact assessments   similar to those used for GDPR purposes. For Item 3 ., we note that the precise meanings of “legal environment” and “network security environment” are currently unclear.

Individual Rights

Individuals have various rights over their personal information under the PIPL. Those rights include a right to access, right to correct, right to complete, right to erasure, right of portability and right to refuse processing. In addition to  those rights, the  Specifications provide that individuals are beneficiaries of LBDs and have the right to request a       copy of the relevant LBD provisions relating to individuals’ legal rights and interests.

Being a beneficiary to LBDs might, theoretically, increase the range of rights available to individuals over and above those found in the PIPL. This is especially so if MNCs operating in multiple jurisdictions take a unified highest            standard approach to personal information protection at a global level.

The right to access relevant LBD provisions raises issues from a confidentiality perspective. Thus, it would be wise to stipulate such matters in a standalone document to ensure that disclosures to individuals remain appropriate.

The  Specifications also provide that individuals should be allowed to litigate in the Chinese courts of their habitual place of residence against the parties to the cross-border data transfers.

Obligations of the Parties to CrossBorder Data Transfers

The provisions within the  Specifications on processor obligations generally reflect the terms of the PIPL. However, further requirements are imposed on parties to cross-border data transfers, including:

  •    Whensituationsarise where it is difficult to ensure the security of personal information transferred across borders, such processing must be “promptly terminated”.
  •   Theresponsibleparty in China should compensate individuals for breaches arising in the context of cross-border data processing activities.
  •   Thepartiesto cross-border data transfer activities should undertake to follow Chinese data protection laws,     accept their application and enforcement, and cooperate with Chinese regulators’ enforcement activities, such as answering their inquiries and accepting routine inspections.

Conclusions

The  Specifications make Legal Path 3 (Certification) of Article 38 of the PIPL possible – though not fully actionable as China has not published a list of certification institutions to handle certification applications from entities.  Nevertheless, the Specifications have provided a skeleton of the certification regime for cross-border data transfers. We believe that the Chinese authorities may issue regulations, and TC260 may also issue further guidance to  substantiate this certification regime.

It should be noted that, while an entity can choose between Legal Path 3 (Certification) and Legal Path 2 (Standard Contract) to legitimatise its cross-border data transfers, Legal Path 1 (Government Security Assessment) is not

optional – as long as statutory triggers exist, an entity will have to participate in a Security Assessment by the CAC

(For more information see China Issues Crossborder Data Transfer SecurityAssessment Rules).

At this stage, it is difficult to forecast if Legal Path 3 (Certification) would be more popular than Legal Path 2   (Standard Contract). In addition to signing a cross-border data transfer contract, the Specifications essentially require that both the data exporter and the overseas data recipients are subject to a set of unified data protection rules   which are aligned with Chinese laws and subject to Chinese regulators’ supervision. We believe the compliance  efforts would be more costly than “simply” signing the Standard Contract. However, it is possible that this   certification path might be welcomed by some companies who see certification as a type of status or quality mark to signal to consumers that their personal information will be protected to higher standards.

As cross-border data transfers are a rapidly developing area of law, MNCs and overseas processors processing the personal information of people in China are advised to monitor developments in this area closely .

On 30 June 2022, the Cyberspace Administration of China (“State Internet Information Department” or “CAC“)  issued the Draft Provisions on Standard Contracts for the Export of Personal Information (“Draft Provisions“) for public consultation. The deadline for feedback is 29 July 2022.

The Draft Provisions contain a draft Standard Contract for the Export of Personal Information (“Standard Contract“).  The Standard Contract consists of nine articles and two appendices.

This article provides an in-depth analysis of the articles in the Draft Provisions and their potential impact on multinational companies.

Provisions on Standard Contract on the Export of Personal Information (Draft for Public Consultation)

Article 1: These Provisions are formulated on the basis of the “Personal Information Protection Law of the People’s Republic of China” so as to standardise personal information export activities, protect personal information rights  and interests, and promote the safe and free flow of personal information across borders.

Article 2: Where personal information processors conclude contracts with overseas recipients to provide personal    information outside the territory of the People’s Republic of China in accordance with subparagraph (3) of the first   paragraph of Article 38 of the “Personal Information Protection Law of the People’s Republic of China”, they shall   follow these Provisions to sign a standard contract for the export of personal information (hereinafter referred to as “Standard Contracts“). Other contracts concluded between the personal information processor and the overseas  recipient related to the outbound activities of the personal information shall not conflict with the standard contract.

Analysis of Articles 1 and 2:

1. Articles 1 and 2 explain the purpose and legal basis for formulating the Draft.

2. Article 2 provides: “Other contracts concluded between a personal information processor and an overseas recipient related to the outbound activities of personal information must not conflict with the Standard Contract. ”

3. This means that, in addition to signing the Standard Contract with an overseas recipient, a Chinese enterprise that chooses to use a Standard Contract also needs to:

a) check other contracts it has signed with the overseas recipient related to the export of personal information to ensure that they do not conflict with the Standard Contract, and supplement or modify such other contracts according to the actual situation; and

b) clearly state in other contracts that in the event of a conflict with the terms of the Standard Contract, the Standard Contract prevails.

Article 3: Those carrying out personal information export activities on the basis of standard contracts shall adhere to a combination of independent contracting with file management to prevent security risks to the export of personal  information and ensure the orderly and free flow of personal information in accordance with the law.

Analysis of Article 3:

1. According to the expression “independent contracting” in Article 3, signing a Standard Contract is not a mandatory legal obligation. However, enterprises should note that for all data export paths permitted under Article 38 of the Personal Information Protection Law (“PIPL”), Chinese enterprises and overseas recipients must either sign (i) Standard Contracts, (ii) other similar contracts or (iii) legally binding and enforceable documents. See our analysis of Articles 4 and 5 below for details.

2. For the “file management” requirement, see our analysis of Article 7 below.

Article 4: Where personal information processors meet all the following criteria, they may provide personal information overseas by signing a standard contract:

(1) Non-critical information infrastructure operators;

(2) Handling less than 1 million persons’ personal information;

(3) Cumulative provision of personal information of less than 100,000 people overseas since 1 January of the previous year;

(4) Cumulative provision of sensitive personal information of less than 10,000 people outside the country since 1 January of the previous year.

Analysis of Article 4:

  1. Under Article 4, a processor of personal information who meets the relevant requirements “may”, as opposed

to “must“, sign a Standard Contract to legalise the export of personal information. This is because Article 38 of the PIPL stipulates several different legal paths for personal information to leave China. They include:

(1) Critical information infrastructure operators and personal information processors handling personal  information that reach the number of personal information processors provided for by the state network information departments for outbound conduct shall pass a security assessment organised by the state   network information departments;

(2) Conduct personal information protection certification through professional bodies in accordance with the provisions of the state network information departments;

(3) Conclude a contract with an overseas recipient in accordance with a standard contract formulated by the State Internet Information Department, stipulating the rights and obligations of both parties;

(4) Other requirements provided for by laws, administrative regulations, or the State Network Information Department.

  1. According to the above provisions, Chinese enterprises that are not “criticalinformation infrastructure              operators and personal information processors who process personal information to the amount prescribed by the State Internet Information Department” may (i) sign the Standard Contract or (ii) obtain personal                 information protection certification through a professional body to transfer personal information overseas.
  2.  Therefore, for Chinese enterprises that choose path (ii), signing a Standard Contract is not required. However, it shouldbe noted that although a Chinese enterprise that chooses path (ii) does not need to sign a Standard   Contract, it will still need to sign a “legally binding and enforceable document” with the overseas recipient in      accordance with the Technical Specification for the Certification of Cross-border Processing Activities of  Personal Information, which was officially issued by the National Information Security Standardization Technical Committee (also known as TC260) on 24 June 2022. Such a document should at least specify the following:
  3. a)Personaldata processors and overseas recipients carrying out cross-border personal information processing activities;
  4. b)Thepurpose of cross-border processing of personal information and the types and scope of personal information;
  5. c)Measuresto protect the rights and interests of Personal Information Subjects;
  6. d)Theoverseas recipient undertakes to comply with the unified rules for the cross-border handling of        personal information, and ensures that the level of personal information protection is not lower than the  standards stipulated by the relevant laws and administrative regulations of the People’s Republic of China on the protection of personal information;
  7. e)Theoverseas recipient undertakes to accept the supervision of the certification body:
  8. f)Theoverseas recipient undertakes to accept the jurisdiction of the laws and administrative regulations of the Peoples Republic of China on the protection of personal information;
  9. g)Clearlydefine the organisations that bear legal responsibility within the territory of the People’s Republic of China:
  10. h)Otherobligations stipulated by laws and administrative regulations that shall be 
  11. Article 4 clearly restricts the application of Standard Contracts and prohibits their use in circumstances where:
  12. a)     Criticalinformationinfrastructure operators export personal information;
  13. b)     Personalinformationprocessors have processed the personal information of more than 1 million people;
  14. c)     The cumulative export of personal information exceeds 100,000 people since 1 January of the previous year;and
  15. d)    Thecumulativeexport of sensitive personal information exceeds 10,000 people since 1 January of the previous
  16. 8.     Those circumstances are the personal information export activities of “criticalinformationinfrastructure            operators and personal information processors who handle the number of personal information specified by the state network information department“, as stated in Articles 38 and 40 of the PIPL. Such transfers should be      preceded by an application for a Security Assessment under the Measures for Security Assessment of Data         Export (Draft) (29 October 2021) rather than the signing of a Standard Contract.
  17. Several categories of Chinese enterprises that should apply for security assessments do not need to legalise    theirpersonal information exports by signing a Standard Contract. Instead, and according to the Measures for Security Assessment of Data Export (Draft for Comments), they should sign a contract with the overseas           recipient that includes but is not limited to the following:

(1) The purpose, method, and scope of data exported, and the purpose and method of processing data by overseas recipients;

(2) The place and period of time for which the data is kept overseas, as well as measures for handling     outbound data after the retention period is reached, the agreed purpose is completed, or the contract is terminated;

(3) Restrictive clauses restricting overseas recipients from transferring outbound data to other organisations or individuals;

(4) The security measures that the overseas recipient shall adopt when there is a substantial change in its actual control or business scope, or when the legal environment of the country or region in which it is       located makes it difficult to ensure data security;

(5) Liability for breach of contract and binding and enforceable dispute resolution clauses for breach of data security protection obligations;

(6) When risks such as data leakage occur, properly carry out emergency response, and ensure smooth channels for individuals to safeguard personal information rights and interests.

