The Significance of Cross-Border Data Transfer for SMEs and MNCs

Enterprises need to know about security assessment of cross-border data transfer or risk hefty fines and penalties

Personal Identifiable Information (PII), or as some countries would call it, personal data, has become the key for enterprises to offer innovative and customised service offerings internationally. In today’s volatility, uncertainty, complexity, and ambiguity (VUCA) world, regulation of cross-border data usage has become a new policy priority in many jurisdictions. The European Union was one of the first to introduce a new framework for data protection in 2018 – the General Data Protection Regulation (GDPR). Many other countries have since followed suit. China has passed the Personal Information Protection Law (PIPL) with more stringent rules for cross-border data transfers, and closer to the South-East Asia region, Indonesia passed its own Personal Data Protection (PDP) bill in October 2022. Most recently, Vietnam issued its long-awaited, first-ever comprehensive Decree No. 13/2023/ND on the Protection of Personal Data in April 2023. As jurisdictions roll out distinctive standards pertaining to cross-border data flows, it is important to understand how data flows across borders and to gauge the potential impact of the data protection regulations in each of those jurisdictions.

Many enterprises have asked, “How have the new data regulations changed global businesses, and what are the implications for the broader economy?” In this article, we will discuss the cross-border data transfer trend, highlight some regulatory requirements for cross-border data transfer, present the compliance challenges and provide some guidance to address them.


What is cross-border data transfer?

The Cyberspace Administration of China (CAC) has specific provisions in the PIPL, the Cybersecurity Law (CSL) and the Data Security Law (DSL) that require sensitive data, including personal identifiable information, to undergo a security assessment before it is transferred abroad once certain thresholds are met, and to fulfil several other conditions specified in the PIPL, DSL and CSL.

In reviewing the provisions outlined in the PIPL, CSL & DSL, cross-border data transfer would include the following situations:

  • A Personal Information Controller (PIC) or Personal Information Processor (PIP) provides personal information and data directly to recipients located outside of China;
  • Overseas entities, organisations and individuals have remote access to data and personal information stored within the territory of China;
  • Multi-national companies transmit, from China to overseas, personal information and data they generate or collect in their operations within China;
  • A PIC or PIP provides data to entities that are located within China but are not subject to Chinese jurisdiction or not registered within China.


Legal liability - What happens if an enterprise is non-compliant?

Where personal information is handled in violation of the provisions of the PIPL, or the processing of personal information fails to fulfil the personal information protection obligations stipulated in the PIPL, and the circumstances are not serious, the department performing personal information protection duties shall order corrections, give warnings, confiscate illegal gains, and order the illegal processing to stop. The application processing the personal information shall be ordered to suspend or terminate the provision of services; if the enterprise refuses to make corrections, a fine of not more than 1 million yuan shall be imposed, and the directly responsible person in charge and other directly responsible personnel shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

Where an illegal act described in the preceding paragraph occurs and the circumstances are serious, the department at or above the provincial level that performs personal information protection duties shall order corrections, confiscate the illegal income, and impose a fine of not more than 50 million yuan or not more than 5% of the previous year's turnover; it may also order the suspension of the relevant business or a suspension of business for rectification, and notify the relevant competent department to revoke the relevant business permit or the business licence. The directly responsible person in charge and other directly responsible personnel shall be fined not less than 100,000 yuan but not more than 1,000,000 yuan, and may be prohibited from serving as directors, supervisors, senior managers or personal information protection officers of related companies for a certain period of time.

To date, the biggest single fine issued by a data privacy authority for infringing cross-border data transfer regulation is the 1.2 billion euro fine imposed on Facebook.

1.2 billion euro fine for Facebook as a result of the European Data Protection Board (EDPB) binding decision
“The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.” – 22 May 2023, EDPB (EU Data Protection Authority)


What can an enterprise do to stay in compliance with cross-border data transfer regulation?

