China’s Personal Information Protection Law (PIPL) imposes strict rules for transferring personal information out of mainland China (“cross-border transfers”) that may be even more stringent than those contained in the EU’s General Data Protection Regulation (GDPR).
The PIPL, which passed on 20 August 2021 and comes into force on 1 November 2021, requires covered entities to comply with one of four transfer mechanisms, ensure essentially equivalent processing by the importer, provide notice and obtain consent.
The PIPL cannot be read in isolation and requires reference to other Chinese laws, such as the Cybersecurity Law, Data Security Law, and Critical Information Infrastructure Security Regulations.
This article will take an in-depth look at the PIPL’s cross-border transfer rules.
Before We Start…
This article draws from Google’s automated translation of the published PIPL and DigiChina’s translation of the law where appropriate. Where there is significant ambiguity, the original Chinese characters will be provided.
I’ll be referring throughout to “personal information processors” (“PIPs”): the primary type of entity covered by the PIPL (called “personal information handlers” under some translations). PIPs can be considered akin to “controllers” under the GDPR.
The Cyberspace Administration of China (CAC) is China’s central internet regulator, responsible for enforcing the PIPL, among other functions. The CAC is the executive arm of China’s Central Cyberspace Affairs Commission.
Overview of the PIPL’s Cross-Border Transfer Rules
The PIPL sets out its rules for cross-border transfers throughout Chapter III, starting at Article 38.
Essentially, PIPs have four mechanisms available for transferring personal information out of China, examined below, with additional obligations to consider on top.
Article 38 also stipulates that PIPs must take “necessary measures” to ensure that the processing of personal information by overseas recipients meets the personal information protection standards stipulated in the PIPL.
It’s not clear whether compliance with one of the above four mechanisms will in itself constitute a “necessary measure” to ensure equivalent processing standards, other whether such measures should be taken in addition to implementing a cross-border transfer mechanism.
Finally, Article 39 requires PIPs to provide certain information to—and obtain consent from—individuals whose personal data is subject to a cross-border transfer.
The PIPL also notes that China may enter into international treaties that provide different requirements to those identified in Chapter III, in which case PIPs can rely on those provisions instead.
These international treaties could develop into a scheme similar to the EU’s “adequacy” process, where personal data can flow freely to third countries with “essentially equivalent” data protection standards to the EU’s.
Four Mechanisms for Cross-Border Transfers
As mentioned, the PIPL provides four cross-border transfer mechanisms.
PIPs may only transfer personal information out of mainland China if they meet one of the following conditions:
- Passing a CAC security assessment
- Undergoing personal information protection certification by a professional body under CAC regulations
- Entering into a standardised contract, formulated by the CAC, between the data exporter and importer, which sets out the rights and obligations of both parties
- Complying with conditions provided in other laws and regulations or by the CAC
Now let’s take a closer look at the first three of these cross-border transfer mechanisms (the fourth appears to be a ”catch-all” provision)
Security Assessment
Certain types of PIPs, including “CII operators” and “PIPs processing large amounts of personal information” (more information below), must only engage in a cross-border transfer if they undertake a “security assessment.”
The PIPL doesn’t provide any detail about the security assessment, except that it will be organised by the CAC.
China already imposes a rigorous and comprehensive cybersecurity review program for entities covered by its Data Security Law, which passed on 10 June 2021.
Certification
The PIPL does not provide any detail regarding the “certification” cross-border transfer mechanism. The certification process may resemble the MLPS certification process under China’s Multi-Level Protection Scheme.
Article 46 (2) (f) of the GDPR also recognises certification by an accredited body as an international data transfer mechanism.
Standardised Contract
PIPs may transfer personal information outside of mainland China pursuant to a standardised contract formulated by the CAC.
The PIPL does not provide any detail on the “standardised contract” mechanism, except that the contract must set out the rights and obligations of both parties.