  1. Article4 is also consistent with Article 38 of the PIPL, which only stipulates that “personal information   processors” may sign the “Standard Contract“. However, it does not explicitly address whether “entrusted   processors” under the PIPL can or should sign the Standard Contract. For readers more familiar with the GDPR, “personal information processors” are roughly equivalent to data controllers, while the concept of “entrusted  processors” is roughly equivalent to data processors.
  2.   In servingclients, wehave observed that some business models involve data transfers from (i) a Chinese   personal information processor to (ii) a domestic entrusted processor to (iii) an overseas sub-processor.  Domestic personal information processors and domestic entrusted processors often disagree over which party should sign the Standard Contract with the overseas sub-processor.
  3.  Webelievedomestic personal information processors should usually bear the primary obligation for signing a  Standard Contract containing a clear mechanism describing the parties’ obligations and responsibilities with an overseas subcontractor to enable a domestic entrusted processor to provide data to said overseas  subcontractor.
  4.  Analternativeapproach would be for a domestic personal information processor, domestic entrusted processor and overseas subcontractor to sign a tripartite Standard Contract. However, this would require further clarity     regarding the mechanism for domestic entrusted processors to provide data to overseas subcontractors and each party’s contractual obligations and responsibilities.

Article 5: Before personal information processors provide personal information overseas, they shall carry out a personal information protection impact assessment in advance, focusing on the following content:

(1) The legality, legitimacy, and necessity of the purpose, scope, and methods of processing personal information by personal information processors and overseas recipients;

(2) The quantity, scope, type, and sensitivity of outbound personal information, and the risks that personal  information may bring to the rights and interests of personal information that may be brought about by the export of personal information;

(3) The responsibilities and obligations undertaken by the overseas recipient, as well as whether management and technical measures and capabilities for performing responsibilities and obligations can ensure the security of outbound personal information;

(4) The risk of personal information being leaked, damaged, altered, or abused after leaving the country, and  whether the channels for individuals to safeguard personal information rights and interests are unobstructed, and so forth;

(5)The impact of personal information protection policies and regulations on the performance of standard contracts in the country or region where the overseas recipient is located;

(6) Other matters that might affect the security of personal information leaving the country.

Analysis of Article 5:

  1.   Article5 refinesthe requirements for personal information protection impact assessments before exporting personal information under the PIPL by providing additional detail and specification.
  2.   It is worth noting that Chinese enterprises need to assess “theimpact of personal information protection policies and regulations of the country or region where the overseas recipient is located on the performance of standard  contracts“, which is not a small task. Going forward, Chinese enterprises will need to rely more heavily on advice from overseas legal professionals and assistance from overseas recipients.

Analysis of Article 6:

  1.   Article6 providesan overview of the Standard Contract. Regarding the specific content of the Standard

Contract, we will analyse and interpret it separately.

Article 7: Personal information processors shall file a record with the provincial-level internet information department for the area where they are located within 10 working days of the standard contract taking effect. The following materials shall be submitted for filing:

(1) standard contracts;

(2) personal information protection impact assessment reports.

The personal information processor is responsible for the authenticity of the materials filed. After the standard contract takes effect, the personal information processor may carry out personal information export activities.

Analysis of Article 7:

  1.     TheArticle7 filing provisions are new legal requirements without any precedent in the PIPL. The Standard Contract and the personal information protection impact assessment report on the export of personal       information will need to be filed with the government.
  2.     Consideringthatmany enterprises will need to make filings, national administrative resources are limited, and other factors, filing management within provincial CACs may only consist of formality reviews. Based on           informatisation trends in China, the CAC may establish an online filing system to facilitate filings.

Article 8: Where any of the following circumstances occur during the validity period of a standard contract, the personal information processor shall re- sign the standard contract and file it for the record:

(1) Where the purpose, scope, type, sensitivity, quantity, method, retention period, storage location, and purpose or method of handling personal information handled by overseas recipients change, or extend the period for personal   information to be retained abroad;

(2) Where changes in personal information protection policies and regulations in the country or region where the overseas recipient is located may affect personal information rights and interests;

(3) Other circumstances that might affect the rights and interests of personal information.

Analysis of Article 8:

  1.    Consideringtherequirements of Articles 5 and 6 above, the content of Article 8 seems reasonable at face value.
  2.    However, determiningwhetherthe “personal information protection policies and regulations ofthe country or  region where the overseas recipient is located” has “changed” and “may affect the rights and interests of  personal information” is a big challenge for even the largest multinational enterprises. It seems that Chinese      enterprises will be expected to keep abreast of changes in policies and regulations related to overseas personal information protection. This may require them to retain overseas legal professionals on an ongoing basis.
Article 9: Institutions and personnel participating in the filing of standard contracts shall preserve the confidentiality of personal privacy, personal information, commercial secrets, confidential business information, and so forth that  they learn of in the course of performing their duties, and must not leak or illegally provide or use them to others.

Analysis of Article 9:

  1.    Some enterprises, especiallymultinationalenterprises, may have concerns about whether the Standard Contract and the personal information protection impact assessment report filing mechanism may cause information leakages. Article 9 seems to be an attempt to pre-empt such concerns.
  2.   Theexpression”confidential business information” has also appeared in the Measures for the Security  Assessment of Data Export (Draft for Public Consultation). How the CAC will define it in practice remains to be seen.
Article 10: Where any organisation or individual discovers that a person handling personal information has violated these Provisions, they have the right to make a complaint or report to the provincial level Internet information  department.

Analysis of Article 10:

  1.    Complaintsandreports may come from a personal information processor’s (possibly disgruntled) employees or Personal Information Subjects.
  2.   Wespeculatethat, in the future, the CAC could publish lists of enterprises that have completed the filing procedures and that Personal Information Subjects could use such lists to determine whether a personal information processor has fulfilled its filing obligations to make targeted reports.
Article 11: Where provincial-level Internet information departments discover that personal information outbound     activities through the signing of standard contracts no longer meet the requirements for security management of personal information export in the course of actual processing, they shall notify the personal information processors in writing to terminate personal information export activities. Personal information processors shall immediately   terminate personal information export activities upon receipt of the notice.

Analysis of Article 11:

  1.   Asmentionedabove, many enterprises may need to make filings, and state resources are limited. As such, filing management by the CAC may only consist of a formality review. However, given the content of Article 11,  provincial-level CACs may also adopt methods such as spot checks, focusing on specific enterprises or industries

and making investigations based on whistle-blowing leads to conduct targeted substantive reviews of outbound personal information transfers.

Article 12: Where personal information processors follow these Provisions to conclude standard contracts with  overseas recipients to provide personal information overseas, and any of the following circumstances occur, the       provincial-level Internet information department is to follow the provisions of the “Personal Information Protection Law of the People’s Republic of China” to order corrections within a time limit; Where they refuse to make  corrections or harm the rights and interests of personal information, order them to stop activities of exporting  personal information, and punish them in accordance with law; Where a crime is constituted, criminal responsibility is to be pursued in accordance with law.

(1) Failing to perform filing procedures or submitting false materials for filing;

(2)Failing to perform the responsibilities and obligations stipulated in the standard contract, infringing on the rights and interests of personal information, causing harm;

(3) Other circumstances affecting the rights and interests of personal information arise.

Analysis of Article 12:

  1.    Itisworth noting that a “failure to sign the Standard Contract” is not a violation of these Provisions. However, as discussed above, the legal paths for exporting personal information are limited to those stipulated in Article 38   of the PIPL, which are:

(1) Critical information infrastructure operators and personal information processors handling personal  information that reach the number of personal information processors provided for by the state network information departments for outbound conduct shall pass a security assessment organised by the state   network information departments;

(2) Conduct personal information protection certification through professional bodies in accordance with the provisions of the state network information departments;

(3) Conclude a contract with an overseas recipient in accordance with a standard contract formulated by the State Internet Information Department, stipulating the rights and obligations of both parties;

(4) Other requirements provided for by laws, administrative regulations, or the State Network Information Department.

  1.    IfaChinese enterprise fails to sign a Standard Contract and fails to meet the requirements of other personal      information export routes, it will not be punished for violating the provisions of Article 12. However, it will have violated Article 38 of the PIPL and may need to bear legal liability.
Article 13: These Provisions shall take effect as of

Analysis of Article 13:

  1.   Wehopethat when the CAC issues the final version of the above provisions, it will fully consider the time required for enterprises to comply with the new regulations (legal analysis, translation, negotiation with  overseas recipients, etc.) and provide a reasonable time for enterprises to comply before the official         implementation date.

On 7 July 2022, the Cyberspace Administration of China (“CAC“) issued the Measures for the Security Assessment of  Outbound Data Transfers (“Measures“), which will take effect on 1 September 2022. The Measures underwent three rounds of public consultation in 2017, 2019 and 2021 before they were finalised.

