As explained in our previous blog post, in addition to the requirements for adopting a cross-border transfer mechanism, China’s Personal Information Protection Law (PIPL) and the European Union’s General Data Protection Regulation (GDPR) set out further compliance obligations on the cross-border transfer of personal information.[1]

Before controllers (under the GDPR) or personal information processors (under the PIPL) can initiate cross-border data transfers, certain requirements generally must be satisfied regardless of the transfer mechanism and of the status of the personal information processor – e.g., whether or not the personal information processor is an operator of critical information infrastructure or processes a “large amount” of personal information.

As a general requirement, the PIPL mandates that all personal information processors take necessary measures to ensure that the personal information processing activities of overseas recipients meet the standard of personal information protection set forth under the PIPL.[2] In practice, based on our observations, common ways of discharging this obligation are to impose contractual obligations on data importers regarding how they must process the received personal information and to give data exporters an audit right.

Comparison table of relevant compliance requirements for personal information processors under the PIPL and controllers under the GDPR

(Each row below sets out the PIPL requirement first, followed by the GDPR requirement.)

Information requirements

PIPL: Inform data subjects of the name and contact information of overseas recipients, processing purposes and means, the types of personal information to be transferred overseas, and the means and procedures for data subjects to exercise their rights under the PIPL against the overseas recipients.[3]

GDPR: Inform data subjects pursuant to Articles 13 and 14 of the GDPR, which include information such as:

  • The recipients or categories of recipients of the personal data.
  • The fact that the controller intends to transfer personal data to a third country or international organization.
  • The purpose(s) of the processing.
Consent

PIPL: Obtain separate consent from the data subjects.[4]

GDPR: The GDPR takes a two-stage approach that distinguishes personal information “processing” from third-country personal information “transfer.”

First stage: The basic principles of the GDPR must always be observed when personal information is processed, regardless of whether it is transferred to a third country.

Second stage: Only in the case of a cross-border transfer to a third country must organizations ensure that one of the described transfer mechanisms (an adequacy decision, appropriate safeguards, or derogations for specific situations) applies.

As such, in the second stage, data subjects’ consent must be obtained for a cross-border transfer only when the organization can’t base the transfer on an adequacy decision or appropriate safeguards and must instead rely on consent as a derogation for specific situations.

Impact assessment

PIPL: Conduct an internal personal information protection impact assessment[5] prior to the cross-border transfer of personal information (an ex-ante self-assessment similar to the Data Protection Impact Assessment under the GDPR), and keep the assessment reports and the records of the processing activities for at least three years.[6]

The PIPL requires personal information processors to assess the following factors when conducting the personal information protection impact assessment:

  • Whether the processing purposes and means are lawful, legitimate and necessary.
  • Impacts and security risks on the rights and interests of individuals.
  • Whether the security measures adopted are lawful, effective and proportionate to the risk exposure.[7]

However, the PIPL doesn’t provide further details on how personal information processors must carry out the above personal information protection impact assessment in practice. China has published a non-legally binding national standard (GB/T 39335 – 2020, Information Security Technology – Guidance for Personal Information Security Impact Assessment[8]), which provides detailed practical guidance on such assessments. However, because the national standard was released before the enactment of the PIPL and includes a specific carve-out for cross-border transfers of personal information, it may serve only as a reference.

The October 2021 release of the draft Security Assessment Measures for Cross-Border Data Transfer (Draft Security Assessment Measures) further complicates the above analysis. Under the Draft Security Assessment Measures, all personal information processors, regardless of whether they are subject to the mandatory security assessment administered by the Cyberspace Administration of China (CAC), must carry out a “self-assessment” prior to their cross-border transfer of personal information.[9] This requirement appears to overlap with the personal information protection impact assessment required under Article 55 of the PIPL, but the Draft Security Assessment Measures are silent on how these potentially overlapping requirements may be reconciled.

Under the Draft Security Assessment Measures, when conducting the self-assessment, the following factors shall be assessed:

  • The lawfulness, legitimacy, and necessity of the purpose, scope and means of the cross-border transfer and the processing activities by overseas recipients.
  • The amount, scope, types and sensitivity of the data to be transferred, and the risks the transfer poses to national security, public interest and the legitimate rights and interests of individuals or organizations.
  • Whether the organizational and technical measures and capability of the personal information processor can prevent data leakage and destruction at the data transmission stage.
  • Whether the obligations and responsibilities assumed by overseas recipients, and the corresponding organizational and technical measures and capability of overseas recipients to perform those undertakings, can ensure the security of the data transferred outside China.
  • The risks of leakage, destruction, distortion or abuse after the data is transferred overseas and onward transferred, and whether convenient channels are available for individuals to exercise their personal information rights.
  • Whether the contract between the personal information processor and the overseas recipient sufficiently specifies the obligations and responsibilities with respect to data security.[10]

