The following is an article by the EU SME Centre published in EURObiz, the bimonthly magazine produced by the European Union Chamber of Commerce in China.
Read EURObiz online here: https://www.eurobiz.com.cn/

The following is an article by the EU SME Centre published in EURObiz, the bimonthly magazine produced by the European Union Chamber of Commerce in China.
Read EURObiz online here: https://www.eurobiz.com.cn/
In line with the concept of cyber sovereignty, where the Chinese Government has the ultimate authority over cyberspace, China developed and strengthened its governance system for cybersecurity, data and PI protection for any company operating within the territory of China – including foreign enterprises. At the same time, the three main laws have an extraterritorial reach, extending their scope to overseas entities based abroad. Hence, EU SMEs falling under their scope, even without a legal presence in China, will need to comply with Chinese laws and the related regulations and standards.
The specific obligations and requirements stipulated by these laws and relevant standards distinguish among different subjects and roles, specifically:
Foreign-invested companies operating in China with EU companies as shareholders may fall under the scope of these definitions, though—especially in the case of CII operators—few SMEs are likely to be affected.
In addition, different definitions, classifications and grades of data and PI are stipulated by the legal framework and require specific levels of security and protection mechanisms implemented by the relevant processors.
It is essential for foreign-invested companies operating in China with EU companies as shareholders to familiarise themselves with the latest specific requirements and procedures for transferring overseas data and PI processed in China, which vary depending on the nature of the processor and the type of data. Three legal mechanisms for lawful transfers of data and PI outside of China have been laid down by law.
The cross-border transfer of certain data and personal information outside of China requires prior Chinese Government approval through a CAC security assessment for:
After conducting a self-assessment evaluating the risks involved in the transfer, the applicant needs to undergo a formal security assessment on national level conducted by the CAC. This will be carried out within 45 working days—or even more in complex cases—and will focus on seven key targets, such as the purpose, scope and method of data transfer, the impact of the legal environment of the receiver’s country on the security of the data, and the alignment of the receiver’s protection level with Chinese laws and regulations. Afterwards, the applicant is formally notified on whether a re-examination will be necessary or if approval has been granted to sign the relevant contract and begin the cross-border transfer process.
In circumstances where a security assessment prior to cross-border data transfer is not mandatory, PI exporters that process PI should follow the Standard Contract Provisions issued by the CAC. At the time of writing, only draft versions of the specific requirements and obligations has been made available, but they imply that eligible PI processors must first conduct a PI protection impact assessment. This risk self-assessment seems to follow the same six elements that are required for the CAC security assessment. In addition, the contract signed with the overseas receiver must follow six standard provisions, or ideally, the standard template provided by the CAC can be used. Within 10 days of the enforcement date of the contract, the PI exporter must file the results of the impact assessment and a copy of the signed contract with their local provincial-level CAC.
As an alternative to the Standard Contract Provisions, non-CII operators processing PI below the threshold of one million individuals may choose to apply for a certification for a cross-border transfer of personal information. Specifically, certification can be obtained for:
The application for certification is submitted by the China-based subsidiary, which acts as the PI exporter, or by a designated agent in China for foreign companies subject to the PIPL’s extraterritorial clause. The certification process focusses on both the PI processor acting as the exporter and the offshore PI receiver, and usually reviews four key elements: (i) the legally-binding agreement signed by both parties; (ii) the two parties’ compliance in appointing a responsible officer and setting up relevant departments; (iii) their abidance with the same PI cross-border processing rules; and (iv) a PI security impact assessment that must be carried out before the data transfer. As of September 2022, no list of designated certification bodies has yet been released, and further uncertainties remain. This method of cross-border PI transfer is therefore currently not an option for SMEs.
The new governance framework for cybersecurity, data security and personal information protection brings a paradigm shift in the way EU companies have been operating their businesses in China. Depending on their specific businesses, market share, risk tolerance and integration within the Chinese ecosystem, as well as the level of integration of their China-based activities into global value chains, EU SMEs may face many changes and uncertainties in order to comply with the CSL, DSL and PIPL. Violating the obligations and requirements of cybersecurity, data and PI protection may trigger administrative, civil or even criminal liabilities – depending on the specific circumstances and the impact on the rights of China’s citizens, organisations, public interest, and national security. Hence, a series of actions must be taken to ensure EU SMEs’ compliance and to prevent disruptions to their businesses in China.