In its final form, the Measures contain 20 articles. We have identified 11 topics within the Measures that cover:

No. Topic Articles
1. Purpose and scope 1 & 2
2. Important data 19
3. Security assessment triggers 4 & 14
4. Data transfer legal documents 9
5. Self-assessments 5
6. Security assessment applications 6
7. Security assessments 3, 8, 10, 11 & 14
8. Security assessment timescales 7, 12 & 13
9. Confidentiality obligations 15
10. Liability 16, 17 & 18
11. Effective date and transitional period 20

In the following, we shall discuss each of the topics that we have identified in turn.

Purpose and Scope  Articles 1 & 2

The stated purpose of the Measures is “to regulate outbound data transfer activities, protect personal information rights and interests, protect national security and social and public interests, and promote a safe and free flow of   data across borders” (Article 1).

Article 2 goes on to state that the measures apply to security assessments of outbound data transfers involving important data and personal information collected and generated by data processors through their operations in     China. Based on Article 2, it seems that the Measures do not apply to personal information collected and generated by data processors from outside of China.

Important Data  Article 19

The Measures contain a definition of important data in the context of outbound data transfers. Important data is a nebulous concept in Chinese laws and regulations which requires further elaboration by the CAC and relevant industry regulators. For now, the term has only been further defined in the field of automotive data and in a few    draft regulations. Below we compare the definition in the Measures with the core of the definition in the Several    Provisions on Vehicle Data Security Management (Trial) (“Trial Provisions“).

Measures for the Security         Assessment of Outbound Data Transfers Several Provisions on Vehicle Data Security Management   (Trial) Comments

For the purposes of these Measures, the term “important data” means any data, the tampering, damage, leakage, or illegal acquisition or use of which, if it happens, may endanger national security, the operation of the economy, social stability, public health and security, etc.

The term “important data” refers to any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may lead to endangerment of national security or public interests, or infringement of the lawful rights and interests of an individual or organisation, including the following data:

[Examples omitted]

Both definitions are risk-based, though the consequences that they consider differ slightly. We have made bold the more significant differences.

As the CAC was involved in the preparation of both regulations, the differences suggest that the definition of important data will generally be: data that, if breached, may endanger the interests of the nation, public or persons.

Security Assessment Triggers  Articles 4 & 14

An entity must declare intended outbound data transfers by a data processor to provincial CACs and seek security assessments if the data processor:

1)   intends to transfer important data;

2)   is a Critical Information Infrastructure operator (“CIIO“) intending to transfer personal information;

3)  is a personal information processor who has processed the personal information of over 1 million people;

4)  has cumulatively made outbound transfers of the personal information of over 100 thousand people since 1 January of the previous year;

5)  has cumulatively made outbound transfers of the sensitive personal information of over 10 thousand people since 1 January of the previous year; and

6)   falls within other situations prescribed by the CAC.

Whether companies will be regarded as CIIOs remain unclear in many industries. Despite the uncertainty in existing and future regulations,a more straightforward judgement would be that a company is not a CIIO unless it has been notified by a competent authority that it has been identified as a CIIO.

It is understood that many companies would prefer to see a rise in the threshold transfer volumes of personal information that trigger security assessments.

Security assessments can also be retriggered in one of the following circumstances:

1)  there is a change in the particulars of processing by the overseas recipient, which will affect the security of the data, or the period for retaining data is to be extended;

2)  there is any change in the data security protection policies and legislation and cybersecurity environment, or a force majeure event occurs where the overseas recipient is located,

3)  there is a change in the actual control of the data processor or overseas recipient or any change to the data transfer agreement, which will affect the security of the outbound data; or

4)   any other circumstance exists that may affect the security of the data.

Data Transfer Legal Documents  Article 9

The Measures state that the legal documents between the data exporter and data importer for outbound data transfers should cover:

1)   the purpose and method of the outbound data transfer, the scope of data, and the purpose and method of the data processing;

2)   the data retention place and period, and obligations when the retention period expires, the transfer purpose completes, or the agreement is terminated;

3)   restrictions against onwards transfers of outbound data to others;

4)  security measures to be adopted when material changes occur in relation to the overseas recipient, the  legal, regulatory environment and cybersecurity environment of the destination country, or a force majeure event occurs that makes it difficult to ensure data security;

5)   remedial measures, liability for breach of contract and dispute resolution in the event data security protection obligations are breached; and

6)  requirements for proper emergency disposal and ensuring the channels and ways for individuals to safeguard their personal information rights and interest when data is exposed to the risk of security breaches.

On a related note, the CAC also issued the Draft Provisions on Standard Contracts for the Export of Personal Information on 30 July 2022, which also deal with outbound data transfers and contains a draft Standard Contract   that was prepared for use in situations that would not trigger the security assessments under the Measures. While they certainly have some similarities, companies should not assume that signing the Standard Contract would meet the requirements in the Measures.

Selfassessments  Article 5

After a security assessment is triggered, but before a security assessment application is made, a data processor    should conduct a self-assessment. Data processors need to address the following factors during self-assessments:

1)   the legality, legitimacy and necessity of the transfer and the purpose, scope and manner of data processing by the overseas recipient;

2)   the quantity, scope, type and sensitivity of the outbound data, and the risks the outbound data might pose to national security, public interests, and the lawful rights and interests of individuals and organisations;

3)  whether the responsibilities and obligations undertaken by the overseas recipient and the management and technical measures and capabilities of the overseas recipient to perform such responsibilities and obligations can ensure the security of the outbound data;

4)   the risk of the outbound data suffering from data breaches, including unauthorised onward transfers, during and after the outbound data transfer, and whether individuals have smooth channels to safeguard their rights and interests in their personal information and other data;

5)  whether data security protection responsibilities and obligations are sufficiently stipulated in the data transfer agreement or other documents; and

6)   other matters that may affect the security of the outbound data transfer.

Some of the factors described above are also subjects of the personal information protection impact assessment  (“PIPIA“) required under the Personal Information Protection Law (“PIPL“). We believe it would be cost-effective for  companies to consider all assessment factors under both the PIPL and the Measures and make one consolidated self- assessment.

Security Assessment Applications  Article 6

Applications for security assessments should contain:

1)   an application form;

2)   a self-assessment report;

3)   a copy of the outbound data transfer agreement; and

4)   other materials required by the CAC.

Security Assessments  Articles 3, 10, 8, 11 & 14

According to Article 3 of the Measure, a security assessment of outbound data transfers should combine ex-ante assessment and ongoing supervision and self-assessment and security assessment.

The substantive content of a security assessment by the CAC overlaps significantly with the above-mentioned self- assessments, except for the following matters:

1)   the impact of data security protection policies and legislation and the cybersecurity environment of the         country or region where the overseas recipient is located on the security of the outbound data; whether the data protection level of the overseas recipient meets the requirements of Chinese laws and administrative   regulations and the mandatory national standards;

2)  the compliance with China’s laws, administrative regulations and departmental rules; and

3)   other matters to be assessed the CAC deems necessary.

We note that item 1) above seems to describe something which is similar to the “transfer impact assessment” in the EU and that data processors are not expected to cover such things in their self-assessment report. As government    departments have limited resources, we doubt that they will make such assessments on a case-by-case basis.  Accordingly, we wonder whether a central transfer impact assessment list exists at this time, whether it will become accessible in the future, and how it will be managed and updated.

The CAC can terminate security assessments if the CAC requires additional materials and a data processor refuses to submit them.

Under Article 14, the results of a security assessment are valid for two years unless a retriggering event occurs. Data processors will need to apply for a reassessment after expiration.

Security Assessment Timescales  Articles 7, 12 & 13

Security assessment applications need to be submitted to the relevant provincial CAC, which should confirm the        completeness of documents within a maximum of 5 working days. Then the application documents will be provided to the central CAC for substantive review, which should take a maximum of 45 working days from the date of issuing a written acceptance of the application. Accordingly, in normal circumstances, the entire process of applying for and undergoing a security assessment might take up to 50 working days (approximately 2.5 months).

However, the Measures allow the CAC to extend the deadline for completing a security assessment “as appropriate” if the “case is complicated or there are materials to be supplemented or corrected…”

If a data processor objects to the assessment results, it should apply for a reassessment within 14 working days of the receipt of the assessment results. According to Article 15, the results of a reassessment are final.

Confidentiality Obligations  Article 15

Institutions and staff that participate in security assessments must keep confidential, as required by law, any   information that they learn during their work. This includes any state secret, personal privacy, personal information, trade secret, confidential business information, and other data.

Liability  Articles 16, 17 & 18

Any person may report violations of the Measures to the CAC.

If the CAC discovers outbound data transfers that have passed a security assessment no longer conform to the  Measures during the implementation of data transfers, it may notify the data processor to terminate such transfers. If the data processor needs to continue making such transfers, it should make “rectification as required” before

applying for a reassessment. The full implications of this are unclear at this time, but it suggests that the CAC may     eventually interpret or construe data transfer agreements and decide whether they are being properly performed,   or they might attach conditions to the transfers following their assessments or both.

Violations are to be dealt with under the Cybersecurity Law, the Data Security Law or the PIPL, and other laws and     regulations depending on the data processor, the data and the nature of the violation. We note that violations of the PIPL may attract the highest penalties, specifically, up to CNY 50 million or 5% of the violator’s revenue in the  previous year.

Effective Date and Transitional Period  Article 20

The Measures take effect on 1 September 2022. This means that any relevant outbound transfers from 1 September 2022 should only be carried out after data processors have passed security assessments. For outbound data transfers carried out before 1 September 2022, “rectification” shall be completed within 6 months after 1 September 2022. It is unclear if this means that the data processor must pass the security assessment within this 6-month grace period, or perhaps the submission of an application for security assessment within this period would be sufficient.     Nevertheless, given these deadlines, possible delays, the 2022 spring festival holidays and other factors, werecommend that data processors should endeavour to submit their applications for security assessments as soon as  possible.

