Starting from December 1, 2023, multinational companies (“MNCs”) doing business in China will have to follow a new set of guidelines to establish their official China-oriented “notice and consent” procedures, including those required for cross-border data transfer (“CBDT”).
That is because Chinese regulators have recently released the Implementation Guidelines for Notices and Consent in Personal Information Processing (the “Guidelines”). The Guidelines are non-binding technical standards but affiliated institutions of two key data privacy regulators, Cyberspace Administration of China (“CAC”) and the Ministry of Public Security (“MPS”), participated in the drafting. Thus, the Guidelines are likely to be relied upon by regulators when they interpret the applicable laws and regulations for enforcement purposes.
For MNCs unfamiliar with this new rule – or just needing to know more – here are the key points to consider as we approach the December 1 effective date.
What exactly do the Guidelines require?
In brief, the Guidelines specify when data controllers are required to provide notice and collect consent, what must be done for notice and consent to be valid, and set out recommendations for certain common business scenarios such as online shopping, internet financing, connecting apps with SDKs, and more.
How do the Guidelines impact MNCs’ data processing activities?
At a high level, MNCs’ China-related data processing activities can be divided into two buckets: (a) CBDT activities, the processing activities that leverage global IT infrastructure, for example, using a global HR system for employee profile management or a global CRM system to store and analyze client contact person information. On top of the Personal Information Protection Law (the “PIPL”), CBDT activities are governed by various CBDT regulations; and (b) PIPL activities, the domestic data processing activities, for example, operating a WeChat mini-app or Tmall store leveraging local infrastructure and vendors. PIPL activities are primarily governed by the PIPL.
The Guidelines will impact MNCs on both CBDT activities and PIPL activities.
Impacts on CBDT Activities
We highlight the following impacts of the Guidelines on CBDT activities:
(a) Separate Consent
Most CBDT activities would require separate consent from data subjects. The Guidelines make it clear that a data controller must disclose the following items to data subjects to obtain their separate consent: (i) the identity and contact information of the overseas recipient; (ii) the purpose and method of processing; (iii) the type of personal information to be transferred; (iv) the way to exercise their rights under the PIPL; (v) the retention period; and (vi) the country of storage. It is worth noting that the PIPL does not require disclosure of the retention period and country of storage, so the scope under the Guidelines is broader.
(b) Expanded Covered CBDT Activities
Under the previous rules issued by the CAC, covered CBDT activities were limited to (a) a controller-to-controller transfer; (b) remote access by overseas entities or individuals to in-China data; or (c) any other activities specified by the CAC.
The Guidelines have expanded the covered activities by adding in (a) a direct key-in, i.e., where a data subject provides his/her personal information directly to a foreign-based data controller, for example, keying in his/her data directly to a foreign website to book international airline tickets or overseas hotels; and (b) a controller-to-processor transfer, i.e., where a China-based controller transfers data to a foreign-based processor for data processing, for example, a Chinese company using a US-based SaaS service.
(c) Separate Consent for Direct Key-In
While scoping in direct key-in as a CBDT activity, the Guidelines provide that no separate consent is required for direct key-in if (a) the foreign recipient has published its privacy policy; and (b) there is affirmative action from the data subject, for example, by email, text message, service request or submission of an online form.
(d) Separate Consent for Controller-to-Processor Transfer
While scoping in controller-to-processor transfer as a CBDT activity, the Guidelines remain silent on whether a separate consent is required for controller-to-processor transfer but specify that regulators may formulate new regulations on this in the future.
(e) Business Segregation
The Guidelines encourage a data controller to separate its CBDT business from other businesses, if possible, to facilitate obtaining separate consent for CBDT and minimize the impact on the scope of services available if a data subject refuses to consent. This requirement, if interpreted strictly, implies that, for example, if an international hotel group uses one centralized reservation system for the reservation of both China domestic hotels and overseas hotels, it is encouraged to separate the reservation system for China domestic hotels from the system for overseas hotels. This way, declining a request for consent to CBDT will not render the customer unable to book a domestic hotel. As the Guidelines do not make the separation mandatory, how this plays out remains to be seen.
