
China - Federal

Summary

Law: Personal Information Protection Law ('PIPL') (Enforcement date of 1 November 2021)

Regulator: The Cyberspace Administration of China ('the CAC').

Summary: On 20 August 2021 China approved the PIPL, the first comprehensive data protection legislation in the region. The Law entered into effect on 1 November 2021 and established personal information processing rules, data subject rights, and obligations for personal information processors, among other things. In addition to the PIPL, the National People's Congress ('NPC') also approved, on 10 June 2021, the Data Security Law, which entered into effect on 1 September 2021. The Data Security Law regulates data processing activities associated with both personal and non-personal data.

There are also provisions related to personal data protection in several other pieces of legislation; most notably the Cybersecurity Law 2016, which came into effect in 2017 (official Chinese version available here; unofficial English version available here) ('the Cybersecurity Law') and which provides certain general requirements, and the regulations for the protection of children's personal information (only available in Chinese here), which stipulate obligations relating to the processing of children's personal data. In addition, there are numerous non-binding guidelines and standards, which provide best practice recommendations for the handling of personal data. The most notable of these is Standard GB/T 35273-2020 on Information Security Technology - Personal Information Security Specification.

Insights

The Cybersecurity Law ('CSL'), the Data Security Law ('DSL') and the Personal Information Protection Law ('PIPL'), which have been promulgated and implemented in the past few years, constitute the basic framework of China's cybersecurity and data protection legal regime. These laws significantly impacted many companies' business operations and legal compliance work. All three laws have provisions that put forward general principles regarding outbound data transfer and require a security assessment for outbound data transfer ('the Security Assessment') by the Chinese authorities in certain situations.

In light of this, on 7 July 2022, the Cyberspace Administration of China ('CAC') issued the Measures for the Security Assessment of Data Exports ('the Measures'), which elaborated and expanded on the general principles of security assessment for outbound data transfer as stipulated by the three laws. The Measures came into effect on 1 September 2022, right after the CAC issued the Guidelines for Data Export Security Assessment Declaration (1st edition) ('the Guidelines') on 31 August 2022, which provide detailed guidance on how data processors should apply for the security assessment and carry out the related preparations. Generally speaking, the Measures and the Guidelines pose significant challenges for businesses that must apply for the security assessment. Samuel Yang and Hanxuan Yang, from AnJie Law Firm, analyse some common obstacles and challenges faced by data exporters and propose some possible countermeasures.

On 31 August 2022, hours before the Security Assessment Measures for Cross-border Data Transfer ('the Measures') officially came into effect, the Cyberspace Administration of China ('CAC') released the Guidelines on Application for Security Assessment for Cross-border Data Transfer (First Edition) ('the Guidelines'), which reiterate the application scope and the data export assessment procedures under the Measures, and also outline in detail the documents to be submitted for such procedures. A long-awaited structural template for the self-assessment report was also issued at the same time. This provides a much clearer picture for companies to follow in order to legally share and transfer data across the border of the People's Republic of China ('PRC'). The Measures set an explicit deadline (i.e. by the end of February 2023) for companies to fulfil their legal obligations, including the assessment. As preparation for the required formalities could potentially become quite complicated in practice due to the (unfortunately still remaining) vagueness and ambiguity of these requirements, it is recommended to prepare for this immediately to avoid potential compliance exposure. Dr. Michael Tan, Julian Sun, and Kyle Tong, from Taylor Wessing LLP, summarise some highlights as follows for your easier reference.

Relevant Chinese data protection supervisory authorities, including the Cyberspace Administration of China ('CAC'), the Ministry of Industry and Information Technology ('MIIT'), and the National Information Security Standardisation Technical Committee ('TC260'), have all been very active with issuing a range of guidelines, measures, and provisions relating to data protection and cybersecurity. Generally, the applicable publications supplement laws such as the Personal Information Protection Law ('PIPL') and the Data Security Law ('DSL') by providing further detail regarding the mechanisms and processes outlined in the legislation. In order to help companies keep up-to-date with the latest guidance, OneTrust DataGuidance has summarised the relevant publications issued in the past year, including any draft documents.

On 26 May 2022, the National Information Security Standardisation Technical Committee ('TC260') released, for public consultation, the draft Requirement for Privacy Agreement of Information Security Technology Internet Platforms and Product and Services ('the Draft Requirements'). The Draft Requirements provide an in-depth picture of the content of privacy policies, methods of access, and procedures relating to updating privacy policies. OneTrust DataGuidance Research provides an overview of the key developments contained within the Draft Requirements.