Summary

The requirements for security assessment apparently add a layer of onerous compliance burdens to the operations of many businesses. The various thresholds of personal information that trigger security assessments are low and   may affect many multinational companies doing business in China. These new requirements also create some  uncertainty, particularly among entities that depend on cross-border transfers of data to conduct business. This uncertainty will not be resolved until the Measures take full effect and the processing of security assessments becomes standardised in practice.

Businesses that will likely be subject to the security assessment regime should act now –  take stock of their data flows, renegotiate their cross-border data transfer contracts and ensure that their data protection practices align     with the requirements of the Measures and other Chinese laws and regulations. Businesses that operate in areas of higher risk may also wish to begin creating contingency plans in case they are prohibited from transferring certain   data out of China.

After 14 years of enforcement of China’s Anti-Monopoly Law (the “AML”) since 2008, the Standing Committee of the National People’s Congress of China has amended the AML after a two-year review with several rounds of deliberations and issued a new version (“the New AML”) on June 24, 2022. In addition to updating the rules regulating monopoly agreements and abuse of dominance, noteworthily, the New AML brings substantial changes to the merger control rules and procedures, such as introducing the “stop-the-clock” mechanism, establishing the categorized and classified merger control system and others.

Shortly after the promulgation of the New AML, a package of regulations sprang up, like bamboo shoots. On June 27, 2022, SAMR subsequently published several draft amendments of the implementation regulations for public comments, the draft implementation rules regarding notification threshold (“Threshold Rules”) and review of concentration of undertaking (“Review Rules”) are included. And uncoincidentally, with the aim to echo the categorized and classified merger control system in the New AML, SAMR Announcement Regarding Pilot Delegation of Anti-Monopoly Review of Certain Concentration of Undertakings Cases (the “Announcement”) was issued on July 15, 2022. The table below shows the status of the above four legislations.

No.

 Laws and Regulations Status
1 The New AML Will take effect on August 1, 2022
2 Threshold Rules Under the way of soliciting public comments, ended July 26, 2022
3 Review Rules Under the way of soliciting public comments, ended July 26, 2022
4 The Announcement Will take effect on August 1, 2022

While the Threshold Rules and Review Rules are still at the stage of soliciting public opinions, we believe changes reflected in the above legislation and draft legislations have plentiful implications to companies operating business in or related to China. Therefore, this article intends to snapshot those key changes to China’s merger control regime, to the benefits of companies that are frequently obliged to file the antitrust notification in China.

1.Imminent change of the filing thresholds

The former turnover thresholds have remained unchanged since the AML was promulgated in 2008 despite significant economic growth in China. Therefore, it has been criticized for being too low and thus these comparably low thresholds increased the number of transactions that are obliged to be notified to SAMR each year. This time, SAMR proposes to increase the turnover threshold to adapt to the country’s economic development. In the meantime, it is noteworthy that a brand-new threshold category was introduced. Specifically, the proposed new filing thresholds are:

  • The aggregated global turnover of all concentration undertakings in the last fiscal year exceeds RMB 12 billion(approx. USD 1.8 billion) (increased from RMB 10 billion), and at least two of these undertakings each had a turnover of more than RMB 800 million (approx. USD 120 million) (increased from RMB 400 million) within the territory of the PRC; or
  • The aggregated turnover of all the concentration undertakings exceeds RMB 4 billion(approx. USD 600 million) (increased from RMB 2 billion) within the territory of the PRC, and at least two of these undertakings each had a turnover of more than RMB 800 million (approx. USD 120 million) (increased from RMB 400 million) within the territory of the PRC; or
  • An undertaking that has a Chinese turnover of more than RMB 100 billion(approx. USD 15 billion) in the last fiscal year; and the other undertaking in a merger or the target in an acquisition had a market value or market valuation of more than RMB 800 million (approx. USD 120 million), plus its turnover within the territory of PRC is more than one-third of its global turnover.

With the increase of the turnover thresholds, SAMR may be able to better focus its limited administrative resources on complex cases. Also, it can be estimated that certain small companies with low revenue could be relieved from the filing obligation if the increased turnover thresholds are adopted in the end.

Compliance tips:

  • Companies should be reminded to apply the new filing thresholds after they are finally determined and become effective and pay attention to the rules about transition period.
  • The newly introduced filing threshold would impose large companies with a Chinese turnover of more than RMB 100 billion an additional obligation. They should pay close attention to their transactions with innovative targets who have the required revenue and market value (market valuation) as the transactions in this kind could be largely notifiable before SAMR.

2.Categorized and classified merger control system

The New AML adds a declaratory provision that SAMR should complete and perfect a categorized and classified merger control system, strengthening the review of concentrations in critical areas concerning national development and livelihood.

The Announcement details the above provision and specifies that, SAMR is to start delegating part of its function on reviewing simple cases to five local antitrust regulators, namely the respective Administrations for Market Regulation (“AMR”) of Beijing, Shanghai, Guangdong, Chongqing and Shaanxi Province. The five local AMRs will start to handle simple case filings where one of the notifying parties, the proposed-established JV, or the relevant geographic markets defined have nexus in the respective region as early as August 1, 2022, when the New AML will take effect.

No. Local AMRs Responsible Regions
1 Beijing AMR Beijing, Tianjin, Hebei, Shanxi, Inner Mongolia, Liaoning, Jilin, Heilongjiang
2 Shanghai AMR Shanghai, Jiangsu, Zhejiang, Anhui, Fujian, Jiangxi, Shandong
3 Guangdong AMR Guangdong, Guangxi, Hainan
4 Chongqing AMR Henan, Hubei, Hunan, Chongqing, Sichuan, Guizhou, Yunnan, Tibet
5 Shaanxi AMR Shaanxi, Gansu, Qinghai, Ningxia, Xinjiang

The below chart illustrates the workflow among the notifying party(ies), SAMR and local AMRs who are delegated to review the merger filings.

Compliance tips:

  • This is SAMR’s first try to delegate its merger control review power to local AMRs. The review timeframe for the simple cases delegated should be further observed.
  • It is advisable for notifying parties to keep in mind pre-notification whether their cases can be applied to simple filing procedure and are likely to be delegated to local AMRs; whether the relevant markets defined and the market shares thereof, especially when being asked to segment the relevant markets whether the market shares in the segmented markets can still make the deal applicable for the simple filing procedure.
  • It is not crystal clear whether foreign-to-foreign cases will be delegated to local AMRs in the future, and further observation is necessary.
  • The delegation mechanism is intended to further improve the review efficiency. However, in the beginning stage, it is uncertain yet how long it may take the local authorities to complete the review given their limited experience. But in the long run, we believe this mechanism will further decrease the review time of simple cases.

3.Establishment of a “stop-the-clock” mechanism

The New AML introduces the ‘stop-the-clock’ mechanism to suspend the review process under three circumstances, including (i) where undertakings fail to provide necessary information or documentation; (ii) where new material facts which affect the review of the concentration need to be examined; and/or (iii) where conditions to be imposed on the proposed concentration need to be further evaluated and a relevant undertaking makes a request for suspension.

This amendment will afford SAMR more time and flexibility to review mergers, particularly cases subject to remedy negotiations. Prior to the amendment, the maximum period for review is 180 calendar days, however, in practice, SAMR is unable complete its review in most conditionally approved cases when the 180-day review period expires, thus the notifying parties frequently “pull and refile”. With this amendment, SAMR will have a tool to stop the review clock during the review process.

Compliance tips:

  • The New AML does not contain a maximum length of time in which the merger review can be suspended and the number of times SAMR can stop the clock.
  • It is advisable for notifying parties to leave sufficient time for antitrust clearance in the transaction documents and should be better to make agreement with transaction parties to closely collaborate in RFI responding and document submission.
  • For complex cases, the notifying parties are recommended to assess the potential competition concerns of the transaction before the filing, or even before proceeding substantive transaction negotiation. As such, with strategies to address the potential remedies beforehand, the notifying parties could speed up the case review process rather than being delayed by the “stop-the-clock”.
  • For simple cases, “stop-the-clock” is unlikely.

4.Heavy fines for not filing

Compared to the 2008 version of AML, the merger control-related penalty is significantly strengthened from the perspectives of both the pecuniary penalty and the negative impact on credit records. Under the New AML, the fines for failure to file are divided into two categories: (i) transactions which do not or are unlikely to restrict or eliminate competition; and (ii) transactions which do or are likely to restrict or eliminate competition. An undertaking will face up to a fine of RMB 5 million (approx. USD 0.75 million) if its transaction belongs to the first c category and will face up to 10% of its turnover in the last fiscal year if its transaction belongs to the second category.

In the meantime, Article 64 of the New AML states that “where an undertaking is subject to an administrative penalty due to a violation of this Law, the penalty shall be entered into the undertaking’s credit records pursuant to the relevant provisions of the Law, and the information shall be disclosed to the public.”

Compliance tips:

  • In addition to the largely incremental fines, undertakings are much concerned about the penalty in credit as it will affect a company’s corporate reputation and have a negative impact on the company’s future government procurement and bidding activities, etc. Hence, it is advisable for companies to be more prudent in determining whether a merger notification should be filed.
  •  Undertakings are also recommended to use their subsidiaries instead of parent company to conduct transactions and sign the transaction documents, trying to alleviate any negative credit impacts if penalties are unavoidable.

5.Focus on “killer acquisition”

The New AML clarifies – and arguably encourages – SAMR’s ability to investigate transactions falling under the turnover thresholds but which have or are likely to have the effect of excluding or restricting competition. It also clarifies that SAMR is entitled to impose conditions or prohibit such transactions, or in case the transaction has been closed, request the parties to unwind the transaction.

