As explained in our previous blog post, in addition to the requirements for adopting a cross-border transfer mechanism, China's Personal Information Protection Law (PIPL) and the European Union's General Data Protection Regulation (GDPR) set out further compliance obligations on the cross-border transfer of personal information.1
Before controllers (under the GDPR) or personal information processors (under the PIPL) in China can initiate cross-border data transfers across its borders, certain requirements generally must be satisfied regardless of the transfer mechanism and the status of the personal information processors - e.g., whether or not the personal information processors are operators of critical information infrastructure or process a "large amount" of personal information.
As a general requirement, the PIPL mandates that all personal information processors take necessary measures to ensure that the personal information processing activities of overseas recipients meet the level of protection on personal information protection set forth under the PIPL.2 In practice, imposing contractual obligations on data importers regarding how they must process the received personal information, and including an audit right for data exporters, are common ways of discharging the obligation referenced in the preceding sentence, based on our observations.
Comparison table of relevant compliance requirements for personal information processors under the PIPL and controllers under the GDPR
Inform data subjects of the name and contact information of overseas recipients, processing purposes and means, the types of personal information to be transferred overseas, and the means and procedures for data subjects to exercise their rights under the PIPL against the overseas recipients.3
Inform data subjects pursuant to Articles 13 and 14 of the GDPR, which include information such as:
Obtain separate consent from the data subjects.4
The GDPR provides for a two-stage approach to personal information "processing," in contrast to third-country personal information "transfer."
First stage: Basic principles of the GDPR must always be observed when personal information is processed (regardless of a transfer to a third country).
Second stage: Only in the case of a cross-border data transfer to a third country must organizations ensure that one of the described transfer mechanisms (adequacy decision, appropriate safeguards or derogations for specific situations) is applicable.
As such, in the second stage, data subjects' consent must be obtained for cross-border data transfers only when organizations can't base the transfer on an adequacy decision or appropriate safeguards but must use consent as a derogation for specific circumstances.
Conduct an internal personal information protection impact assessment5 prior to the cross-border transfer of personal information (an ex-ante self-assessment similar to the Data Protection Impact Assessment under the GDPR), and keep the assessment reports and the records of the processing activities for at least three years.6
The PIPL requires personal information processors to assess the following factors when conducting the personal information protection impact assessment:
However, the PIPL doesn't provide further details on how personal information processors must carry out the above personal information protection impact assessment in practice. China published a non-legally binding national standard (the GB/T 39335 - 2020 Information Security Technology - Guidance for Personal Information Security Impact Assessment8), which provides detailed practical guidance on the above security assessment. However, considering that the national standard was released before the enactment of the PIPL and includes a specific carve out for cross-border transfer of personal information, the national standard may only serve as a reference.
The October 2021 release of the draft Security Assessment Measures for Cross-Border Data Transfer (Draft Security Assessment Measures) further complicates the above analysis. Under the draft security review measures, all personal information processors, regardless whether they are subject to the mandatory security assessment administered by the Cyberspace Administration of China (CAC), must carry out a "self-assessment" prior to their cross-border transfer of personal information.9 This requirement appears to overlap with the personal information protection impact assessment required under Article 55 of the PIPL, but the Draft Security Assessment Measures are silent on how these potential overlapping requirements may be reconciled.
Under the Draft Security Assessment Measures, when conducting the self-assessment, the following factors shall be assessed:
Under the GDPR, if the transfer is based on appropriate safeguards - for example, standard contract clauses (SCCs) - data exporters and data importers must also take into account the Schrems II judgment, where the Court of Justice of the European Union found that data exporters do need to perform an assessment of the third country to which they are transferring the information to determine if they provide a level of protection essentially equivalent to that guaranteed in the EU. If there are issues with the level of protection, the data exporter will need to establish if there are supplementary measures that can be applied along with the SCCs to maintain the level of protection.11 If this isn't possible, the data exporter will need to suspend or end the transfer.
Thus, similar to the ex-ante self-assessment under the PIPL, European organizations must conduct a data transfer impact assessment (DTIA) before they can use SCCs to transfer information to a third country. This requires organizations to conduct a case-by-case assessment and, at a minimum, consider the following:
DTIAs require a more comprehensive and flexible risk assessment rather than narrowly focusing on the third country's data protection laws, and they need to be monitored on an ongoing basis and updated in light of any changes in the laws of the third country. Thus, organizations must dedicate even more resources to GDPR compliance and their data transfer mapping.
|Blacklist of foreign organizations and individuals, and countermeasures against other countries|
Under the PIPL, should any foreign organizations or individuals conduct personal information processing activities "infringing Chinese citizens' rights and interests related to personal information," or "endangering China's national security or public interest," the CAC may place such foreign organizations or individuals on a publicly available list - and take measures to restrict or prohibit personal information processors from transferring personal information to them.12 Therefore, before transferring personal information to recipients outside of China, personal information processors must ensure that the overseas recipients aren't on the "blacklist" issued by the CAC. (So far, the CAC hasn't published such a list.)
Moreover, should any countries or regions act in a discriminatory or restrictive manner against China with respect to personal information protection, the PIPL states that China may take "corresponding measures" against such countries or regions. It is unclear how the Chinese government plans to enforce such a provision.
As the final installment in this series, our next blog post discusses the localization requirements and restrictions on responding to requests of foreign judicial and enforcement agencies under the PIPL.
1 Because the CCPA doesn't regulate the transfer of personal information across international borders, this post doesn't discuss the CCPA.
2 PIPL Article 38.
3 PIPL Article 39.
4 Id. We've also seen a different interpretation, which is that separate consent isn't required. In that interpretation, Article 13 of the PIPL indicates that if a company relies on a non-consent basis for processing certain personal information (e.g., relying on "necessary for the performance of contract" as a lawful basis), it doesn't need to obtain a separate consent before transferring such personal information overseas.
5 Under Article 55 of the PIPL, an internal personal information protection impact assessment will be triggered under the following circumstances: (i) processing sensitive personal information; (ii) processing personal information for automated decision making; (iii) entrusting vendors to process personal information, sharing personal information with other personal information processors or publicly disclosing personal information; (iv) transferring personal information outside of China; and (v) other processing activities that may result in significant impact on the rights and interests of individuals.
6 PIPL Articles 55 and 56.
7 PIPL Article 56.
8 Published on November 19, 2020, and effective June 1, 2021, this guidance from China's State Administration for Market Regulation and Standardization Administration specified that the assessment for the cross-border transfers must refer to other guidance specifically for such situations.
9 Draft Security Assessment Measures for Cross-Border Data Transfer Article 5.
11 The European Data Protection Board has produced draft recommendations on supplementary measures, which may assist data controllers and processors.
12 PIPL Article 42.
13 PIPL Article 43.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.