With China’s PIPL (Personal Information Protection Law), restrictions on cross-border data transfers have been tightened. They remain authorized but are very supervised, with some stricter data localization rules. There are three main mechanisms to export data: security assessment, certification and standard contractual clauses.
More details can be found in the research article “China Data Flows and Power in the Era of Chinese Big Tech” that I co-wrote with Prof. Gregory Voss, to be published in the Northwestern Journal of International Law & Business.
1. PIPL clarifies data localization and data transfer obligations
The Chinese Cybersecurity Law of 2016 had introduced in China the need to pass a security assessment before transferring data out of China. But apart from vaguely listing certain conditions triggering the obligation, the law did not specify anything more. Two draft guidelines had been published but never finalized. Companies, therefore, faced great legal uncertainty, particularly on data localization issues.
With the entry into force of the PIPL in 2021, these conditions have become clearer. It was now known that data transfers outside China could be carried out in three ways. Either via a certification mechanism similar to the Binding Corporate Rules of the GDPR; via standard contractual clauses which, here too, recall the equivalent European mechanism; or via a security assessment, this time specific to Chinese law. The PIPL also requires a Personal Information Protection Impact Assessment (PIPIA) before any data transfer, similar to our European DPIA.
However, many details were still missing to enable these obligations to be applied and, above all, to know to whom and when they were actually applicable. Since the summer of 2022, the data transfer mechanism in China is now clearer.
2. Certification (Chinese BCR): unlikely to be widely used in practice
In Europe, BCRs are a way for multinationals to transfer data between their different entities. However, they are little used in practice, in particular because of the difficulty of bringing a BCR project to fruition, which must ultimately be approved by a data protection authority such as the CNIL in France.
In China, the intra-group data transfer mechanism introduced by PIPL is a certification. Draft guidelines were published (link in Chinese) on June 24, 2022 by the TC260. This details the elements, in particular contractual, to be put in place and reiterates the need to carry out a PIPIA. A certification body will have to validate the project. However, to date, no certification body has yet been designated.
It is still only a draft, but the certification mechanism isn’t welcomed with great enthusiasm by some observers, who consider it potentially expensive and difficult to set up.
3. PIPL’s Standard contractual clauses: similar to GDPR’s SCCs
The draft PIPL Standard Contractual Clauses was published (link in Chinese) by the CAC on June 30, 2022, for public consultation. As the deadline for submitting comments has passed since July, a new version should arrive soon. The rules first recall in which cases an organization can use these clauses for a data transfer. Otherwise, a security assessment will be necessary. Thus, companies can use Chinese SCCs if they are not critical information infrastructure operators, that have exported the data of less than 100,000 people since January 1 of the previous year or less than 10,000 people in case sensitive data.
In the same way as for certification, a PIPIA must be carried out, analyzing in particular the regulatory context of the country where the data is sent. The Chinese SCCs form a unique whole: to date, they do not include the distinction that exists in Europe between transfers from manager to manager, from manager to subcontractor, etc. Other differences relate in particular to the obligation of notification, stricter obligations for onward transfers, or more constraints in the provision of information to foreign authorities.
4. State-led security assessment for a data transfer: cumbersome but often mandatory
In China, unlike in Europe, certification or SCCs are possible means of data transfer only for cases considered to be the least risky. Outside of these situations, a security assessment conducted by the State is mandatory. Guidelines have been adopted and have been applicable since September 2022.
4.1. When is the security assessment mandatory?
The guidelines are specific on the thresholds above which a security assessment is necessary. Many multinationals are concerned.
- When the data handler provides “important data” abroad;
- Operators of critical information infrastructures and data handlers processing the personal data of more than one million people and exporting personal data abroad;
- Entities providing abroad the personal information of more than 100,000 people or the “sensitive data” of more than 10,000 people since January 1st of the previous year;
- Other circumstances where the State Cybersecurity and Informatization Department provides a data export security assessment should be requested.
4.2. What is the content of a PIPL security assessment?
The content of the assessment is quite similar to that of a PIPIA (Chinese DPIA). This is a risk analysis that includes the level of protection offered in the destination jurisdiction of the data, in addition to the compliance of the data importer. This level is assessed against that guaranteed by the PIPL; which is reminiscent of the term “substantially equivalent level of protection” used in the context of the GDPR.
It is important to note here that, unlike the GDPR, the PIPL considers the consequences on China’s national security and economic and political stability in its security assessment. Thus, some data may be sensitive for individuals but also for the Chinese state. A PIPL training will allow you to become fully aware of these Chinese nuances.
Many administrative details are given (documentation to be provided, deadlines, etc.) including in additional guidelines also published in 2022. If successful, the authorization is valid for two years.
5. The path to PIPL compliance, data transfer and data localization
Obviously, the subject of data transfers out of China only arises after verification of the compliance of the processing with the PIPL as a whole. Without this, there is no chance of being able to export Chinese data. It is therefore essential that the stakeholders in China, but also those who will receive the data (in France, for example), undergo adequate PIPL training. Without proof that the data will be received by people trained in the PIPL, there is little chance of being authorized to take them out of mainland China.
As we can see, data localization rules in China are strong. Transfers are very restricted. There are many similarities with the European rules, but the Chinese differences are very significant. They can drastically affect the data exchanges of a multinational.