Regarding the specific procedure, Article 7 of the Review Rules states that if there is evidence that a transaction may exclude or restrict market competition even the mandatory turnover threshold is not met, SAMR has the right to notify by written notice the undertaking and require the undertaking involved to submit a notification within 180 days from the notification date. And further, SAMR clarifies that (i) if the transaction has not been implemented by the notification date, the undertakings must hold on the implementation until receiving clearance; whereas (ii) if the transaction has been implemented by the notification date, SAMR reserves the right to take necessary steps to restore market competition.

Compliance tips:

  • There’s no precedent about how SAMR will probe the “killer acquisition”. Future cases in this regard will need to be further observed.
  • Learning experiences from other jurisdictions in the EU and the US, industries such as high-tech, pharmaceuticals and platform economy could be the main target. Thus, to secure the certainty of the transaction, transaction parties in the above areas could better consult SAMR about whether transactions are notifiable even the pre-assessment showing that the mandatory filing thresholds are not satisfied.

In summary, this briefing provides an overview of the important changes and potential ones to China’s existing merger control rules and procedure. The public consultation for the Threshold Rules and the Review Rules will run until July 26, 2022, after which we expect further revisions to the draft. We are closely monitoring any changes and will provide further updates.

Background

On 30 June 2022, the Cyberspace Administration of China (“CAC“) issued the Draft Provisions on Standard Contracts for the Export of Personal Information (“Draft Provisions“) for public consultation. The Draft Provisions open a lawful path for cross-border data transfers under Article 38 of the Personal Information Protection Law (“PIPL“). The deadline for feedback is 29 July 2022.

The Draft Provisions contain a draft Standard Contract for the Export of Personal Information (“PRC SCCs“), which we shall compare in detail below to the Standard Contractual Clauses for the Transfer of Personal Data to Third Countries under Regulation (EU) 2016/679  issued by the European Commission on 4 June 2021(those standard contractual clauses, the “EU SCCs“; and that regulation, the “GDPR“).

Note on the Terms used

We note that the lexicons used by the PIPL and GDPR vary somewhat. The terms we use to discuss the Chinese SCCs and EU SCCs (collectively or generally, “SCCs“) reflect the terms used in the PIPL and GDPR, respectively. A table of equivalent concepts is provided below:

PIPL GDPR
Personal Information Processor Data Controller
Entrusted Processor* Data Processor
Personal Information Protection Impact Assessment or PIPIA Data Protection Impact Assessment or DPIA
Personal Information Subject Data Subject
Sensitive Personal Information Special Categories of Personal Data
Overseas Recipient Data Importer
Regulator Supervisory Authority

*This is a concept that can be understood in the context of Article 21 of the PIPL but is not explicitly defined in the PIPL.

Use scenarios

The PRC SCCs may only be used in the following relevant cross-border transfer scenarios:

  • Non-critical information infrastructure operators;
  • The Personal Information Processor has handled the personal information of less than 1 million people ;
  • Since January 1 of the previous year, the cumulative amount of personal information provided overseas has not reached 100,000 people ;
  • Since January 1 of the previous year, the cumulative amount of sensitive personal information provided overseas has not reached 10,000 people.

For more information about relevant cross-border data transfers, please see China Releases Draft Standard Contract for Cross-border Data Transfers by Samuel Yang.

It is unclear if the PRC SCCs are customisable. However, Article 38 of the PIPL clearly states that contracts should be “in compliance with the standard contract provided by the national cyberspace authority…” Which could mean that the PRC SCCs should remain unchanged and be used as an intact document.

General observations

We note that the PRC SCCs consist of 9 articles and 2 appendices, while the EU SCCs consist of 18 clauses and 3 appendices. However, such a high-level comparison does not necessarily indicate the substance of either document.

The PRC SCCs can be considered a single document that applies to all relevant cross-border data transfers. They apply to all processors of personal information and do not define Entrusted Processors.

In contrast to the PRC SCCs, the EU SCCs can be considered 4 documents covering 4 different cross-border data transfer scenarios. Those transfer scenarios are: controller to controller; controller to processor; processor to processor; and processor to controller. Users of the EU SCCs require some familiarity with its layout as use requires the selection and deletion of clauses to match the transfer scenario.

Direct Comparison

We have produced the table below to help readers understand the structures of the PRC SCCs and EU SCCs. The table matches various topics identified within each document to specific provisions.

Topic PIPL SCCs GDPR SCCs AnJie’s Comments
Definitions and interpretation. Article 1

Clause 1.

Clause 4.

The PRC SCCs provide 7 definitions and a catch-all. Some definitions refer directly to the PIPL, while others are China-specific. For instance, “Relevant laws and regulations” refers to Chinese laws and regulations only.

While the EU SCCs lack a specific definitions section, Clause 1 therein contains some generic definitions found in most agreements, while Clause 4, an interpretation clause, refers readers to the GDPR for terms defined there.

One thing to note is that Entrusted Processors, a concept that is defined in the context of Article 21 of the PIPL, are not described or referred to in the PRC SCCs. To express this in GDPR terms, the Chinese SCCs do not explicitly recognise the existence of Data Processors.
Sensitive personal information and special categories of personal data Article 1. Module One, Clause 8.6.

The EU SCCs provide an explicit definition without cross-references to the GDPR, while the PRC SCCs refer to the definition under the PIPL.

We note that the relevant definitions under the PIPL and GDPR vary significantly, with the PIPL employing an open risk-based definition (PIPL, Article 28) and the GDPR employing what appears to be a very narrow and closed definition limited by examples.

In practice, this means that sensitive personal information under the PRC SCCs will include other things that are not included in the EU SCCs. For instance, your bank details are not special categories of personal data under GDPR but would be sensitive personal information under the PIPL.
Transparency. Article 2, Item 2

Module One, Clause 8.2.

Module Two, Clause 8.3.

Module Three, Clause 8.3.

The PRC SCCs require personal information processors to inform Personal Information Subjects about the particulars of all overseas recipients.

In contrast, the EU SCCs only explicitly require Data Controllers to inform Data Subjects about the particulars of an overseas recipient where the said recipient is another Data Controller.
Data minimisation. Article 2, Item 1. Module One, Clause 8.3.

Under the PRC SCCs, the burden of ensuring data minimisation is on Personal Information Processors that act as transferors. In contrast, the EU SCCs appear to only burden Data Controllers that act as Data Importers.

Placing the obligation on the party that initially controls that information seems to be a better way of controlling the risks associated with such transfers as a Data Importer cannot abuse data they lack. However, to manage this potential conflict in legal obligations, we imagine that, in the near future, many PRC-EU DPAs will include mutual commitments concerning data minimisation.
Personal Subject or Data Subject (collectively or generally, “Subject”) rights.

Article 2, Item 3.

Article 2, Item 8.

Article 3, Item 2.

Article 5.

Article 6, Item 1.

Clause 3.

Module One, Clause 8.3.

Module Three, Clause 8.3.

Clause 10.

Subject rights vary between the PRC and the EU. Additionally, Subject rights under the PRC SCCs are enforceable against both parties, while under the EU SCCs, the matter of enforceability depends on the nature of the underlying cross-border data transfer scenario.

Both SCCs require a recipient to provide notices or information on its website detailing the contact details for a person who can handle inquiries and how enquiries should be handled.

Both SCCs treat Subjects as third-party beneficiaries with a right to view the relevant SCCs. Moreover, both SCCs allow the principal contracting parties to charge fees or refuse to comply with unreasonable Subject requests.
Due diligence on the recipient. Article 2, Item 4 Clause 8.

Personal Information Processors must, under the PRC SCCs, “use reasonable efforts” to ensure that “the overseas recipient can fulfil its obligations“.

Likewise, the EU SCCs require a Data Exporter to use “reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations…

The use of a reasonable efforts standard by both SCCs is interesting. We note that other parts of both SCCs stipulate best efforts standards, suggesting that the due diligence standards of care are lower than those for other matters.
Secure processing.

Article 2, Item 4.

Article 3, Item 5.

Module One, Clause 8.5.

Module Two, Clause 8.6.

Module Three, Clause 8.5.

Module Four, Clause 8.2.

Generally, the provisions of both SCCs aim to bring about the same or similar outcomes, namely appropriate technical and organisational measures. While the EU SCCs elaborate more on things that should be considered to bring about such outcomes, such additional details are arguably unnecessary.

Concerning access controls, there appears to be broad equivalence between the SCCs. However, the PRC SCCs explicitly require Overseas Recipients to have “a minimum authorised access control policy…

 
Provision of laws and technical standards. Article 2, Item 5. N/A Personal Information Processors must provide Overseas Recipients with a copy of “relevant legal provisions and technical standards” upon request. This does not appear to have an equivalent within the GDPR. Should the exercise of such a right occur in practice, we imagine that foreign recipients might need translations. Procuring such translations, especially technical standards, could be expensive in practice. Contracting parties should consider this in their pricing and negotiations.
Cooperation with regulatory authorities and acceptance of their oversight.

Article 2, Item 6.

Article 3, Item 12.

Module One, Clause 8.9.

Clause 13.

Under the PRC SCCs, both contracting parties agree to respond to the Regulator’s enquiries. Moreover, the Overseas Recipient must agree to cooperate with the Regulator’s inspections, obey the Regulator and provide them with proof that “necessary actions have been taken.” We imagine the PRC SCCs could cause issues if EU blocking statutes exist (which we understand is the case).

Under the EU SCCs, the Data Importer only agrees to make documents available to the Supervisory Authority. While this requirement is less onerous than that found under the PRC SCCs, we note that under the Data Security Law, Article 36, “Any organisation or individual within the territory of the PRC shall not provide any foreign judicial body and law enforcement body with any data stored within the territory of the PRC without the approval of the competent authority of the PRC.
Impact assessment.

Article 2, Item 7.

Article 4.

 Clause 14.

The PRC and EU SCCs require a transferring party to conduct impact assessments for cross-border data transfers. Whilst the obligations of the SCCs do not wholly align, we believe that, in practice, a single assessment form or template could be used to ensure compliance with both sets of SCCs.

