Multinational companies often encounter questions regarding if and when they can transfer personal information[1] across borders. The People’s Republic of China’s Personal Information Protection Law (PIPL) adds new considerations for these inquiries[2], such as:
- Can employers in China store their Chinese employees’ personal information on databases hosted in foreign jurisdictions?
- Can US-based companies collect Chinese users’ personal information to be analyzed on their servers located in the US?
- Can companies that are compliant with the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) transfer personal information beyond the borders of China without taking additional action?
Although the PIPL went into effect in November 2021, numerous elements need to be defined due to the abstract nature of its regulations. This cross-border data transfers blog series intends to shed light on a few of these ambiguities in the coming weeks in three separate blog posts.
- Part 1: An overview of the respective data transfer mechanisms under the PIPL and the GDPR.
- Part 2: Highlights of the compliance obligations on cross-border transfers of personal information under the PIPL and the GDPR.
- Part 3: Insight into the localization requirements and restrictions on responding to requests of foreign judicial or enforcement agencies under the PIPL.
Comparing the three laws
The PIPL parallels the GDPR in various aspects when it comes to cross-border data transfers, but differences still exist in the details. Both laws require a transfer mechanism for organizations to transfer personal information to a third country or an international organization, with the PIPL providing fewer transfer mechanisms. Additionally, the PIPL imposes different cross-border data transfer restrictions based on the status of organizations – i.e., whether the organization transferring personal information overseas is deemed an operator of critical information infrastructure[3] – and on the amount of personal information processed by organizations.
Meanwhile, the CCPA, which is a state law, doesn’t regulate the transfer of personal information across international borders, but does overlap and possibly conflict with certain PIPL and GDPR cross-border transfer restrictions.[4] For instance, the CCPA requires companies that hold personal data to meet some of the same contractual obligations as required under the GDPR and PIPL, including contractual addendums between a “business” and its “service providers” (as those terms are defined under the CCPA) that:
- Specify the limited purpose for the sharing or disclosure of personal information.
- Obligate the third-party recipients to the same level of privacy protection as the CCPA.[5]
In practice, multinational companies subject to both the CCPA and the PIPL may want to consider using existing CCPA addendums as a starting point when meeting contractual requirements for cross-border data transfers under the PIPL.
Part 1: Cross-Border Data Transfer Mechanisms in PIPL and GDPR
One of the most important requirements in the cross-border data transfer frameworks established under the Personal Information Protection Law of the People’s Republic of China (PIPL) is that personal information processors[6] may transfer the personal information of an individual (not necessarily a Chinese citizen) located within China overseas only if they can base the transfer on a lawful transfer mechanism pursuant to which the cross-border data transfer is being performed.[7]
Under the European Union’s General Data Protection Regulation (GDPR), similar principles apply. The GDPR intends to ensure that the transfer of such personal information from the European Union to controllers and processors in third countries – defined as any country outside the European Economic Area (EEA) – doesn’t undermine the level of protection of the individuals concerned.
In the following table, we matched the transfer mechanisms under Article 38 of the PIPL with those put forward in Chapter V of the GDPR. As noted below, in addition to the transfer mechanism requirement, the PIPL and the GDPR impose other compliance obligations on organizations transferring personal information overseas, which we examine in the next blog post of this series.
Comparison table of cross-border data transfer mechanisms[8]
As discussed above, although the PIPL has established a general framework governing the cross-border transfer of personal information, a number of implementing rules are pending finalization. It remains to be seen whether the practices required under the PIPL will follow the European approach of primarily utilizing model clauses for cross-border data transfers. Even though the Chinese government has taken steps to implement the general framework established under the PIPL by publishing the draft version of certain implementing rules (e.g., the Draft Security Assessment Measures), some requirements under these draft rules are still unclear and require further interpretation. Therefore, multinational companies are advised to keep monitoring the developments closely.
There are different approaches to managing the uncertainties under China’s cross-border data transfer framework, including preparing data transfer agreements based on the European SCCs as a template and adding missing provisions as required under the Draft Security Assessment Measures. While these steps could establish a record of good faith efforts toward compliance with the PIPL, such agreements likely will need to be replaced by the standard contract to be released by the CAC.
In addition, to assess whether a mandatory security assessment conducted by the CAC will be required, multinational companies may want to consider developing a data inventory to understand the amount of personal information they process and transfer overseas, and then evaluate whether the proposed threshold triggering a mandatory security assessment has been met.
Our next blog post covers the comparison of key compliance requirements under the PIPL and the GDPR with respect to cross-border data transfers to a third country or an international organization.
[1] The definition of “personal information” under Article 4 of the PIPL is similar to that of “personal data” under Article 4(1) GDPR.
[2] China’s Cybersecurity Law and Data Security Law have also established a framework governing the cross-border transfer of non-personal information (i.e., “important data”), but the precise scope of “important data” remains undefined. For this blog series, we only discuss the requirements for cross-border transfer of personal information.
[3] Under the Regulation on Protection of the Security of Critical Information Infrastructure, “critical information infrastructure” is defined as important network facilities, information systems, etc. in important industries and fields such as public communications and information services, energy, transportation, water, finance, public services, electronic government affairs and national defense technologies, and others which, in the event of damage thereto, loss of function thereof or leak of data therefrom, could seriously jeopardize national security, national economy and people’s livelihoods, or the public interest.
[4] Other US states have also enacted privacy laws, none of which contain restrictions on cross-border data transfers.
[5] CCPA Section 1798.100(d).
[6] Under the PIPL, “personal information processors” are akin to “controllers,” and “entrusted parties” are like “processors” under the GDPR.
[7] Localization requirements under PIPL Article 40 further limit the transfer mechanisms that can be utilized by certain types of personal information processors. We discuss such requirements in detail in the third blog post of this series.
[8] Because the CCPA doesn’t regulate the transfer of personal information across international borders, this table doesn’t discuss the CCPA.
[9] PIPL Article 40.
[10] Because the GDPR doesn’t contain any parallel rules, the details of the security assessment criteria and process established under the draft Security Assessment Measures for Cross-Border Data Transfer aren’t specified here.
[11] Draft Security Assessment Measures for Cross-Border Data Transfer Article 4.
[12] PIPL Article 38.
[13] On November 1, 2021, China officially applied to join the international Digital Economy Partnership Agreement, which promotes collaboration in upgrading digital trade around the world.
[14] Article 45 GDPR.
[15] PIPL Article 38(2).
[16] PIPL Article 38(3).
[17] Draft Security Assessment Measures for Cross-Border Data Transfer Article 9.
[18] There are currently four sets of standard contractual clauses.
[19] PIPL Article 38.