When it comes to cross-border data transfers, the PIPL and GDPR are similar in several ways, but there are still some variances in the specifics. For companies to transmit personal data to a third country or an international body, both laws provide for a transfer method, albeit the PIPL offers fewer options. The PIPL also imposes various cross-border data transfer restrictions based on the status of organizations – specifically, whether the organization transferring personal information overseas is considered to be an operator of critical information infrastructure – and the volume of personal information processed by organizations.
Personal information is defined as electronic (or other recorded) data that relates to a recognized or identifiable natural person, excluding information that has been anonymized. According to the PIPL, an “organization or individual that independently chooses the objectives and means for processing of personal information” is referred to as a personal information processing entity (Article 73). This appears to be the data controller idea under the EU General Data Protection Regulation’s Chinese legal counterpart.
Generally speaking, a processing entity that intends to transfer personal data to organizations outside of China must I inform individuals about the transfers and obtain separate consent (Article 39), (ii) take the necessary steps to ensure that the overseas recipients can provide the same level of protection as required by the PIPL (Article 38), and (iii) conduct a personal information protection impact assessment (Article 55).
For a cross-border data transfer, Article 39 expressly requires companies to seek separate consent, and the language itself does not include any exceptions. Additionally, it’s not obvious if separate consent would still be necessary if it wasn’t the legal justification for processing at the time of collection. For instance, if a corporation processes publicly available information based on Article 13.6, which does not need authorization at the moment of collection, it would be impossible for businesses to get separate consent from data subjects. On this subject, more regulatory advice could be provided in the future. In additionally to the above-mentioned generally applicable standards, Article 38 provides three transfer options for businesses intending to transmit personal information outside of China. The three transfer methods provided by PIPL are certification, standard contractual provisions, and security assessment. The attributes of the operators determine how these mechanisms can be used.
If they intend to send personal information outside of China, operators of critical information infrastructure and those handling a “significant volume” of personal information must go through a security assessment conducted by the Cyberspace Administration of China. The proposed Measures for the Security Evaluation of Cross-Border Data Transfer, which is covered below, outline the proposed procedure for the security assessment. Non-CIIOs that fall short of the criteria outlined in these Draft Measures do not need to undergo a security assessment but must select one of the legal transfer channels listed below:
- Obtaining accreditation in personal information protection from professional organizations in compliance with the CAC’s standards.
- Establishing a contract based on SCCs with the data receiver outside of China.
Article 38 does have a “catch-all” clause that bases a transfer on the fulfillment of additional requirements set out by laws and regulations, but as of yet, it is unknown what those other requirements would be.
CIIOs is the initial class of enterprises under security evaluation. According to Article 40, CIIOs must save all “citizens’ personal information and critical data” created or gathered during domestic activities in China. Unless otherwise mandated by law, designated agencies must complete a security assessment when transnational data transfers are required for operational reasons. Any international transmission of personal data by CIIOs will be the subject of a security evaluation.
Other than CIOs, a Chinese processing organization should request the CAC for a security assessment under Article 4 of the Draft Measures if it:
- Processes the personal data of over a million people.
- Has collectively sent more than 100,000 individuals’ personal information or more than 10,000 individuals’ sensitive personal information.
Following the PIPL, “sensitive personal information” refers to “personal information that, once leaked or used unlawfully, may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, specially-designated status, medical health information, financial accounts, information on individuals’ whereabouts, as well as personal information of minors under the age of 14.” (Article 28).
MECHANISM OF SECURITY ASSESSMENT
When requesting a security assessment for a cross-border data transfer, data processing firms are required to present the following documentation under Article 6 of the Draft Measures:
- A request forms.
- Self-evaluation report.
- The contract that will be signed between the overseas receiver and the data processing organization, or other legally enforceable papers.
- Additional resources needed for the security evaluation.
Loopholes of the PIPL
Even after the publication of the Draft Measures, there are still many significant concerns surrounding the security assessments. For instance, the duration for computing cumulative transfers is not addressed in the Draft Measures. Furthermore, it is not clear whether group firms with several subsidiaries and affiliates are required to calculate the total number of people whose personal information has been processed or transmitted overseas, or if each subsidiary and affiliate must do so independently. Since the present Draft Measures haven’t been revised since December 2021, we had anticipated a final version to have been published by now. However, this hasn’t happened yet.
The Draft Measures place a strong emphasis on the security evaluation for cross-border data transfers but do not contain any particular guidelines on the data localization requirements. In other words, it is unclear from the Draft Measures whether data localization is a need for cross-border data transfer for businesses that may also be subject to the requirements for data localization. It’s also not clear if businesses that must undergo security assessments run a higher risk of having the data localization rules imposed upon them.
The CAC has not yet provided any more information on the two other transfer procedures as of the current date. Particularly, the CAC has not released any sample or standard contracts that would enable parties to comply with Article 38.3 of the PIPL.
The Certification Specification does not serve as a certification plan outlining all the pertinent controls that a certification body may examine when a firm requests certification. Instead, it just gives a general overview of the standards that would probably be taken into account throughout the certification process. As a result, and in a misleading manner, the Certification Specification does not address several crucial concerns characteristic of certification of this kind, such as identifying accredited certification bodies or outlining how the certification process would be managed by such certification bodies. As a point of reference, Article 9 of the Draft Measures states that the security assessment will take into account whether the contract between the overseas recipient and the data processing entity “fully stipulate(s) the responsibilities and obligations of data security protection,” as explained by the CAC.
The Certification Specification is similar to the GDPR’s EU Binding Corporate Rules (“BCR”) in many ways. For example, both outline specific information that must be included in a contract that is enforceable and legally binding between the parties and is intended for usage by international corporations. There are some noticeable distinctions, though. Notably, the BCR requires the EU party with delegated responsibilities to submit to the jurisdiction of the EU courts or other competent authorities if a non-EU party violates the BCR, unlike the Chinese Certification Specification, which requires the overseas recipient to agree to accept the supervision of the Chinese certification body and “accept the jurisdiction of the relevant Chinese laws and regulations on personal information protection.”