As the GDPR and EU SCCs predate the PIPL and the PRC SCCs, we expect that many such forms or templates will likely be variations of styles used in the EU.
Compliance and record keeping.

Article 2, Item 9.

Article 3, Item 10-12.

Module One, Clause 8.9.

Module Two, Clause 8.9.

Module Three, Clause 8.9.

Module Four, 8.3

Under the PRC SCCs, Personal Information Processors are burdened with proving that they have fulfilled their contractual obligation. In the case of disputes between the contractual parties, it is unclear if this would function as a reverse burden of proof. However, such a reverse burden of proof could exist in disputes with Subjects.

Overseas Recipients under the PRC SCCs must provide Personal Information Processors with evidence of their compliance, access to files and documents, facilitate audits, and accept the Regulator’s supervision. Overseas recipients must retain their records for at least 3 years.

Under the EU SCCs, obligations vary depending on the cross-border data transfer scenario, but in all cases involve being able to demonstrate compliance (sometimes to the other party) and making documents available to the regulator upon request. Modules Two to Four require recipients to facilitate audits and, for Modules Two and Three only, specify that audits may occur onsite.
Transfer particulars.

Article 3, Item 1.

Appendix 1

Clause 6.

Clause 8.1.

Annex I.

Annex II.

 Both SCCs rely on an Appendix or Annex to state the particulars of a specific cross-border transfer. They are broadly comparable, except that the PRC SCCs require a clear statement on the quantity of personal information transferred and suggest using the personal information categories listed in recommended national standard GB/T35273.
Access by government authorities at destination. Article 3, Item 7. Clause 15.

The EU SCCs describe how to handle legally binding requests or demands from foreign authorities with jurisdiction over personal information in the destination country. This is a prudent measure to help entities manage conflicting legal systems.

Unfortunately, the PRC SCCs contain no explicit provisions about dealing with legally-binding requests or demands from foreign authorities with jurisdiction over personal information in the destination country. We note that there is an express and general prohibition against providing “personal information to third parties located outside the PRC.” This could cause issues in practice and might deter entities from transferring their data abroad.
Data retention and deletion.

Article 3, Item 4.

Appendix 1.

Module One, Clause 8.4.

Module Two, Clause 8.5.

Module Three, 8.5.

 The provisions under both SCCs are broadly comparable with the exception that, under the PRC SCCs, an Entrusted Processor who is an Overseas Recipient must provide an audit report after deletion or anonymisation.
Data breaches. Article 3, Item 6.

Module One, Clause 8.5.

Module Two, Clause 8.6.

Module Three, Clause 8.6.

Module Four, 8.2.

Under the PRC SCCs, the requirements for handling all data breaches involve taking remedial measures, “immediately” notifying the Personal Information Processor and the Regulator, notifying Subjects if required by law, and documenting all facts about breaches. We do not believe that “immediately” is to be taken literally. However, some industries in China, such as insurance,  have reporting requirements that can be as short as one hour. As such, the meaning of immediately should not be assumed, and a service level agreement may be desirable for some industries.

Obligations concerning data breaches under the EU SCCs can vary depending on the cross-border data transfer scenario and risk level. For instance, transfers between Data Controllers attract the most onerous obligations in the event of high-risk data breaches. In contrast, transfers from Data Processors to Data Controllers only require the Data Processor to notify and assist the Data Controller.
Onward transfers. Article 3, Item 7.

Module One, Clause 8.7.

Module Two, Clause 8.8.

Module Three, Clause 8.8.

There are transparency requirements for onward transfers under the PRC and EU SCCs. See above for more details.

To make an onward transfer under the PRC SCCs, the following conditions must exist: (i) the transfer is necessary, though what that entails precisely is unclear at this time; (ii) the transfer is disclosed to Subjects and, if necessary, with their consent; (iii) the transfer must be subject to a written agreement that provides protection not lower than the standards in PRC law and the assumption of joint and several liabilities for harm to Subject; and (iv) a copy of the onward transfer agreement must be provided to the Personal Information Processor.

Under the EU SCCs, onward transfers much be subject to the EU SCCs or to “a country benefitting from an adequacy decision“, a third party that ensures appropriate safeguards. The transfer is necessary for litigation purposes, or the transfer is required to protect the vital interests of others.
Entrusted Processing & Data Processors. Article 3, Item 8. Modules Two, Three and Four. This is a significant area of divergence as the PRC SCCs does not significantly distinguish between types of entity that process personal information, while the EU SCCs treat Data Controllers and Data Processors very differently depending on the cross-border data transfer scenario.
Sub-processors.

Article 3, Item 8.

Appendix 1.

Clause 9.

Annex III.

Both SCCs seem to allow for sub-processing. However, the PRC SCCs do not explicitly address this particular issue, which means that sub-processing would be treated like any other onward transfer.

As for the EU SCCs, they require sub-processors to be bound by “in substance, the same data protection obligations as those binding the data importer” and allow for (i) specific prior authorisation or (ii) general authorisation from a list.
Automated decision-making. Article 3, Item 9. Clause 10.

Under the PRC SCCs, automated decision-making must be transparent, fair, and equitable. It may not be used to apply unreasonable differential treatment in terms of transaction conditions.

Under the EU SCCs, automated decision-making that produces effects concerning a subject or significantly affecting them may not occur unless the Subject consents to such processing or it is permitted under laws with appropriate safeguards.
Choice of law and jurisdiction.

Article 6, Items 2-5.

Article 9, Item 2.

Article 9, Item 5.

Article 9, Item 6.

Clause 11.

Clause 17.

Clause 18.

The EU SCCs stipulate the law of an EU member state or, for Data Processor to Data Controller Arrangements, the laws for a country that allows for third-party beneficiary rights. It gives jurisdiction to the courts of an EU member, including the place where a Subject habitually resides.

The PRC SCCs stipulate Chinese law.

If a Subject, as a third-party beneficiary to the contract, brings an action, they must comply with the Civil Procedure Law of the People’s Republic of China to determine jurisdiction, meaning a Chinese court with jurisdiction will be selected.

In the case of the contracting parties, the contract allows for dispute resolution in a Chinese court with jurisdiction or an arbitral institution in a country that is a member of the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards.
Termination and suspension. Article 7. Clause 16.

Under the EU SCCs, if the Data Importer breaches its obligations, the Data Exporter may suspend the contract until the breach is remedied or the contract is terminated. Several types of breaches or circumstances may trigger termination.

Under the PRC SCCs, Overseas Recipients have similar rights to Data Exporters under the EU SCCs, while Personal Information Processors enjoy 2 additional grounds: (i) breach by the Overseas Recipient of the laws in the country where it is based; (ii) bankruptcy, dissolution or liquidation. Additionally, termination may also occur at the election of either party if a Regulator has issued a decision that makes execution of the contract impossible or if both parties agree to the termination.
Liability for breach of contract. Article 8 Clause 12.

Under the PRC SCCs, “Liability between the parties is limited to the damages suffered by the non-breaching party.” At face value, this appears to exclude liability for lost profits.

Under both SCCs, Subjects are entitled to claim damages as third-party beneficiaries. Where more than one party causes a breach of Subject rights, both are jointly and severally liable to the Subject.
Precedence. Article 9, Item 1. Clause 5. Both SCCs claim to have precedence in the event of a conflict. This could cause difficulties in the event of a dispute involving both the EU and PRC.
Docking clause. Clause 7. No such mechanism exists under the PRC SCCs, which appear to be drafted for a scenario involving 2 contracting parties. Such a mechanism would be desirable for more complex processing scenarios.
Other matters agreed by the parties. Appendix 2 The PRC SCCs contain a blank page at their rear. This suggests that the CAC expects contracting parties to have additional needs. However, based on current cross-border data transfer practices, we suspect the PRC SCCs will function as an appendix or annex rather than the main agreement.

Implications

The PRC SCCs bear some similarities with the EU SCCs but differ on some key points. Multinationals with operations in the PRC and EU that wish to rely on SCCs may need to find ways to deal with those differences and conflicts or find alternative legal paths for their cross-border data transfers.

The likely alternative for many multinationals would be to obtain “certification of personal information protection” that has been “given by a professional institution in accordance with the regulations of the national cyberspace authority” under Article 39 of the PIPL. The National Technical Committee on Information Security of Standardization Administration (also known as “TC260”) has recently issued guidance on achieving such certification but more clarity is needed on things such as who are those “professional certification institutions” and how to start the certification journey.

Finally, for those who are able to use the PRC SCCs, we have observed that many multinationals annex the EU SCCs to their own customised global data transfer agreements, and we suspect the same will happen to the PRC SCCs in time.

Nearly fourteen years after its current Anti-Monopoly Law (“AML”) came into effect, China spares no efforts in strengthening antitrust enforcement and tightening relevant rules and regulations. Following the unprecedented Alibaba fines and a series of sector guidelines, that effort culminated this week, when the Standing Committee of the National People’s Congress (“NPC”) passed a new AML of amendments (“New AML”) to the current AML, with a few revisions to the previous draft (“Previous Draft”, together with an even earlier draft by State Administration for Market Regulation, the “Draft AML Amendment”) issued on 23 October 2021. Although a bill of law usually takes three rounds of deliberation before passage in China, it is possible to have a piece of legislation passed after two rounds where consensus could be achieved among relevant stakeholders; the New AML appears to be such an exception.

Beyond all doubt, the New AML, once becomes effective, will better arm the newly-established State Anti-Monopoly Bureau for a more challenging decade ahead. Having codified the current Chinese practices and adopted some foreign experience, the New AML aims to keep up with developments and market conditions that have transformed the way businesses are operated these days. While e-commerce and platform economy receive the most attention, sectors including people’s livelihood, finance, technology, and media are also highlighted. For many others, the new AML, while providing clearer procedure guidance, will take away the filing thresholds of safe harbour and impose harsher penalties for violations; antitrust and competition compliance will be put on the agenda, if not yet, for many undertakings, particularly those in key sectors.

