Inform data subjects of the name and contact information of overseas recipients, the processing purposes and means, the types of personal information to be transferred overseas, and the means and procedures for data subjects to exercise their rights under the PIPL against the overseas recipients. [3]

First stage: Basic principles of the GDPR must always be observed when personal information is processed (regardless of a transfer to a third country).

Second stage: Only in the case of a cross-border data transfer to a third country must organizations ensure that one of the described transfer mechanisms (adequacy decision, appropriate safeguards or derogations for specific situations) is applicable.

As such, in the second stage, data subjects' consent must be obtained for cross-border data transfers only when organizations cannot base the transfer on an adequacy decision or appropriate safeguards and must instead rely on consent as a derogation for specific situations.

Conduct an internal personal information protection impact assessment [5] prior to the cross-border transfer of personal information (an ex-ante self-assessment similar to the Data Protection Impact Assessment under the GDPR), and keep the assessment reports and the records of the processing activities for at least three years. [6] The PIPL requires personal information processors to assess the following factors when conducting the personal information protection impact assessment:

Whether the processing purposes and means are lawful, legitimate and necessary.

Impacts and security risks on the rights and interests of individuals.

Whether the security measures adopted are lawful, effective and proportionate to the risk exposure. [7]

However, the PIPL does not provide further details on how personal information processors must carry out the above personal information protection impact assessment in practice. China published a non-legally binding national standard (GB/T 39335-2020, Information Security Technology - Guidance for Personal Information Security Impact Assessment [8]), which provides detailed practical guidance on the above security assessment. However, considering that the national standard was released before the enactment of the PIPL and includes a specific carve-out for cross-border transfers of personal information, the national standard may only serve as a reference.

The October 2021 release of the draft Security Assessment Measures for Cross-Border Data Transfer (Draft Security Assessment Measures) further complicates the above analysis. Under the Draft Security Assessment Measures, all personal information processors, regardless of whether they are subject to the mandatory security assessment administered by the Cyberspace Administration of China (CAC), must carry out a "self-assessment" prior to their cross-border transfer of personal information. [9] This requirement appears to overlap with the personal information protection impact assessment required under Article 55 of the PIPL, but the Draft Security Assessment Measures are silent on how these potentially overlapping requirements may be reconciled. Under the Draft Security Assessment Measures, when conducting the self-assessment, the following factors shall be assessed:

The lawfulness, legitimacy and necessity of the purpose, scope and means of the cross-border transfer and of the processing activities by overseas recipients.

The amount, scope, types and sensitivity of the data to be transferred, and the risks of the transfer posed to national security, public interest and legitimate rights and interests of individuals or organizations.

Whether the organizational and technical measures and capability of the personal information processor can prevent data leakage and destruction at the data transmission stage.

Whether the obligations and responsibilities assumed by overseas recipients and the corresponding organizational and technical measures and capability of overseas recipients to perform the undertakings could ensure the security of the data transferred outside China.

The risks of leakage, destruction, distortion or abuse after the data is transferred overseas and onward transferred, and whether convenient channels are available for individuals to exercise their personal information rights.

Whether the contract between the personal information processor and the overseas recipient has sufficiently specified the obligations and responsibilities with respect to data security. [10]