This cross-border transfer mechanism is similar to the GDPR’s “standard contractual clauses” (SCCs), which are drawn up by the European Commission to be inserted into contracts between EEA-based data exporters and third-country-based data importers.
Recall that the PIPL also requires that exported data is processed to the standards of the PIPL. This provision is reminiscent of the EU’s requirement that data exporters apply any “supplementary measures” necessary to protect personal data transferred under SCCs.
Notice and Consent
Under Article 39 of the PIPL, PIPs must provide certain information to individuals before transferring their personal information overseas.
PIPs must provide the following to an individual before engaging in a cross-border transfer of their personal information:
- The name of the overseas recipient and their contact information
- The purpose of the processing
- The processing method
- The types of personal information to be transferred to the overseas recipient
- The procedures for exercising the individual’s PIPL rights
PIPs must also obtain the individual’s “individual consent” (的单独同意, sometimes translated as “separate consent”).
The PIPL’s rules on consent are set out at Articles 14-16. The PIPL’s definition of consent appears to be relatively strong, much like that contained in the GDPR.
Rules for “CII Operators” and PIPs Processing Large Amounts of Personal Information
By default, under Article 40 of the PIPL, special cross-border transfer rules apply to the following types of PIP:
- Operators of critical information infrastructure (“CII operators”)
- PIPs processing large amounts of personal information
These types of PIPs must not transfer personal information out of mainland China unless they “really need to” (Google’s translation of 确需向). Before engaging in a cross-border transfer, these types of PIPs must undertake a security assessment (see above).
Other laws and regulations, or the CAC, may provide that the security assessment is unnecessary, in which case it will not need to be undertaken.
It’s not clear whether other types of PIPs can voluntarily undertake a security assessment in order to facilitate a cross-border transfer.
Operators of Critical Information Infrastructure (“CII Operators”)
“CII operator” is not defined in the PIPL. But the term “critical information infrastructure (CII)” is defined in China’s Cybersecurity Law and its associated CII Security Regulation [Chinese].
These laws define CII as “important industries and fields” where damage, loss of function, or data leakage may result in risks to national security, national welfare, the people’s livelihood, or the public interest, including:
- Public communication and information services
- Energy
- Transportation
- Water conservancy
- Finance
- Public services
- e-government
- National defence
- Science and technology
The Cybersecurity Law already obliges CII operators to conduct a security assessment before transferring personal information outside mainland China.
PIPs Processing Large Amounts of Personal Information
PIPs processing more than a particular amount of personal information, to be determined by the CAC.
The threshold is actually not described as “large” in the PIPL but is instead defined as an amount of personal information to be prescribed by the CAC. This threshold is not specified in the PIPL.
State Agencies
Article 37 requires certain state-connected organisations to undertake a risk assessment before transferring personal information outside of mainland China.
The “risk assessment” provision applies to “organisations authorised by laws and regulations to manage public affairs to process personal information in order to perform statutory duties.”
This provision appears to apply more broadly than some of the PIPL’s other provisions, which apply specifically to state agencies (or “state organs,” 国家机关). Therefore, some private businesses may be required to comply with this cross-border transfer rule.
Summary
Before undertaking a cross-border transfer of personal information under the PIPL, the data exporter must:
- Comply with one of the four cross-border transfer mechanisms:
-
Security assessment (mandatory for certain types of PIPs)
-
Certification
-
Standardised contract
-
Complying with other laws or regulations
-
-
Ensure that the personal information will be processed in accordance with the PIPL by the data importer
-
Provide information about the cross-border transfer to the affected individual
-
Obtain the individual’s consent
China’s PIPL at PrivSec Global
PrivSec Global is the biggest data protection, privacy, and security conference on the planet, bringing together subject matter experts, industry leaders and academics from around the world for two days of up-to-the-minute content, advice and guidance.
We’re planning a session on China’s PIPL to help delegates understand the full implications of this vitally important data protection law.
No comments yet