I. The Main Aspects of the Draft AML Amendment

  • Focus on platform economy:Out of fear of the competitive expansion of tech giants, it is universally acknowledged that legislative actions need to be taken to address the perceived enforcement gaps between the old school antitrust rules and the new types of anti-competitive conduct that emerged in the digital era. After the 2021 Guidelines for Anti-Monopoly in the Field of Platform Economy (“Platform Guidelines”), the New AML provides both some general terms that prohibits the increasingly aggressive application of the abuse of dominance by platform entities and tailored clauses that list the exact forms of such conducts.
  • Tougher penalties with broadened targets: To secure the deterrence effects of the new AML, the New AML and Draft AML Amendmentpropose to increase the maximum level of fines for the relevant violations, especially gun-jumping, non-implementation of monopoly agreements and behaviours led by trade associations. Although the penal sum varies among different drafts, the final number set in the New AML is still several times of that under the current AML. Remarkably, the New AML creates a punitive penalty which multiplies fines by up to two to five times of the original penalty where the violation is serious. Those that do not generate any revenue in the previous financial years, too, cannot escape. In addition, it intends to impose liabilities on facilitators as well as legal representatives and the person in charge of or directly responsible.
  • Weakening stance against RPM: Distinct from its European and American counterparts, resale price maintenance (“RPM”) has long been an enforcement priority in China with a dichotomy method adopted by antitrust enforcers and Chinese courts; the Chinese antitrust enforcement authorities take the “prohibition + exemption”, a semi-per se illegal approach and Chinese courts choose a road that is akin to rule of reason. While the Supreme People’s Court of China attempted to justify the difference in its renowned Yutaijudgement, the New AML clearly discloses the Chinese policymakers’ preference toward the rule of reason approach by putting the burden of proof on the concerned undertakings to show that it does not eliminate or restrict competition and repositioning the definition of “monopoly agreement”.
  • Official introduction of safe harbour rules for monopoly agreements: Although safe harbour is not a new thing in China’s antitrust practice, previously it can only be found in some sector guidelines; the New AML now recognises the legitimacy of such block exemption in vertical agreement ina higher-level of law; details of the implementation rules, are yet to be established by the enforcement authority.
  • Expansion of the enforcement authority’s jurisdiction:Concerns over concentrations involving undertakings, notably in the digital or pharmaceutical sectors, that have or may have anti-competitive impacts in the relevant markets, albeit with limited income, have grown in the past few years. The New AML tries to fill the gap by conferring on enforcer authority to review transactions that fall below filing thresholds.
  • Establishment of a “stop-the-clock” mechanism:Currently, notifications filed in China have to be pulled and refiled after a maximum of 180 days review period; this process can be repeated in complicated cases, especially the ones approved with conditions. The New AML draws lessons from other jurisdictions and introduces the ‘stop-the-clock’ mechanism to suspend the review process under certain circumstances.

II. An In-Depth Look at the New AML

While largely in line with the previous draft, some proposed amendments, considering opinions from different sides, made under the New AML are novel; the detailed revisions are explained as follows:

  • Erosion of safe harbour:In the Previous Draft, a safe-harbour clause is introduced to provide a higher-level legal basis for exempting certain agreements, horizontal and vertical alike, with concerned parties’ market share lower than (unspecified) thresholds set by enforcement authorities. However, the New AML now limits the application of safe harbour to vertical agreements alone, which are usually considered to be less anti-competitive than horizontal agreements among competitors. That said, the safe harbour clauses under existing sector guidelines remain valid. The change implies a cautious and stringent position taken by the legislator.
  • Further refinement of platform economy rules:China makes no secret its ambition to tackle platform giants. A clause is included under the general provisions in the Previous Draft to prohibit undertakings from abusing data, algorithms, techniques, capital advantages and platform rules to eliminate or restrict competition. Despite the existence of the Platform Guidelines, the New AML further specifies some platform-specific anti-competitive conduct which mirrors the Platform Guidelines, on top of the general prohibition clauses under the chapter of abuse of dominance responding to the intensified antitrust scrutiny trend in the past year.
  • Soft landing of “killer acquisition” investigation:Some stakeholders and scholars suggested the rules for reviewing transactions falling below filing thresholds should be further clarified. The New AML addresses this by allowing the enforcement authority to request the parties to transactions to file; the enforcement authority shall initiate an investigation if the parties fail to do so. This rule should benefit both transaction parties and enforcement authorities; the parties will have more mobility while the enforcer could save constrained enforcement resources.
  • Altered enforcement authority:To reflect the elevation of the seniority of the market regulator’s antitrust unit, the State Anti-monopoly Bureau, the New AML now specifies the antitrust enforcement authority of the State Council to assume the power thereunder. The deputy ministerial-level enforcement authority, will now have more tools in its kits to carry on its duty.
  • Interplay between the judiciary and law enforcement:While the current AML and earlier versions of its draft amendment are almost enforcement-exclusive, the New AML supplements a general clause that requires the reinforcement of antitrust judicial activities and a fair and efficient approach by courts in hearing antitrust cases. It also calls for improving the interplay between the judiciary and law enforcement.

III. Looking Ahead

On 24 June 2022, the Standing Committee of the NPC officially passed the much-awaited AML Amendment. The potential impact on the competition landscape of the new AML, together with its supplementary rules, would be wide-ranging. Harsher penalties, expanded jurisdiction, altered procedures and standards are reasons why the new AML merits close attention from undertakings doing business in China and related to China; we will keep our clients apprised of any further updates.

 

What is Director and Officer Liability Insurance?

Directors and officers (“D&Os”) assume liability for many of their company activities, especially when their company is publicly listed. In many cases D&Os face significant legal exposure based simply on their signature, role and title, or status as a controlling person. This means that no matter how effectively, carefully, or in good faith their decisions are made, D&Os face the risk of being sued.

D&O insurance is designed to cover this risk. Namely, to protect executives, directors, as well as the companies they serve, against liability arising from actions taken in the course of doing business or managing the companies. This can include the legal costs and damages from being sued by plaintiffs or prosecuted by regulators, the costs of settling such actions, or other forms of liability.

D&O insurance first emerged on the Lloyds of London insurance market in the 1930s and while not mandatory, it is common with private and publicly traded companies alike.

With the listing of more and more Chinese companies in foreign markets, an increasing number of such companies now acquire D&O insurance. Within mainland China, due to revisions to the Securities Law of the People’s Republic of China and ensuing securities litigation, D&O insurance has also captured the attention of Chinese D&Os.

How Does Director and Officer Liability Insurance Work

When a crisis hits, a typical D&O policy covers both the corporate entity in addition to individual D&Os. Possible areas of coverage include insurance for investigations, tax liability, securities, and employment claims. Among these potential sources of liability, securities claims tend to raise the greatest exposure.

When a securities claim arises, D&Os are designed to cover “wrongful acts”. Depending on the language in D&O policies, this typically covers the kinds of mistakes, poor judgment, or negligence that lead to shareholder litigation. However, these “wrongful acts” normally do not include D&Os’ intentional or fraudulent acts.

What are the Limitations of Liability Insurance for D&Os?

D&O insurance does not cover against all types of liabilities. A number of exclusions exist to limit insurer liability, which can greatly affect coverage and settlements of shareholder litigation. Conduct exclusions exist to prevent benefits for intentional wrongdoing, like a criminal or fraudulent act, (including fraud on the market). In some cases, inappropriate conduct can lead to termination of coverage. Many policies also include a “prior knowledge” exclusion, which prevents claiming losses from lawsuits involving matters D&Os knew or should have known about prior to litigation. In some cases, the exclusion can only be triggered by a judicial ruling (“final non-appealable adjudication”, or some variant thereof).

In China, there is fierce debate over whether D&O covers losses resulting from government penalties. Decision-makers within China’s insurance market hope for court precedent that could clarify this issue, especially with regards to proper application of the insurable interest in D&O insurance.

What Laws Govern Chinese D&O Liability Insurance?

Chinese entities raising funds through IPOs abroad increasingly turn to PRC insurers for their D&O insurance needs. In many cases, such entities earn their revenue in China but are structured as a variable interest entity (“VIE”) headquartered in a tax haven such as the Cayman Islands or British Virgin Isles. When a foreign securities claim arises, these policies become notable in that they typically engage both Chinese and foreign law.

This leads to insurance policies that are veritable chimeras — a Cayman head (which might face bankruptcy proceedings following a fraud on the market claim), a Chinese body (governing the policy itself), and an American tail (for example, governing settlement allocation when a class action settles). To illustrate, whereas nowadays most securities litigation is heard before US district or state courts in New York, Chinese D&O policies usually set an arbitration center in Beijing or Shanghai as the forum for policy disputes, with PRC law as the governing law.

This can lead to extremely complex proceedings, where disagreements arise on how a Chinese court or tribunal should determine allocation of damages under US law. Oftentimes, Chinese arbitration of D&O claims involves US lawsuits where multiple defendants decide to settle with the plaintiffs. This leaves important issues of allocation unresolved, with no foreign court having definitively determined the portion of liability for each defendant, only some of whom are the insureds or covered under the D&O policy. Therefore, in addition to the underlying Chinese laws, it is crucial to also grasp rules surrounding the applicable laws of the jurisdiction where the VIE is headquartered and where the insured entity is listed, especially US securities laws.

Conclusion

Like their common law precursors, Chinese D&O policies protect against securities claims, including when D&Os commit “wrongful acts”. However, this cover does not extend to fraudulent or criminal conduct, and policies may also exclude wider categories of behaviour.

