Multinational companies often encounter questions regarding if and when they can transfer personal information1 across borders. The People's Republic of China's Personal Information Protection Law (PIPL) adds new considerations for these inquiries2, such as:

  • Can employers in the China store their Chinese employees' personal information on databases hosted in foreign jurisdictions?
  • Can US-based companies collect Chinese users' personal information to be analyzed on their servers located in the US?
  • Can companies that are compliant with the European Union's General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) transfer personal information beyond the borders of China without taking additional action?

Although the PIPL went into effect in November 2021, numerous elements need to be defined due to the abstract nature of its regulations. This cross-border data transfers blog series intends to shed light on a few of these ambiguities in the coming weeks in three separate blog posts.

  • Part 1: An overview of the respective data transfer mechanisms under the PIPL and the GDPR.
  • Part 2: Highlights of the compliance obligations on cross-border transfers of personal information under the PIPL and the GDPR.
  • Part 3: Insight into the localization requirements and restrictions on responding to requests of foreign judicial or enforcement agencies under the PIPL.

Comparing the three laws

The PIPL parallels the GDPR in various aspects when it comes to cross-border data transfers, but differences still exist in the details. Both laws require a transfer mechanism for organizations to transfer personal information to a third country or an international organization, with the PIPL providing fewer transfer mechanisms. Additionally, the PIPL imposes different cross-border data transfer restrictions based on the status of organizations – i.e., whether the organization transferring personal information overseas is deemed as an operator of critical information infrastructure3 – and the amount of personal information processed by organizations.

Meanwhile, the CCPA, which is a state law, doesn't regulate the transfer of personal information across international borders, but does overlap and possibly conflict with certain PIPL and GDPR cross-border transfer restrictions.4 For instance, the CCPA, as amended by the California Privacy Rights Act ("CPRA"), will soon require companies that hold personal data to meet some of the same contractual obligations as required under the GDPR and PIPL, including contractual addendums between a "business" and its "service providers" (as those terms are defined under the CPRA) that:

  • Specify the limited purpose for the sharing or disclosure of personal information.
  • Obligate the third-party recipients to the same level of privacy protection as the CCPA.5  

In practice, multinational companies subject to both the CCPA and the PIPL may want to consider using existing CCPA addendums as a starting point when meeting contractual requirements for cross-border data transfers under the PIPL.

Part 1: Cross-Border Data Transfer Mechanisms in PIPL and GDPR

One of the most important requirements in the cross-border data transfer frameworks established under the Personal Information Protection Law of the People's Republic of China (PIPL) is that personal information processors6 may transfer the personal information of an individual (not necessarily a Chinese citizen) located within China overseas only if they can base the transfer on a lawful transfer mechanism pursuant to which the cross-border data transfer is being performed.7

Under European Union's General Data Protection Regulation (GDPR), similar principles apply. The GDPR intends to ensure that the transfer of such personal information from the European Union to controllers and processors in third countries – defined as any country outside the European Economic Area (EEA) – don't undermine the level of protection of the individuals concerned.

In the following table, we matched the transfer-mechanisms under Article 38 of the PIPL with those put forward in Chapter V of the GDPR. As noted below, in addition to the transfer mechanisms requirement, the PIPL and the GDPR impose other compliance obligations on organizations transferring personal information overseas, which we examine in the next blog post of this series.

Comparison table of cross-border data transfer mechanisms8

PIPL GDPR
Security assessment administered by government authority
Critical information infrastructure operators and personal information processors processing personal information reaching the threshold provided by the Cyberspace Administration of China (CAC) must locally store personal information collected and generated within China. Where they need to provide the data abroad, they must pass a security assessment administered by the CAC.9

 

On October 29, 2021, the CAC released the draft Security Assessment Measures for Cross-Border Data Transfer (Draft Security Assessment Measures) for public comments, which provide further clarity on the scope, criteria and process for carrying out a security assessment.10 Under the Draft Security Assessment Measures, a security assessment for the cross-border transfer of personal information will be triggered if:

  • Critical information infrastructure operators transfer personal information outside of China.
  • The personal information processor has processed personal information of more than 1 million individuals.
  • The personal information processor has cumulatively transferred personal information of more than 100,000 individuals or has cumulatively transferred sensitive personal information of more than 10,000 individuals.11
No similar requirements exist under GDPR.

 

However, the EU is in the process of updating its rules on cybersecurity for critical infrastructure (e.g., the NIS 2 Directive), but it doesn't envision any state-sponsored security assessment.

International agreements and adequacy decisions
Where treaties or international agreements that China has concluded or acceded to contain relevant provisions, such as conditions on providing personal information outside China's borders, those provisions may be carried out.12

 

As of the date of this post, we're not aware that China has entered into any international treaty or agreement, to which China is a party, for personal information processors to rely on.13

Where the European Commission has decided that a third country or an international organization ensures an adequate level of data protection to data subjects in the EEA, it issues an "adequacy decision."14
Certification
A personal information processor that truly needs to transfer personal information outside China for business's sake or other reasons, may do so after obtaining personal information protection certification from professional institutions in accordance with the rules adopted by the CAC.15

 

Thus far, the CAC has not accredited any professional institutions for the purpose of issuing personal information protection certification, and the rules according to which certifications may be issued haven't been adopted.

Certification mechanisms may be developed to demonstrate the existence of appropriate safeguards provided by data importers, with organizations making binding and enforceable commitments to apply the safeguards, including provisions for data subject rights.

 

As of now, certification mechanisms are rarely used in the data transfer context.