As an important part of China's enhanced cybersecurity regulatory regime, the Multi-Level Protection Scheme ('MLPS') is not a new concept and can be dated back to multiple administrative rules issued in 1994 and 2007 (generally known as the MLPS 1.0 rules), under which a network operator is required to classify its information systems into five levels and adopt proper cybersecurity measures. Barbara Li, Partner at PwC Mainland China and Hong Kong, discusses the updated MLPS 2.0 and its requirements.

On 30 June 2022, the Cyberspace Administration of China ('CAC') released the long-awaited draft Personal Information Export Standard Contract ('the Standard Contract'), together with the draft Rules on the Standard Contract ('the Rules'). An analysis of the application and requirements of the Standard Contract to a business' cross-border data transfer strategy is critical as signing a Standard Contract is anticipated to be the most popular approach enabling international transfers of personal information out of mainland China. Alex Roberts and Yang Fan, from Linklaters, and Tiantian Ke, from Zhao Sheng Law Firm, look at key aspects of the latest draft of the Standard Contract and draw comparisons with the EU 2021 Standard Contractual Clauses ('the EU SCCs').

On 30 June 2022, the Cyberspace Administration of China ('CAC') released the Standard Contract Provisions for the Export of Personal Information (Draft for Comment) ('the Draft Standard Contract Provisions'). The Draft Standard Contract Provisions are intended to implement Article 38(1)(3) of the Personal Information Protection Law ('PIPL') and provide for one of the lawful methods for the transfer of personal information outside of China. The Draft Standard Contract Provisions contain a standard contract akin to Standard Contractual Clauses ('SCCs') and establish requirements for personal information processors as well as overseas recipients. In part two, OneTrust DataGuidance Research examines the standard contract provisions provided by the CAC.

The Cyberspace Administration of China ('CAC') has adopted the Measures for Security Assessment of Data Exports ('the Measures'), which makes the data transfer mechanism under Article 38(1) of the Personal Information Protection Law ('PIPL') an effective mechanism for critical information infrastructure operators ('CIIOs') and organisations that meet the threshold of the CAC. As required by the Measures, such CIIOs and organisations have six months to comply with its requirements and assess their data transfer practices in relation to the Measures, which creates urgent work for the privacy teams in such organisations. Dehao Zhang, Counsel at Fieldfisher China, discusses the Measures and their requirements.

Since the Personal Information Protection Law ('PIPL') came into force on 1 November 2021, the Standard Contractual Clauses ('SCCs') for cross-border data transfers as referred to in Article 38 of the PIPL have been pending. This puts companies in a very tricky position, wherein they have the statutory obligation to follow the SCCs while no such SCCs are available. Fortunately, this will be changed soon. On 30 June 2022, the Cyberspace Administration of China ('CAC') presented to the public a draft of the prescribed format for SCCs under the PIPL. The deadline for public comments is 29 July 2022, meaning that the SCCs are likely to be officially launched very soon. Dr. Michael Tan, Julian Sun, and Kyle Tong, from Taylor Wessing LLP, discuss the draft SCCs and their importance.

On 30 June 2022, the Cyberspace Administration of China ('CAC') released the Standard Contract Provisions for the Export of Personal Information (Draft for Comment) ('the Draft Standard Contract Provisions'). The Draft Standard Contract Provisions are intended to implement Article 38(1)(3) of the Personal Information Protection Law ('PIPL') and provide for one of the lawful methods for the transfer of personal information outside of China. The Draft Standard Contract Provisions contain a standard contract akin to Standard Contractual Clauses ('SCCs') and establish requirements for personal information processors as well as overseas recipients, notably the obligation to carry out Data Protection Impact Assessments ('DPIAs'). OneTrust DataGuidance Research breaks down the Draft Standard Contract Provisions, featuring expert insights from Dehao Zhang, Counsel at Fieldfisher China.

On 26 June 2022, the National Information Security Standardization Technical Committee of China promulgated its guidelines on the Cybersecurity Standards Specification for the Certification of Cross-Border Processing of Personal Information ('the Specification'). The Specification provides implementation rules for one of the methods of lawfully conducting cross-border data processing activities, i.e. third party certification. The Specification contains the applicable scenarios, ways to obtain certification, basic principles, basic requirements, and special requirements for securing data subjects' rights. Ziqing Zheng, Partner at Zhong Lun Law Firm, discusses the Specification and its content.

Following the Personal Information Protection Law ('PIPL') coming into effect, most organisations, especially international companies that conduct business in China, have enthusiastically complied with the PIPL. However, some articles of the PIPL are very high level and general, and may need to be supplemented by further guidance from legislators or data protection authorities in China. For example, some requirements seem impractical, such as those regarding data localisation, data transfers, and data protection officer ('DPO') requirements, which may cause misunderstanding or difficulty for compliance efforts. Dehao Zhang, Counsel at Fieldfisher, provides some practical advice to help organisations stay compliant.