{"id":21998,"date":"2023-12-15T15:00:00","date_gmt":"2023-12-15T14:00:00","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=21998"},"modified":"2023-12-20T15:06:54","modified_gmt":"2023-12-20T14:06:54","slug":"impact-of-pipl-evolution-on-your-privacy-compliance-strategy","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/12\/impact-of-pipl-evolution-on-your-privacy-compliance-strategy\/","title":{"rendered":"Impact of PIPL evolution on your privacy compliance strategy"},"content":{"rendered":"\n

China may soon ease PIPL cross-border data transfer requirements, but your privacy compliance strategy should focus on the long term.<\/span><\/h3>\n

Your company operates in China. You compile personal data relating to your Chinese employees and transfer them to your headquarters for HR purposes. You also collect personal information on Chinese customers buying products on your website and make it accessible to global departments outside of China. Since the coming into effect of China\u2019s Personal Information Protection Law (PIPL)<\/strong> in November 2021, you may constantly have been wondering if your cross-border data transfers comply to China\u2019s data privacy regulations.<\/p>\n

\u00a0<\/p>\n

A complex and uncertain system of laws governing data transfers outside of China<\/h2>\n

In fact, PIPL is only one of many Chinese data protection laws. \u00a0It builds on top of both\u00a0China’s Cybersecurity Law<\/strong>\u00a0(CSL, 2017) and\u00a0China’s Data Security Law\u00a0<\/strong>(DSL, 2021). It applies to any organization processing personally identifiable information from China in China and abroad. Under PIPL, international data transfers are possible following an approval from the Cyberspace Administration of China (CAC). The article 38 of PIPL offers four ways of getting this approval, some of them subsequently completed by five additional measures and guidelines<\/strong> (2022-2023)[1]<\/a> detailing how to comply and who is concerned.<\/p>\n

In a nutshell, if you\u00a0engage in the cross-border data\u00a0transfer of a relatively small volume<\/strong> of personal information, you have two options: get certified by a designated institution in accordance with the regulations of the CAC, or sign a contract with the overseas recipient of the data in line with the standard contract formulated by the CAC.<\/p>\n

In other cases, you need to pass a security assessment<\/strong> organized by the CAC. This is the highest bar of compliance and applies to companies who are critical information infrastructure operators (CIIO), handle personal information of more than one million people, export personal information of 100,000 people or \u201csensitive\u201d personal information of 10,000 people, or export \u201cimportant\u201d data. This gives the CAC room for interpretation<\/strong>, possibly qualifying any data as \u201cimportant\u201d. Furthermore, in all the above-mentioned cases, the CAC reserves the right to overview<\/strong> all cross-border data transfers and stop them based on a large spectrum of justifications.<\/p>\n

Besides a complex and constantly evolving regulatory landscape leaving China\u2019s authorities with many options to oppose a data transfer, you are burdened with two additional facts on your way to compliance. First, the procedures for getting approval from the CAC may be time-consuming<\/strong>, in particular the rigorous security assessment by the CAC. Second, even if you manage to get the CAC\u2019s approval for a data transfer, you still need to obtain consent<\/strong> from the people whose data are being transferred as well (article 39 of PIPL).<\/p>\n

With all this information, you may have been confused when drafting your PIPL compliance strategy. To this day, you may not be sure if your data transfers comply, and even if compliance is possible at all.<\/p>\n

\u00a0<\/p>\n

An upcoming easing of cross-border data transfer requirements<\/h2>\n

Interestingly, Chinese authorities have recently recognized the challenges faced when exporting data from China. China\u2019s State Council has officially identified cross-border data transfers as one of 24 areas to improve in order to attract foreign investment to China[2]<\/a>. Therefore, in September 2023, the CAC issued a draft proposition of exemptions<\/strong> from the cross-border data transfer mechanism[3]<\/a>.<\/p>\n

You could be freed from the above-mentioned article 38 procedures (security assessment, certification, or specific contract) in the following cases, which were under public discussion until mid-October:<\/p>\n