China: Operationalising PIPL Part two: Data transfers and localisation

While it is welcome that the Personal Information Protection Law ('PIPL') has been adopted, organisations that fall under Article 3 of the new legislation should consider their new compliance obligations under it. The data localisation and data transfer obligations under the PIPL are of particular importance, and will no doubt affect the global data strategy of some international organisations, as well as both data importers and exporters. Dehao Zhang, Counsel at Fieldfisher LLP, discusses this area and its nuances.

What is required by the PIPL regarding data transfers and data localisation?

The PIPL sets out these obligations in Chapter 3, which lays down rules for providing personal information to recipients outside of China. Articles 38 to 43 impose rules relating to data transfers and data localisation, including some restrictions.

Articles 38 and 39 apply to organisations more generally, requiring personal information processors to take measures including:

  • data transfer risk assessments required by the Cybersecurity Administration of China ('CAC');
  • legal certification;
  • signing the Standard Contractual Clauses ('SCCs') formulated by the CAC; and
  • other measures required by laws, regulations, or the CAC rules.

There is also a requirement to obtain standalone consent from the individuals concerned, based on a detailed description of the data transfer provided to them.

Article 40 of the PIPL sets up obligations regarding data localisation and data transfers for critical information infrastructure operators ('CIIOs') and for certain large personal information processors (referred to as 'large processors' hereafter) who process personal information on a scale that meets the standards of the CAC, although the CAC has not yet formulated any such rules or standards.

Article 41 of the PIPL requires that personal information processors shall not provide personal information to foreign public authorities without the permission of the competent Chinese authority.

Article 42 authorises the CAC to build up a restricted and prohibited list for personal information transfers. If organisations or individuals outside of China infringe the personal information rights of Chinese citizens, or process personal information in a way that damages national security or the public interest, they may be placed on the restricted or prohibited list, and transfers of personal information to them will be restricted or prohibited.

Article 43 requires that where any country or region adopts discriminatory prohibitions, restrictions, or other similar measures against the People's Republic of China in terms of personal information protection, the People's Republic of China may take corresponding measures against the country or region based on actual conditions.

Who should comply with the obligation of data localisation under PIPL?

Under Article 40 of the PIPL, only two types of organisation may be obliged to store personal information within China:

CIIOs

CIIOs must store personal information collected and generated in China within mainland China. It should be noted that this requirement originates in Article 37 of the Cybersecurity Law ('CSL'); Article 40 of the PIPL restates it, so the PIPL obligation to store all personal information collected and generated in China within mainland China forms part of the data localisation obligation already imposed by the CSL.

According to Article 2 of the Regulations on the Security Protection of Critical Information Infrastructure ('the Critical Infrastructure Regulations'), critical information infrastructure refers to important network facilities, information systems and similar assets in important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, national defence, science and technology, and other important industries and fields, which, if they are damaged or lose their functions, or if a data breach occurs, may seriously endanger national security, the national economy and people's livelihood, or the public interest. CIIOs are the operators of such critical information infrastructure.

However, there is an issue as to how an organisation can determine whether it is a CIIO. According to Article 10 of the Critical Infrastructure Regulations, the competent authority for each industry and field is responsible for organising the identification of critical information infrastructure in that industry and field in accordance with the identification rules, promptly notifying operators of the identification results, and reporting them to the public security department. On this basis, an organisation can reasonably expect to be notified by the competent authority if it falls within one or more categories of critical information infrastructure.

Large processors as per Article 40

Article 40 of the PIPL requires that if the volume of personal information processed reaches the threshold set by the CAC, the personal information processor must store the personal information collected and generated in China within China. We might speculate that four types of organisation are potentially covered by Article 40:

  • an organisation based in China, which processes a large volume of personal information collected and generated in China;
  • an organisation based outside of China, which processes a large volume of personal information collected and generated in China;
  • an organisation based in China, which processes a large volume of personal information internationally, including personal information collected and generated in China, but where the volume of personal information from China is not large; and
  • an organisation based outside of China, which processes a large volume of personal information internationally, including personal information collected and generated in China, but where the volume of personal information from China is not large.

It is very unclear whether the third and fourth types above fall within Article 40. In this regard, it is better to wait for an explanation or guidance from the data authorities or the Supreme Court of the People's Republic of China. Given that this question will directly affect the personal information collection strategy of international organisations, it is also advisable to have a plan B for it before it becomes a risk.

For those who must comply with the data localisation obligation, it should be noted that data localisation is not an absolute rule that data may never be transferred. In other words, even where a data localisation obligation applies, data can still be transferred where this is necessary; in that case, however, organisations must pass the CAC's risk assessment. This is a familiar step for transferring data, as it predates the PIPL. The CAC's risk assessment for data transfers remains a very tricky problem for organisations, and here too it is better to wait for formal guidance to be issued.

What should the organisation prepare for the transfer obligation?

Organisations must be aware that their obligations are not entirely covered by Articles 38 to 42; otherwise they may overlook some important issues and obligations. Before transferring data from China to other areas or countries, organisations must do the following:

  • identify the data to be transferred, and analyse its nature, including the purposes, manner of processing, and scope of data categories, to establish what is necessary for the purposes and what security measures are needed;
  • assess whether there is any further limitation or restriction on transferring the data, in particular whether the data recipient (or its area or country) is on the restricted or prohibited list, and whether the data may be transferred at all, since China has other data localisation requirements besides the PIPL;
  • assess the legal basis of the data transfer, as a data transfer is also a form of processing and must therefore have a legal basis under Article 13 of the PIPL;
  • if the legal basis is consent, then a standalone consent form and the detailed information to be provided to individuals should be prepared well before the transfer, in accordance with Article 39 of the PIPL; the information to be provided includes:
    • the name and contact details of the data recipient outside of China;
    • the processing purpose, method, and types of personal information; and
    • the methods and procedures by which individuals can exercise their rights under the PIPL against the data recipient.
  • if the legal basis is not consent, then according to Article 13(2) no consent is needed, whether standalone or in any other form, but the detailed information on the data transfer described above should still be provided to individuals in the privacy notice;
  • whatever legal basis is relied on, one of the legal arrangements under Article 38 must be in place before the transfer:
    • the CAC risk assessment under Article 40;
    • certification in accordance with the rules of the CAC;
    • signing the SCCs formulated by the CAC with the data recipient outside of China, setting out the contractual rights and obligations in the clauses; and
    • other conditions or provisions required by laws, regulations, or the rules of the CAC.
  • whatever legal basis is relied on, according to Article 55 of the PIPL a Personal Information Protection Impact Assessment (similar to a Data Protection Impact Assessment) should be conducted before the data transfer, and the assessment should cover:
    • whether the processing purpose and processing method of personal information are legal, proper, and necessary;
    • impact on personal rights, and security risks of the transfer; and
    • whether the protection measures adopted are legal, effective, and compatible with the degree of risk.

The assessment report and the record of the processing result should be retained for at least three years.

Other concerns

There are still some points that remain unclear under the new law, since the PIPL does not take effect until 1 September 2021 and no case law has yet been made under it. Besides that, the data authorities are still working on their own legal duties, such as studying and formulating the rules and methods for enforcing the law, so for most organisations it is better to focus first on complying with the more clearly expressed requirements. At the very beginning of the enforcement of a new law, the authorities will address basic obligations and clear requirements first, so organisations should not focus on the murkier requirements nor assume they can comply with every requirement at once, but should do what they can first.

Dehao Zhang, Counsel

Fieldfisher LLP, Beijing