Localization requirements
China’s Personal Information Protection Law (PIPL) requires that operators of critical information infrastructure (e.g., China Mobile) and personal information processors that process personal information in an amount that reaches “the threshold specified by” the Cyberspace Administration of China (CAC) store personal information collected and generated in China locally.[1] These entities can only export personal information when it is necessary (this may include for a business purpose) and after passing a security assessment administered by the CAC.[2]
As discussed in our first blog post of this series, in October 2021, the CAC released for public comment the draft Security Assessment Measures for Cross-Border Data Transfer, which provide further clarity on the scope, criteria and process for carrying out a security assessment. Under the such draft, the threshold specified by the CAC is set as:
- The personal information processor has processed personal information of more than 1 million individuals.
- The personal information processor has cumulatively transferred personal information of more than 100,000 individuals or has cumulatively transferred sensitive personal information of more than 10,000 individuals.
Notably, sectoral regulations may also impose data localization requirements on specific sectors. For example, the Provisions on the Management of Automotive Data Security (for Trial Implementation), effective October 1, 2021, impose localization requirements on the “important data” processed by “automobile data processors.”[3] Such important data include, among other things, “personal information of more than 100,000 individuals.”[4]
Responding to requests by foreign judicial and enforcement agencies
The PIPL also introduces a “blocking statute” that restricts personal information processors from providing personal information stored within China to foreign judicial or enforcement agencies. Under the PIPL, without the prior approval of a competent Chinese authority, no personal information processors are allowed to respond to requests of foreign judicial or enforcement agencies for providing personal information stored in China.[5]
However, the blocking statute under the PIPL leaves several key questions unanswered, including what personal information might be considered as “stored” in China (i.e., whether personal information that’s already legally transferred to overseas and subsequently stored outside of China is in scope), and what is the process for obtaining approval for providing personal information to foreign judicial or enforcement agencies.
Companies with a US presence may recognize that this restriction could conflict with US compelled disclosure laws, such as the Clarifying Lawful Overseas Use of Data (CLOUD) Act,[6] the Foreign Intelligence Surveillance Act of 1978[7] and the Electronic Communications Privacy Act.[8] Under these laws, companies that receive valid legal process (e.g., a subpoena) must comply with those requests for data or face civil or criminal penalties. These requirements apply regardless of the nationality of the data subject and where the data is stored. The CLOUD Act provides a way for companies to challenge requests for stored communications and requires courts to conduct a limited comity analysis when determining whether to block such requests. However, in our view, it is unlikely that a US court would consider PIPL compliance a valid reason to not comply with the US legal process. Also, if the data is stored concurrently in China and the US – for example, if the data originated in the US or was transferred there via a valid PIPL cross-border data transfer – the court could require the data to be produced from US storage.
The European Union’s GDPR doesn’t contain specific provisions on requests from authorities for personal information. However, companies that transfer personal information to third countries may do so on the basis of a data transfer mechanism under the GDPR – the standard contractual clauses (SCCs) – which contain detailed provisions in the event of a request from a public authority that, among other obligations, oblige the data importer (i.e., the recipient of the personal information in the third country) to notify the data exporter (and, where possible, the data subject) of such a request, and to review and potentially challenge the legality of such request.
It remains to be seen how Chinese and US authorities intend to enforce these seemingly disparate requirements. Operationally, some companies may seek to add clauses to data processing agreements that mirror those contained within the SCCs. These clauses would require US-based data processors to make best efforts to decline requests from US authorities that conflict with the PIPL, and to notify the personal information processors when receiving and responding to such government requests.
——
This is one in a series of blog posts Cooley is publishing regarding privacy and cybersecurity regulation in China. Additional information can be found in these posts:
- China’s New National Privacy Law: The PIPL
- Cooley Privacy Talks: UK Privacy Update
- PRC’s New Efforts to Facilitate Data Trading: Shanghai Data Exchange Kicks Off Trading
Cooley keeps a close eye on China’s ongoing efforts to modernize its cybersecurity, data and privacy legislation, with a focus on facilitating data stewardship and practical ways to implement compliance solutions. Companies doing business in China would be well advised to employ data protection counsel with a global perspective.
Reach out to any of the contacts listed below to discuss how ongoing changes to China’s privacy and security regulations might impact your business.
The content of this blog is not intended to, and does not, constitute legal advice or the provision of legal services or establish an attorney-client relationship. Readers of this website should contact their attorneys to obtain any legal advice or services with respect to any particular legal matter.
Contributors
[1] PIPL Article 40.
[2] Id.
[3] Provisions on the Management of Automotive Data Security (for Trial Implementation) Article 11.
[4] Provisions on the Management of Automotive Data Security (for Trial Implementation) Article 3.
[5] PIPL Article 41.
[6] 18 USC § 2523.
[7] 50 USC § 1801 et seq.
[8] 18 USC § 2510 et seq.