Importantly, litigating these policies rarely relies on only the laws of one jurisdiction, due to the fact that Chinese D&O policies typically interact with Chinese, US, and even Cayman or British Virgin Islands laws governing a VIE’s incorporation. They are instead more like chimeras, and far more complex than US publicly-listed companies’ domestic D&O policies.

AnJie’s insurance team

Ranked Band 1 by Chambers for insurance, AnJie is well known for its insurance & reinsurance practice. AnJie’s insurance team, as one of the largest in China, is composed of more than 50 seasoned, multilingual Chinese lawyers and foreign legal advisors. AnJie’s insurance partners are located in the firm’s Beijing, Shanghai, Shenzhen, Hong Kong, Haikou, and Nanjing offices, providing legal services to our clients across the nation and beyond. Since 2013, AnJie and its insurance team partners have been continuously recognized as Key Recommended Law Firms and Lawyers by leading international rating agencies and professional publications such as Chambers and Partners, Who’s Who Legal, Legal500, and Asialaw.

[1]Some policies also include fees for crisis management, including emergency consulting and public relations services.

AnJie Partners Zhan Hao and Song Ying were once again invited to pen the China chapter for Global Legal Insights: Cartels 2022 (“Cartels 2022”), which has been published recently. Cartels 2022, published by the Global Legal Group (“GLI”), aims at providing global legal professionals with an overview and insights into the laws and practices relevant to cartels (referred to as “monopoly agreements” in China) in different jurisdictions.

Based on the relevant rules and enforcement practices of monopoly agreements in China, Zhan Hao and Song Ying, who were recommended as antitrust and competition attorneys by Chambers & Partners, Who’s Who Legal, the Legal 500 and other leading rating agencies, introduced in detail the regulatory framework, general legal system and typical monopoly agreements cases from 2020 to 2022, deeply analyzed the latest enforcement policy, administrative investigation process and compliance standards, and shared insights together with their outlook on future legislative and enforcement developments.

GLI is a leading global legal media organization providing legal analysis and industry solutions to top corporate executives, legal counsel, law firms and government agencies worldwide, and has been an important platform for the international legal community to connect and share. The invitation to the AnJie antitrust team for many years is a recognition by the market of its strength in the field and pushes the team to continue to lead the way in the antitrust and competition law profession.

Foreign investor seeking to exit from its foreign invested enterprises (including joint venture companies and wholly foreign owned companies) (“FIE”) in China may consider transferring all its shares in the FIE to others, requesting the FIE to return capital by reducing the FIE’s registered capital or voluntary dissolution of the FIE. This article will focus on the introduction of voluntary dissolution under the current Chinese legal mechanism.

The dissolution of a FIE used to be a time-consuming and complicated procedure according to the previous laws and practice. However, in the wake of promulgation of several policies and regulations, the dissolution procedure has been simplified as the required time and costs are significantly reduced. In the recent FIE dissolutions that we have helped with, it took approximately 3 to 5 months to complete the entire process.

The entire process of voluntary dissolution is generally comprised of three major procedures, namely dissolution, liquidation and deregistration as follows:

  1. Dissolution
  • Resolutions on Dissolution and Liquidation Committee Formation

The dissolution shall commence upon its highest authority (normally the shareholders’ meeting or the sole investor) adopting a resolution on the voluntary dissolution.  Pursuant to the Company Law, the resolution regarding dissolution shall be approved by shareholders representing at least two-thirds of the voting rights. That been said, we understand according to the articles of association of most FIEs, dissolution must be approved by all shareholders unanimously.

The resolution regarding the dissolution shall state (i) the cause of the dissolution (for example, expiration of operation term, serious loss or revoking of business license by government); and (ii) the formation of a liquidation committee, as well as the appointment of members and principal of the liquidation committee.

The laws do not provide for any requirement on the members and principal of the liquidation committee. Normally, the committee is comprised of 2 to 3 members including 1 principal; the principal can be the chairman of board or the general manager, while other members may include directors and finance head of the FIE. The shareholders of the FIE may also designate external legal counsel or accountants to be the members of the liquidation committee. If the FIE is a joint venture company, each shareholder would better appoint its own representative to the liquidation committee.

  • Announcement of Formation of Liquidation Committee

The FIE should then announce to the public the formation of the liquidation committee and the information about the members of the liquidation committee through the national enterprise credit information publicity system within 10 days of the liquidation committee’s establishment.

  1. Liquidation

In accordance with the Company Law, the day on which the liquidation committee is formed is the commencement date of the liquidation. The liquidation committee should carry out the following liquidation activities since then:

  • Notification to Creditors

The liquidation committee should notify creditors within 10 days of its formation. In addition, the liquidation committee should additionally make a public announcement via the national enterprise credit information publicity system within 60 days of its formation. The purpose of both the direct notification and the public announcement is to request the FIE’s creditors to register their rights with the FIE for settlement.

  • Inventorying of Assets (including Existing Contracts)

The liquidation committee should run an inventory of all remaining assets and existing contracts, and then prepare balance sheets and property inventories. The liquidation committee may engage an appraiser to appraise the assets to build up value basis for disposal of the assets later.

In order to save costs and time spent on the liquidation procedure, it is advisable for FIE to start to dispose assets and terminate the business contracts even before the FIE enters into the dissolution and liquidation procedures

  • Termination of Employment of Employees

The FIE shall notify its employees of the decision and shall discuss with them in respect of the termination date and the severance payment on a timely and transparent basis.

To facilitate implementation of liquidation, the FIE may want to maintain one or two staffs who are familiar with the financial situations of the FIE until the completion of the liquidation procedure, because he/they will be required to assist the liquidation committee to handle the liquidation works, especially balance sheet preparation, assets disposal and tax clearance.

  • Preparation of Liquidation Plan

After the liquidation committee clearly understand the status of the FIE’s assets and creditor’s rights and indebtedness (including the ones arising from employment and business contracts), the liquidation committee shall prepare a liquidation plan setting forth, among other things, liquidation expenses and costs, taxes to be paid, list of creditor’s rights and indebtedness, list of assets, disposal plan for assets and indebtedness, plan of termination of employment.

The liquidation plan is not required to be filed with the governmental authority but shall be approved by the FIE’s shareholders.

  • Implementation of Liquidation Plan

Once the liquidation plan is approved by the shareholders, the liquidation committee shall carry out the liquidation as per the plan.

The account balance and the proceeds from the disposal of the assets must be used to settle outstanding costs and debts in the following order:

  • liquidation expenses;
  • employees’ salaries, social insurance fees and severance fees;
  • outstanding taxes; and
  • other indebtedness.

Please be advised that tax clearance is usually the most complicated and time-consuming step in the entire liquidation procedure. As soon as the liquidation starts, the liquidation committee shall apply for a pre-review of the outstanding liabilities to the tax bureau. The tax bureau would issue a “One-Time Notice of Tax Matters” setting forth all the outstanding tax liabilities owed by the FIE. The liquidation committee should settle these liabilities one by one according to the notice. In the course of this process, the FIE shall be prepared to answer questions in relation to the balance sheet and/or make up taxes in arrears as per tax bureau’s requests.

  • Liquidation Audit

Since the foreign exchange administration will require the liquidated FIE to provide a liquidation audit report when it distributes remaining fund to foreign shareholders, the liquidation committee shall engage a qualified auditor to conduct an audit and issue an audit report.

  • Liquidation Report

After the tasks above have been completed, the liquidation committee shall prepare a liquidation report setting forth, among the other things, the situation and the result of the actual implementation of the liquidation plan. The liquidation report needs to be approved by the shareholders and submitted to the registration authorities for recordation.

  1. Deregistration

After the liquidation, the FIE shall carry out the following deregistration with various relevant governmental authorities:

  • deregistration with corporate registration authority;
  • social insurance deregistration;
  • housing fund deregistration;
  • deregistration of enterprises for foreign exchange receipts and payments for trade of goods; and
  • deregistration with customs.

These de-registration processes are often relatively simple and straightforward. The liquidation committee can normally complete the processes by only submitting a few application forms to the relevant authorities or filling out forms online.

In addition, after the completion of the deregistration with the corporate registration authority as mentioned above, the FIE will need to handle the following matters simultaneously at its bank in order to distribute the remaining fund to the FIE’s foreign shareholders:

  • cancellation of foreign exchange registration with the foreign exchange administration;
  • provision of the “Notice of Company Deregistration” issued by the corporate registration authority and the liquidation audit report issued by auditor; and
  • closure of the bank accounts after the remaining fund has been distributed.
  1. Conclusion

In the circumstances where a FIE encounters deadlock between shareholders, lack of market competitiveness, significant increase in expenses and costs or regulatory obstacles, voluntary dissolution may become an inevitable exit option. A more effective and streamlined dissolution mechanism has been adopted by the recent laws and practices. A FIE can be dissolved and deregistered within a period much shorter than the time required under the previous mechanism; and the documents required for dissolution and deregistration become less. Despite of the simplification, foreign investor seeking exit via voluntary dissolution still needs to ensure its strict compliance with the procedures set forth in the applicable regulations as failing to do so, it would expose itself to several and joint liabilities towards the FIE’s indebtedness.

* * *

Please contact the authors listed below if you request additional information or have any questions regarding the issues raised in this brief:

Simon Li

Liting Ren

 

+86 10 8567 2989

 

 +86 10 8531 1450

lixiameng@anjielaw.com

 

 renliting@anjielaw.com

 

This publication has been prepared for clients and professional associates of AnJie Law Firm.

While every effort has been made to ensure accuracy, this publication is not an exhaustive treatment of the area of law discussed and AnJie Law Firm accepts no responsibility for any loss occasioned to any person acting or refraining from action as a result of the material in this publication.  Please seek the services of a competent professional advisor if advice concerning individual problems or other expert assistance is required.