GDPR: If the transfer is based on appropriate safeguards – for example, standard contractual clauses (SCCs) – data exporters and data importers must also take into account the Schrems II judgment, in which the Court of Justice of the European Union found that data exporters must assess whether the third country to which they are transferring the information provides a level of protection essentially equivalent to that guaranteed in the EU. If there are issues with the level of protection, the data exporter will need to establish whether supplementary measures can be applied alongside the SCCs to maintain the level of protection.[11] If this isn’t possible, the data exporter will need to suspend or end the transfer.

Thus, similar to the ex-ante self-assessment under the PIPL, European organizations must conduct a data transfer impact assessment (DTIA) before they can use SCCs to transfer information to a third country. This requires organizations to conduct a case-by-case assessment and, at a minimum, consider the following:

  • What’s the type and sensitivity of the personal information?
  • Who will be able to process the personal information?
  • What technical measures are used to protect the personal information?
  • Which national laws apply in that jurisdiction, and how are they exercised in practice and in relation to a particular personal data transfer?

DTIAs require a more comprehensive and flexible risk assessment rather than one narrowly focused on the third country’s data protection laws, and they need to be monitored on an ongoing basis and updated in light of any changes in the laws of the third country. Thus, organizations must dedicate even more resources to GDPR compliance and their data transfer mapping.

Blacklist of foreign organizations and individuals, and countermeasures against other countries

PIPL: Under the PIPL, should any foreign organizations or individuals conduct personal information processing activities “infringing Chinese citizens’ rights and interests related to personal information,” or “endangering China’s national security or public interest,” the CAC may place such foreign organizations or individuals on a publicly available list – and take measures to restrict or prohibit personal information processors from transferring personal information to them.[12] Therefore, before transferring personal information to recipients outside of China, personal information processors must ensure that the overseas recipients aren’t on the “blacklist” issued by the CAC. (So far, the CAC hasn’t published such a list.)

Moreover, should any countries or regions act in a discriminatory or restrictive manner against China with respect to personal information protection, the PIPL states that China may take “corresponding measures” against such countries or regions.[13] It is unclear how the Chinese government plans to enforce such a provision.

GDPR: N/A

As the final installment in this series, our next blog post discusses the localization requirements and restrictions on responding to requests of foreign judicial and enforcement agencies under the PIPL.

The content of this blog is not intended to, and does not, constitute legal advice or the provision of legal services or establish an attorney-client relationship. Readers of this website should contact their attorneys to obtain any legal advice or services with respect to any particular legal matter.

Contributors

Allison Kutner

Travis LeBlanc

Daniel Millard

David Navetta

Bartholomaus Regenhardt

Guadalupe Sampedro

Lei Shen

Patrick Van Eecke

Charlie Wood


[1] Because the CCPA doesn’t regulate the transfer of personal information across international borders, this post doesn’t discuss the CCPA.

[2] PIPL Article 38.

[3] PIPL Article 39.

[4] Id. We’ve also seen a different interpretation, which is that separate consent isn’t required. In that interpretation, Article 13 of the PIPL indicates that if a company relies on a non-consent basis for processing certain personal information (e.g., relying on “necessary for the performance of contract” as a lawful basis), it doesn’t need to obtain a separate consent before transferring such personal information overseas.

[5] Under Article 55 of the PIPL, an internal personal information protection impact assessment will be triggered under the following circumstances: (i) processing sensitive personal information; (ii) processing personal information for automated decision making; (iii) entrusting vendors to process personal information, sharing personal information with other personal information processors or publicly disclosing personal information; (iv) transferring personal information outside of China; and (v) other processing activities that may result in significant impact on the rights and interests of individuals.

[6] PIPL Articles 55 and 56.

[7] PIPL Article 56.

[8] Published on November 19, 2020, and effective June 1, 2021, this guidance from China’s State Administration for Market Regulation and Standardization Administration specified that the assessment for the cross-border transfers must refer to other guidance specifically for such situations.

[9] Draft Security Assessment Measures for Cross-Border Data Transfer, Article 5.

[10] Id.

[11] The European Data Protection Board has produced draft recommendations on supplementary measures, which may assist data controllers and processors.

[12] PIPL Article 42.

[13] PIPL Article 43.

Posted by Cooley