Impacts on PIPL Activities
For PIPL activities, the Guidelines provide detailed explanations of an extensive list of control points related to notice and consent and set out how notice and consent should be built for different business scenarios. We highlight the following:
- a. Expanded circumstances requiring notice: The Guidelines deem the generation of metadata and derived data to be data collection activities necessitating notice. For example, if a supermarket collects a customer’s behavior data, such as food preferences, to train an algorithm that predicts that the customer may be pregnant, targeted marketing based on such insights would require notice and consent from the customer. Corporate restructurings may trigger notice to data subjects when changes impact existing data processing activities, imposing additional covenants in M&A deals. Third-party access to a database through an SDK or API also necessitates notice and consent, calling for greater consideration in marketing campaigns.
- b. Roadmaps on how to build special control points: The Guidelines provide detailed instructions for building (i) separate consent; (ii) notice and consent for third-party transfer; (iii) notice and consent for minors under 14 years old; (iv) notice and consent for scenarios common for MNCs that include, among others, personalized marketing, use of domestic cloud services, online shopping; and (v) mechanisms to facilitate refusal of consent and withdrawal of consent and to retain the evidence of consent/withdrawal and for how long.
- c. Narrowed-down alternative lawful bases for data processing: The Guidelines outline specific criteria for the establishment of contractual necessity, statutory obligations, emergencies, media reporting and public information that could be leveraged as alternative lawful bases in lieu of consent. These granular provisions have further limited the data controller’s discretion to interpret these lawful bases as a walkaround to consent.
- d. Soft opt-in: In practice, obtaining consent for all processing activities may not be practical. The Guidelines appear to have taken this into account and set out a “soft opt-in” mechanism for reference. If a data subject is provided with a privacy notice or the scope of data processing activities is a matter of common sense (e.g., using a SIM card), the data subject does not have to opt out or take affirmative action to use the service; he or she will be deemed to have consented. However, this mechanism is not a panacea, as most data processing activities in China would require explicit consent, written consent or even separate consent in some cases. Unless there are specific use cases expressly endorsed by the regulators in published cases, the regulators are likely to take a more conservative approach to “soft opt-in” to avoid any circumvention. How this mechanism plays out remains to be seen.
In sum, these new requirements pose a challenge to how MNCs design their China-facing privacy policies and notice and consent interfaces, as the control points are far more granular than before, leaving companies less room to maneuver. Building a privacy compliance program as close as possible to the Guidelines will be critical to ensure a satisfactory defense against any regulatory enforcement or consumer complaints.
What happens on the effective date?
On December 1, 2023, all of the above requirements kick in, which means it is advisable for MNCs to have systems in place to ensure compliance with the Guidelines or risk enforcement by the CAC or MPS. MNCs may also be required to ramp up their notice and consent procedures in order to complete the CBDT security assessment and China SCCs filing.
In light of these impending changes, our recommendations on how to take steps and prepare for compliance with the Guidelines are:
- Applicability. MNCs should conduct a comprehensive assessment to ascertain whether any of their data processing scenarios may trigger obligations or control points under the Guidelines. This includes maintaining a laundry list of scenarios where separate consent may be triggered but has not yet been built.
- Data Inventory. MNCs should understand what data they are collecting and where it lives, while also strategizing on how to minimize data collection, if possible. We believe, at this stage, many MNCs have already completed data inventories in connection with their CBDT. Nevertheless, it is crucial to also scrutinize domestic data processing activities for PIPL compliance.
- Consumer-facing Updates. MNCs should review their China-facing privacy policies and notice and consent interfaces to ensure they are up to date, and that entities are prepared to operationalize and put into effect the procedures for consumers to exercise their privacy rights under the Guidelines (e.g., consent withdrawal).
- Internal Updates. MNCs should review and update their vendor contracts to address requirements under the Guidelines and conduct employee training to minimize enforcement risks. MNCs should also ramp up their privacy impact assessment (“PIA”) protocols to capture these new requirements on notice and consent.