On October 21, 2020, China released the first draft of the Personal Information Protection Law (hereinafter the "PIPL" or "Draft") for public comment. The PIPL is regarded as the "Chinese GDPR" and is widely believed to have significant influence on the development of many industries, especially digital business. To help multinational corporations better understand the PIPL and prepare for the coming new era of data protection in China, we will prepare 15 thematic articles on various topics to guide compliance under the PIPL from a practical perspective.

Cross-border transfer of personal information has always been a great concern for companies operating in China, especially multinationals. At the current stage, personal information can be transferred outside of China upon the data subject's informed consent. Meanwhile, Article 37 of the Cybersecurity Law of China imposes data localization and data export security assessment requirements on critical information infrastructure operators ("CIIOs"); the draft of its implementing provisions [1] expands these requirements to apply to all network operators, rather than only to CIIOs. However, because the rules on CIIO identification and security assessment have not yet been finalized, companies are usually confused about China's approach to cross-border transfer of personal information.

The Draft, for the first time, clarifies the conditions to be met for the cross-border transfer of personal information, which are to some extent similar to those under the GDPR. Hopefully, supported by the law's implementing provisions, entities will have a clear understanding of how to legally transfer data overseas from China in the future.

I. Rules for Cross-border Transfer of Personal Information under the PIPL

According to the Draft, transferring personal information outside the territory of China shall meet three necessary conditions, namely (1) obtaining the personal information subject's separate informed consent; (2) conducting a risk assessment and making a record; and (3) satisfying one of the four special conditions, as shown in the chart below.

[Chart: the three conditions for cross-border transfer of personal information]

A. Separate Consent

The Draft stipulates that where a personal information controller provides personal information of an individual to a party outside the territory of China, it shall obtain the individual's "separate consent", provided that the individual has been informed of such matters as the identity of the overseas recipient, contact information, purpose and method of processing, type of personal information and the way for the individual to exercise the rights against the overseas recipient.

This "separate consent" is expected to be further clarified in the future. For now, it is understood to require that consent be obtained separately for a specific matter, so that a package consent covering all the processing purposes will not be allowed.

B. Risk Assessment

As we have discussed in Topic Nine, the Draft requires personal information controllers to assess in advance the risks of certain processing activities that include providing personal information to overseas parties, and to keep a record of the processing. Specifically, the risk assessment shall include (1) the legitimacy, justifiability and necessity of the purpose and method of processing personal information; (2) the impact on individuals and the degree of risks; and (3) whether the security protection measures taken are legitimate, effective and appropriate to the degree of risks. In addition, the risk assessment report and processing record shall be kept for at least three years according to the Draft.

C. Special Conditions

Apart from separate consent and risk assessment, the Draft also provides that when transferring personal information outside the territory of China, at least one of the following conditions shall be met.

  • The first is to pass the security assessment organized by the State cyberspace administration. This requirement is in line with Article 37 of the Cybersecurity Law of China mentioned above, and expands the latter's application from CIIOs alone to CIIOs as well as personal information controllers whose processing of personal information reaches a certain amount to be prescribed by the relevant authority. China issued the Measures for the Security Assessment on the Cross-border Transfer of Personal Information (Draft for Comments) in 2019, but it is expected that the final version of the measures for security assessment will be released after the approval of the PIPL.
  • The second is to be certified by a specialized agency in respect of personal information protection. However, the Draft does not further explain what such a certification is or how to obtain it, so this remains to be clarified by the law and its supporting rules in the future.
  • The third is to conclude a contract with the overseas recipient specifying the rights and obligations of both parties, and to supervise the recipient's processing of personal information to ensure that it meets the standards for protection of personal information prescribed under the PIPL. The second draft of the PIPL further makes it clear that such a contract will be a standard contract formulated by the State cybersecurity and information department, which is expected to be similar to the standard contractual clauses (SCCs) under EU law.
  • The fourth is to meet other conditions prescribed by laws, administrative regulations or the State cyberspace administration. This catch-all clause leaves space for other specific conditions on cross-border transfer of personal information; for example, the Administrative Regulations on Human Genetic Resources require the approval of the Ministry of Science and Technology to be obtained in advance when transferring human genetic resources abroad.

II. Personal Information Export for International Judicial/Enforcement Assistance

As provided by the International Criminal Judicial Assistance Law of China, without the consent of the competent authority of China, foreign entities/individuals shall not conduct criminal proceedings within the territory of China, and entities/individuals in China shall not provide evidence materials or assistance either. The Draft, from the perspective of personal information protection, follows this provision by stipulating that when a judicial or enforcement authority from outside the territory of China requests the provision of personal information stored within the territory, it shall not be provided without the approval of the competent authority.

III. "Blacklist" for Cross-border Transfer of Personal Information

As a countermeasure against the malicious processing activities conducted by overseas entities and individuals, the Draft prescribes that for any overseas organization or individual whose personal information processing activities damage the personal information rights and interests of citizens of China, or endanger the national security or public interests of China, the State cyberspace administration may include such overseas organization or individual in the list of restricted or prohibited provision of personal information, announce the same, and take measures such as restricting or prohibiting provision of personal information to such overseas organization or individual.

Meanwhile, according to the Draft, where any country or region takes discriminatory prohibitive, restrictive or other similar measures against China in respect of the protection of personal information, China may take corresponding measures against such country or region as the case may be.

IV. Other Observations

The Draft has shown a clear picture of the requirements on cross-border transfer of personal information, though specific rules of implementation, such as those for security assessment and certification, remain to be laid down by follow-up laws and regulations. As such, companies operating in China could determine the conditions to be met according to their own circumstances. It is worth noting that, in addition to the PIPL, companies in certain special industries shall also comply with sectoral requirements. For example, as mentioned above, human genetic resources can only be transferred outside of China upon the relevant authority's approval.

Footnote

1. Namely the Measures for the Security Assessment on the Cross-border Transfer of Personal Information and Important Data (Draft for Comments) released on April 11, 2017; and the Measures for the Security Assessment on the Cross-border Transfer of Personal Information (Draft for Comments) released on June 13, 2019, by the Cyberspace Administration of China.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.