China may soon ease PIPL cross-border data transfer requirements, but your privacy compliance strategy should focus on the long term.
Your company operates in China. You compile personal data relating to your Chinese employees and transfer them to your headquarters for HR purposes. You also collect personal information on Chinese customers buying products on your website and make it accessible to global departments outside of China. Since the coming into effect of China’s Personal Information Protection Law (PIPL) in November 2021, you may constantly have been wondering if your cross-border data transfers comply to China’s data privacy regulations.
A complex and uncertain system of laws governing data transfers outside of China
In fact, PIPL is only one of many Chinese data protection laws. It builds on top of both China’s Cybersecurity Law (CSL, 2017) and China’s Data Security Law (DSL, 2021). It applies to any organization processing personally identifiable information from China in China and abroad. Under PIPL, international data transfers are possible following an approval from the Cyberspace Administration of China (CAC). The article 38 of PIPL offers four ways of getting this approval, some of them subsequently completed by five additional measures and guidelines (2022-2023)[1] detailing how to comply and who is concerned.
In a nutshell, if you engage in the cross-border data transfer of a relatively small volume of personal information, you have two options: get certified by a designated institution in accordance with the regulations of the CAC, or sign a contract with the overseas recipient of the data in line with the standard contract formulated by the CAC.
In other cases, you need to pass a security assessment organized by the CAC. This is the highest bar of compliance and applies to companies who are critical information infrastructure operators (CIIO), handle personal information of more than one million people, export personal information of 100,000 people or “sensitive” personal information of 10,000 people, or export “important” data. This gives the CAC room for interpretation, possibly qualifying any data as “important”. Furthermore, in all the above-mentioned cases, the CAC reserves the right to overview all cross-border data transfers and stop them based on a large spectrum of justifications.
Besides a complex and constantly evolving regulatory landscape leaving China’s authorities with many options to oppose a data transfer, you are burdened with two additional facts on your way to compliance. First, the procedures for getting approval from the CAC may be time-consuming, in particular the rigorous security assessment by the CAC. Second, even if you manage to get the CAC’s approval for a data transfer, you still need to obtain consent from the people whose data are being transferred as well (article 39 of PIPL).
With all this information, you may have been confused when drafting your PIPL compliance strategy. To this day, you may not be sure if your data transfers comply, and even if compliance is possible at all.
An upcoming easing of cross-border data transfer requirements
Interestingly, Chinese authorities have recently recognized the challenges faced when exporting data from China. China’s State Council has officially identified cross-border data transfers as one of 24 areas to improve in order to attract foreign investment to China[2]. Therefore, in September 2023, the CAC issued a draft proposition of exemptions from the cross-border data transfer mechanism[3].
You could be freed from the above-mentioned article 38 procedures (security assessment, certification, or specific contract) in the following cases, which were under public discussion until mid-October:
- You could transfer employee data from China if this was necessary for human resources management in accordance with law and lawfully formulated collective contracts
- You could transfer customer data from China for the purpose of entering into and performing a contract to which the customer is a party, such as cross-border e-commerce, cross-border remittance, air ticket booking and visa processing
- You could transfer personal information from China in order to protect the life, health and property safety of people in emergencies
- You would only need to do a CAC security assessment for
- transfers of data for more than one million people, likely beyond the cases mentioned above
- “important” data transfers, where data are not considered “important” unless you have officially been notified of the contrary
This is great news. It means that in many cases, you could continue transferring personal information from China without administrative burden and without risking non-compliance and associated fines.
However, it is currently unclear when these exceptions would be enacted, if at all, and what the final list could look like. Besides, the CAC highlighted two issues that you would still be confronted to. First, specific consent from people whose data are being transferred internationally would still be required under PIPL if consent is the legal basis for the data processing – which may be the case for most processing cases outside of the execution of a contract. Second, and more importantly, the CAC would keep the right to overview all cross-border data transfers, investigate high-risk transfers and even stop them altogether.
So if you think that you may soon once again be able to transfer a good part of your China-generated personal information abroad without constraints, you may not be right.
Keeping data in China, the safest long-term compliance strategy
Working with all this information, how to prepare a good compliance strategy related to China’s personal information protection laws?
On the legal side, you face laws that are complex to understand, constantly evolving, and subject to interpretation by the authorities. Unlike with the GDPR, you can’t tell if you are compliant as of now, and even less in the coming months and years.
Add to this the technical side: in global companies, information circulates. Data reside in both universal platforms for global operations, including HR and customer management, and interconnected local systems. It will be a challenge just to identify all personal information and figure out associated data flows before any specific protection measures can be discussed.
Besides, let’s not forget that the stakes are high: in case of non-compliance, the CAC can restrict your data transfers, fine your company and executives, and even force your business to close in China.
You should take advantage of the fact that the CAC currently focuses on adapting rather than enforcing its personal information protection laws and consider a more long-term compliance strategy. This strategy may consist in ensuring that data actually stay in China instead of being systematically transferred to your headquarters.
In the long term, China undeniably aims for digital sovereignty. Among the many laws published by countries to regulate cyber space and protect personal data, PIPL is unique in that it significantly challenges the information system model of global companies, which consists in a centralized IT concentrating information from all locations. But in a world where geopolitical tensions intensify, we can expect even more calls for IT protectionism.
Therefore, you should see your PIPL compliance strategy reflections as a case study for decoupling of your information system, which you may soon be confronted to at a bigger scale.
[1] 2022: Measures of Security Assessment for Data Export
2023: Measures on the Standard Contract for Outbound Transfer of Personal Information
2023: Regulations on Standardizing and Promoting Cross-Border Data Flows
[2] 国务院关于进一步优化外商投资环境加大吸引外商投资力度的意见
[3] Provisions on Standardizing and Promoting Cross-Border Data Flows (Draft for Comment)
