China: New data exit regulations taking effect, violation may face severe punishment
On August 31, 2022, the State Internet Information Office in China released overnight the “Data Exit Security Assessment Declaration Guidelines” (Version 1) to coincide with the implementation of the “Data Exit Security Assessment Measures” as of September 1, 2022. In addition to the aforementioned regulations, the “Personal Information Exit Standard Contract Provisions” has ended its consultation and is also expected to be issued soon. From now on, any enterprise in China must operate in accordance with the requirements of the aforementioned new regulations in case of data exit business, otherwise it will face high fines or even be held criminally responsible.
Simply put, all enterprises engaged in data exit business are within the scope of adjustment of the new regulations. Data exit here mainly refers to: (1) data processors transfer and store data collected and generated in their domestic operations outside of China; (2) data collected and generated by data processors are stored in China and can be queried, retrieved, downloaded and exported by institutions, organizations or individuals outside of China.
Depending on the attributes and volume of outbound data, two separate management models may be triggered, namely: security assessment and personal information outbound filing.
If an enterprise provides important data abroad in violation of the regulations, the relevant competent department shall order it to correct, give a warning, and may concurrently impose a fine of not less than 100,000 RMB and not more than 1 million RMB. The person-in-charge and other persons directly responsible may be fined not less than 10,000 RMB but not more than 100,000 RMB. If the circumstances are serious, the offender shall be fined not less than 1 million RMB but not more than 10 million RMB, and may be ordered to suspend the relevant business, suspend business for rectification, revoke the relevant operation permit or revoke the business license, and the person-in-charge and other persons directly responsible shall be fined not less than 100,000 RMB but not more than 1 million RMB.
If an enterprise deals with personal information in violation of regulations, the competent authority shall order it to correct, give a warning, and confiscate the illegal gains; if it refuses to make corrections, it shall also be fined not more than 1 million RMB; the person-in-charge and other persons directly responsible shall be fined not less than 10,000 RMB and not more than 100,000 RMB. If the circumstances are serious, the competent authority at or above the provincial level shall order it to correct, confiscate the illegal income, and impose a fine of not more than 50 million RMB or not more than 5% of the turnover of the previous year, and may also be ordered to suspend the relevant business or suspend business for rectification, or notify the relevant competent department to revoke the relevant operation permit or business license. The person-in-charge and other persons directly responsible shall be fined not less than 100,000 RMB but not more than 1 million RMB, and may decide to prohibit them from serving as directors, supervisors, senior managers and persons in charge of personal information protection of the relevant enterprises within a certain period of time.
The supervision of data protection is still in its infancy in China and is in the process of continuous exploration. Youly suggests that enterprises pay close attention to the legislative and regulatory developments in relevant fields to ensure that enterprises comply with the law when engaging in data exit activities. Youly is willing to cooperate with enterprises to provide support for the data exit compliance.
Useful tools:
Leave a Reply