Standard model clauses

Also, a personal information processor that truly needs to transfer personal information outside China for business's sake or other reasons, may do so after entering into a contract with overseas recipients of the personal information based on a standard contract to be released by the CAC.16

The CAC is still in the process of formulating the standard contract, and the first draft is expected to be released for public comments soon.

Although the details of the standard contract remain unclear, the Draft Security Assessment Measures indicate the key provisions that may be adopted under the standard contract17 – namely, the contract between the personal information processors transferring personal information outside of China and the overseas recipient must include provisions on data protection obligations of the parties, including but not limited to:

  • The purposes for and means of the transfer, the scope of personal information to be transferred, and the purposes and means of the processing activities of the overseas recipient.
  • The location and period of retention outside of China, and the measures to be adopted after the retention period or the contract term expires, or the processing purposes are fulfilled.
  • Restrictions on the overseas recipients' onward transfers of the personal information to other organizations or individuals.
  • Security measures to be taken by the overseas recipient in the event of a material change in its actual control or business scope, or a change of the legal environment of the country or region in which the overseas recipient is located, so that data security can no longer be assured.
  • Liability for breach of security obligations, and binding and enforceable dispute resolution clauses.
  • In the event of a data breach or other risks, the parties must properly implement emergency response measures, and must ensure that convenient means are available for individuals to safeguard their personal information rights and interests.
Often the most relevant and appropriate safeguard for many organizations, standard contractual clauses (SCCs)18 are model data protection clauses that have been approved by the European Commission and enable the free flow of personal information when embedded in a contract. The clauses contain contractual obligations on the data exporter and the data importer. Insofar as rights are provided for individuals, individuals can directly enforce those rights against the data importer and the data exporter.
Binding corporate rules
N/A Binding corporate rules may be used to form a legally binding internal code of conduct operating within a multinational group that applies to transfers of personal information from the group's EEA entities to the group's non-EEA entities, which are approved by the competent data protection authority.
Other transfer mechanisms
A personal information processor that truly needs to transfer personal information outside China for business's sake or other reasons, may also do so after meeting other transfer mechanisms as provided by laws, regulations or rules promulgated by the CAC.19 It is also possible to implement codes of conduct. However, in practice, there hasn't been widespread adoption in the data transfer context.

 

Only in the absence of all the above transfer mechanisms does the GDPR allow for derogations – which permit transfers in specific situations, such as where consent is obtained, for the performance or conclusion of a contract, for the exercise of legal claims, to protect the vital interests of a data subject who can't give consent, or for important reasons of public interest.


As discussed above, although the PIPL has established a general framework governing the cross-border transfer of personal information, a number of implementing rules are pending finalization. It remains to be seen whether the practices required under the PIPL will follow the European approach of primarily utilizing model clauses for cross-border data transfers. And even if the Chinese government has taken steps to implement the general framework established under the PIPL by publishing the draft version of certain implementing rules (e.g., the Draft Security Assessment Measures), some requirements under these draft rules are still unclear and require further interpretation. Therefore, multinational companies are advised to keep monitoring the developments closely.

There are different approaches to managing the uncertainties under China's cross-border data transfer framework, including preparing data transfer agreements based on the European SCCs as a template and adding missing provisions as required under the Draft Security Assessment Measures. While these steps could establish a record of good faith efforts toward compliance with the PIPL, such agreements likely will need to be replaced by the standard contract to be released by the CAC.

In addition, to assess whether a mandatory security assessment conducted by the CAC will be required, multinational companies may want to consider developing a data inventory to understand the amount of personal information they process and transfer overseas, and then evaluate whether the proposed threshold triggering a mandatory security assessment has been met.

Footnotes

1.  The definition of "personal information" under Article 4 of the PIPL is similar to that of "personal data" under Article 4(1) GDPR.

2.  China's Cybersecurity Law and Data Security Law have also established a framework governing the cross-border transfer of non-personal information (i.e., "important data"), but the precise scope of "important data" remains undefined. For this blog series, we only discuss the requirements for cross-border transfer of personal information.

3.  Under the Regulation on Protection of the Security of Critical Information Infrastructure, "critical information infrastructure" is defined as important network facilities, information systems, etc. in important industries and fields such as public communications and information services, energy, transportation, water, finance, public services, electronic government affairs and national defense technologies, and others which, in the event of damage thereto, loss of function thereof or leak of data therefrom, could seriously jeopardize national security, national economy and people's livelihoods, or the public interest.

4.  Other US states have also enacted privacy laws, none of which contain restrictions on cross-border data transfers.

5.  CPRA Section 1798.100(d).

6.  Under the PIPL, "personal information processors" are akin to "controllers," and "entrusted parties" are like "processors" under the GDPR.

7.  Localization requirements under PIPL Article 40 further limit the transfer mechanisms that can be utilized by certain type of personal information processors. We discuss such requirements in detail in the third blog post of this series.

8.  Because the CCPA doesn't regulate the transfer of personal information across international borders, this table doesn't discuss the CCPA.

9.  PIPL Article 40.

10.  Because the GDPR doesn't contain any parallel rules, the details of the security assessment criteria and process established under the draft Security Assessment Measures for Cross-Border Data Transfer aren't specified here.

11.  Draft Security Assessment Measures for Cross-Border Data Transfer  Article 4.

12.  PIPL Article 38.

13.  On November 1, 2021, China officially applied to join the international Digital Economy Partnership Agreement, which promotes collaboration in upgrading digital trade around the world.

14.  Article 45 GDPR.

15.  PIPL Article 38(2).

16.  PIPL Article 38(3).

17.  Draft Security Assessment Measures for Cross-Border Data Transfer  Article 9.

18.  There are currently four sets of standard contractual clauses.

19.  PIPL Article 38.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.