For enterprises whose business operations require data transfer across borders, BDO would propose a risk assessment, namely a Privacy Impact Assessment (PIA), on the business processing activities relating to data transfer across borders. This is critical to uncover any business processing activities that may have been carried out unlawfully or in a manner non-compliant with the country's regulations.


What is a Privacy Impact Assessment (PIA)?

A Privacy Impact Assessment (PIA) is a way for an enterprise to analyse the enterprise's data processing operation and help to identify and minimise data protection risks systematically and comprehensively.

PIAs should consider not only compliance risks in the jurisdictions where cross-border data transfers occur, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or society at large, whether physical, material or non-material. To assess the level of risk, a PIA must consider both the likelihood and the severity of any impact on individuals. A PIA does not have to show that all risks have been eradicated, but it should help you document them and assess whether any remaining risks are justified.

PIAs are a legal requirement, under the China PIPL, for processing that is likely to be high risk. But an effective PIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals. A PIA may cover a single processing operation or a group of similar processing operations. A group of controllers can do a joint PIA.

It is important to embed PIAs into enterprise processes and ensure the outcome can influence its plans. A PIA is not a one-off exercise. The enterprise should see it as an ongoing process subject to regular review. You must do a PIA before you begin any processing that is "likely to result in a high risk". This means that although you have not yet assessed the actual level of risk, you need to screen for factors that point to the potential for a widespread or serious impact on individuals.


Transfer Impact Assessment (TIA)

Upon confirmation of data processing risks, including non-compliance risks of cross-border data transfer, BDO would recommend that the enterprise conduct a follow-up Transfer Impact Assessment (TIA). A TIA will clarify an enterprise's risks in transferring Chinese residents' data to countries that lack adequacy status under the China PIPL. Some key questions need to be reviewed by both the party transferring the data and the party receiving it. The following guidance outlines the steps taken during the Transfer Impact Assessment (TIA) to assess the risks related to cross-border data transfers:

  1. Identifying data transfers, including onward transfers and sub-processing chains.
  2. Identifying the transfer tools that are relied on, such as Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR), codes of conduct, etc.
  3. Where relying on SCCs or BCR, assessing whether the tool is effective in light of all circumstances of the transfer, including the third country's laws.
  4. Adopting supplementary measures where necessary.
  5. Considering whether any procedural steps are required.
  6. Re-evaluating at appropriate intervals.

How can BDO help?

BDO has worked with many Multi-National Corporations (MNCs), helping them to conduct a gap analysis of their data protection policies, procedures and controls, including performing PIA and TIA risk assessments on their business operations across multiple jurisdictions. We worked closely with the appointed Data Privacy Officer and the management team to review and recommend relevant mitigation measures to ensure the enterprise complies with the data protection regulations across these multiple jurisdictions.

Standard Contractual Clauses (SCC) - Standard contractual clauses (SCCs) are standardised and pre-approved model data protection clauses that allow a PIC and PIP to comply with their obligations under EU/China data protection law. They can be incorporated by controllers and processors into their contractual arrangements with other parties, for instance commercial partners.

Binding Corporate Rules (BCR) - Binding corporate rules (BCR) are data protection policies adhered to by companies established in the EU/China for transfers of personal data outside the EU/China within a group of undertakings or enterprises.


References

Data Privacy Regulations

European Union: General Data Protection Regulation (GDPR) - https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en

China: Personal Information Protection Law (PIPL) - https://www.china-briefing.com/news/the-prc-personal-information-protection-law-final-a-full-translation/

Indonesia: Personal Data Protection - https://www.aseanbriefing.com/news/indonesia-enacts-first-personal-data-protection-law-key-compliance-requirements/

Vietnam: Decree No. 13/2023/ND on the Protection of Personal Data - https://vietnam-business-law.info/blog/2023/4/21/new-decree-on-protection-of-personal-data-in-vietnam-and-comparison-with-gdpr