Feature Articles on China’s Personal Information Protection Law (3) – Special Regulations and Requirements on Cross-Border Data Transmission (Mainland China)

Joyce Wen, Elva Chuang and Teresa Huang[1]

In this globalized world, cross-border transfer of information is not only common but critical for companies, whether multinational or domestic, that wish to leverage a customer base or service providers outside their own national borders. Entities that wish to conduct cross-border transfers of personal information of citizens of the People’s Republic of China will need to ensure that they comply with the requirements and restrictions under the newly promulgated Personal Information Protection Law of the People’s Republic of China (“PIPL”). This article explains in detail the rules on cross-border information transfer in the PIPL so as to help businesses avoid the associated legal risks.

1. The Four Legal Requirements for Cross-border Information Transmission

According to Article 38 of the PIPL, if a personal information processor as defined in the PIPL plans to transfer personal information abroad, it must meet one of the following legal requirements before doing so: (1) pass the security assessment by the National Network Information Department; (2) obtain, from a professional institution and in accordance with the rules of the National Network Information Department, approval of its personal information protection; (3) enter into a standard contract formulated by the National Network Information Department with the foreign receiving party specifying the rights and obligations of both parties; or (4) satisfy other conditions set forth by law, administrative regulations, or the National Network Information Department.

However, it should be noted that under certain circumstances, cross-border transfer of certain information must pass the security assessment by the National Network Information Department. As stipulated by Article 40 of the PIPL, operators of critical information infrastructure[2] and processors who process personal information exceeding the volume prescribed by the National Network Information Department shall, in principle, store domestically the personal information they collect and generate within the country. If such processors genuinely need to transfer personal information abroad, they must pass the security assessment conducted by the National Network Information Department, unless otherwise provided by law, administrative regulations, or the National Network Information Department. Currently, the central authority has yet to provide a clear statement regarding the volume of personal information at which the security assessment is required. Nonetheless, Article 9 of the “Measures for Outbound Security Assessment of Personal Information and Critical Data (Draft for Comment)”[3] may serve as a provisional reference: it states that those who transfer personal information exceeding 1000GB in size to foreign territory, or who control the personal information of more than 500,000 information subjects cumulatively, shall apply for a security assessment. However, since the above draft measures are still at the comment-solicitation stage, attention should still be paid to the notices and relevant measures issued by the competent authorities in the future.

2. “Inform & Consent” rules on Cross-border Information Transfer

In addition to meeting the above requirements, Article 39 of the PIPL also provides clear rules on the procedure for cross-border transfer of personal information. It requires that a personal information processor providing information abroad shall inform the information subjects of the name and contact information of the overseas receiver, the purpose and methods of processing, the type of information collected, and the methods and procedure for exercising their rights guaranteed under the PIPL, and must also obtain the information subjects’ consent.

3. Supervising the Cross-border Information Receiver

The cross-border transfer of personal information involves domestic information providers and overseas information receivers. Since it is more difficult to enforce information protection obligations on the receiving end of a cross-border information transfer, the PIPL indirectly enforces such obligations by imposing restrictive rules on the domestic information providers. Article 38, Paragraph 3 of the PIPL introduces the “equal protection standard” requirement, which requires personal information processors to take the necessary measures to ensure that the overseas information receiver’s activities meet the protection standards under the PIPL.

The effort to supervise overseas receivers is also present in Article 42 of the PIPL, which stipulates that the National Network Information Department may place overseas entities whose activities infringe the personal information rights of citizens of the People’s Republic of China, or threaten its national security or public interests, on a blacklist and restrict or prohibit the provision of personal information to such overseas entities. Such a mechanism can, to a certain extent, compensate for the difficulties of supervising overseas receivers while also prompting these overseas receivers to perform their obligations.

4. Suggestions for Businesses That Engage in the Cross-border Transfer of Personal Information

(1) Establish an internal system for controlling the cross-border transfer of personal information as soon as possible. The management and operating procedures shall at least cover the collection, storage, use, processing, transfer, provision, publication, and deletion of personal information.

(2) Improve employee education and training on information security. Strengthen employees’ awareness of personal information security and expand personnel education and training to cover the laws, regulations, and operating procedures relevant to personal information protection.

(3) Strengthen categorized management of personal information by ranking personal information according to its sensitivity level, and take appropriate security measures for each level.

(4) When a cross-border transfer involves entering into a contract with the overseas receiver, such contract should be as detailed as possible, including but not limited to a clearly defined purpose, content, and context of the transfer, and the rights, obligations, and responsibilities of both parties, so as to effectively allocate responsibilities and avoid risks.

(5) Become familiar with the local laws and regulations of the receiving territory. The PIPL expressly requires overseas personal information processors to apply the same level of protection as applied domestically. Accordingly, transferring personal information to countries with comprehensive laws and regulations on personal information protection carries correspondingly less legal risk.

[1] The authors are lawyers and of-counsel at Shanghai Lee, Tsai & Partners. However, the contents of this article merely reflect personal opinions and do not represent the position of this law firm.

[2] Article 2 of the Regulation on Protecting the Security of Critical Information Infrastructure: For the purposes of this Regulation, critical information infrastructure (hereinafter referred to as “CII”) means any material network facilities and information systems in important industries and fields—such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, and science, technology and industry for national defense—and others that may seriously endanger national security, the national economy and people’s livelihood, and public interests in the event that they are damaged, lose their functions, or have their data leaked.

[3] Article 9 of the Measures for Outbound Security Assessment of Personal Information and Critical Data (Draft for Comment): Network operators whose outbound data transfers involve any of the following circumstances shall apply to the industry director or regulatory department for a security assessment:

(1) controlling personal information of more than 500,000 information subjects at once or cumulatively;

(2) transferring data size exceeding 1000GB;

(3) including data on nuclear facilities, chemistry and biology, national defense and military industry, population health and other fields, large-scale engineering activities, the marine environment, and sensitive geographic information;

(4) including network security information, such as system vulnerabilities and security protection measures of critical information infrastructure;

(5) operators of critical information infrastructure transmitting personal information or key information abroad; or

(6) involving other factors that may affect national security or social public interests, where the industry authorities or regulatory authorities deem an assessment necessary.