News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Top 5 operational impacts of China's PIPL — Part 5: International data transfers Related reading: Top 5 operational impacts of China’s PIPL — Part 4: Penalties and enforcement mechanisms

rss_feed

""

Editor's Note:

The entire five-part series, the “Top 5 Operational Impacts of China’s PIPL,” is available in the IAPP Resource Center.

China’s Personal Information Protection Law, which is still in the process of being fleshed out through implementing regulations and official guidance, provides a regulatory framework that governs the cross-border transfer of personal information. This article focuses on PIPL and the transfer mechanisms it proposes to safeguard personal information transferred out of China.

Note that the PIPL is only one piece in the patchwork of Chinese legislation that addresses cross-border data transfers, as explained in our previous article. While the PIPL governs the transfer of personal information, China’s Cybersecurity Law and Data Security Law regulate the cross-border transfer of so-called important data, a concept which itself continues to evolve and develop through regulatory guidance. While this is not a topic that will be addressed in this piece, we note that it could be of significance to many companies operating in China.

Scope of the PIPL cross-border data transfer rules

The PIPL applies to personal information, which refers to electronic (or otherwise recorded) information related to identified or identifiable natural persons, excluding anonymized information.

The PIPL uses the term personal information processing entity to refer to an “organization or individual that independently determines the purposes and means for processing of personal information” (Article 73). This appears to be the Chinese law equivalent of the data controller concept under the EU General Data Protection Regulation.

In general, a processing entity that plans to transfer personal information to entities outside China is required to (i) provide individuals with certain specific information about the transfers and obtain separate consent (Article 39), (ii) adopt necessary measures to ensure that the overseas recipients can provide the same level of protection as required under the PIPL (Article 38) and (iii) carry out a personal information protection impact assessment (Article 55). 

Note that even Article 39 explicitly requires companies to obtain separate consent for the purpose of a cross-border data transfer and that the text itself does not spell out any exceptions. Furthermore, it is unclear whether separate consent would still be required when consent was not the legal basis for processing at the point of collection. For example, it might be impractical for companies to obtain separate consent from data subjects if a company processes publicly available information relying on Article 13.6, which does not require consent at the point of collection. Further regulatory guidance might be offered on this point at a later stage.

On top of the generally applicable requirements distilled above, Article 38 offers three transfer mechanisms for companies wishing to transfer personal information outside of China. We explain these three transfer mechanisms below. 

How transfer mechanisms work under the PIPL

The three transfer mechanisms offered by PIPL include security assessment, standard contractual clauses and certification. The applicability of these mechanisms depends on the characteristics of the operators.

Critical information infrastructure operators and others processing a “large volume” of personal information will need to undergo a security assessment administered by the Cyberspace Administration of China if they wish to transfer personal information outside China. The proposed process for the security assessment is described in the draft Measures for the Security Assessment of Cross-border Data Transfer, discussed below.

Non-CIIOs that do not meet the thresholds as set out in these Draft Measures do not need to go through a security assessment, but must choose one of the following lawful transfer mechanisms:

  1. Obtaining personal information protection certification issued by professional institutions in accordance with rules specified by the CAC.
  2. Entering into agreement based on SCCs stipulated by the CAC with the data recipient outside China.

Article 38 did provide a “catch all” provision that predicates a transfer on the satisfaction of other conditions stipulated by laws and regulations, but there is no information about what those other conditions might be at this point.

1. Security assessment

The first transfer mechanism detailed in the PIPL is security assessment. On Oct. 29, 2021, the CAC released the Draft Measures for public comment. Note that the CSL, DSL and PIPL all require companies to meet certain conditions to undergo a security assessment but do not provide further details. Therefore, the Draft Measures were released to further implement the security assessment requirements under all three fundamental laws.

In this section, we explain which entities are subject to a security assessment, how a security assessment works, what is assessed and what remains uncertain.

Who is subject to a security assessment under the PIPL?

The first group of entities subject to the security assessment are CIIOs. Article 40 provides that CIIOs store within China any “citizens’ personal information and important data” collected or generated in the course of operations within the country. If international transfers of data are necessary for operational reasons, a security assessment must be conducted by designated agencies unless otherwise specified by law. Any cross-border transfer of personal information by CIIOs will be subject to a security assessment.

Under Article 4 of the Draft Measures, other than CIIOs, a Chinese processing entity needs to apply to the CAC for a security assessment if it either:

  1. Processes personal information of over one million individuals.
  2. Has cumulatively transferred personal information of more than 100,000 individuals or has cumulatively transferred sensitive personal information of more than 10,000 individuals.

“Sensitive personal information” is defined under the PIPL as “personal information that, once leaked, or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, specially-designated status, medical health information, financial accounts, information on individuals’ whereabouts, as well as personal information of minors under the age of 14” (Article 28).

Note that a processing entity that transfers important data out of China is also subject to the security assessment requirement.  

How does a security assessment work?

Article 6 of the Draft Measures requires data processing entities to submit the following materials when applying for the security assessment for cross-border data transfer:

  1. Application form.
  2. Self-assessment report.
  3. The agreement to be entered into between the data processing entity and the overseas recipient or other legally binding documents.
  4. Other materials required for the security assessment.

The high-level workflow of the security assessment process is summarized in the chart below.

 

So far, the CAC has not released the template application form or any template self-assessment report.

What is the security assessment assessing?

Article 8 of the Draft Measures lays out the following criteria the security assessment focuses on, including: the legitimacy and necessity of the purpose and method of the cross-border transfer; the level of protection offered to the transferred data under local laws and the recipient’s policies; the amount, type and sensitivity of the data, as well as risks of leakage, loss or illegal access during and after the transfer; and the adequacy of the agreement between the data processing entity and oversea data recipient.

What we still do not know about the security assessment

There remain several key uncertainties regarding the security assessments even after the release of the Draft Measures. For example, the Draft Measures are silent on the length of time for calculating cumulative transfers. Further, for group companies with multiple subsidiaries and affiliates, it is unclear whether the calculation of the number of individuals whose personal information has been processed or transferred overseas shall be conducted by each subsidiary and affiliate separately or by the group company altogether. While we had expected a final version of the Draft Measures to have been released—the current Draft Measures have not been updated since December 2021—such an update has not yet been published.

Finally, although outside the scope of this article, we also note that the Draft Measures focus on the security assessment for cross-border data transfers and do not provide specific rules on the data localization requirements. In other words, the Draft Measures do not clarify whether data localization is a pre-condition to cross-border data transfer for companies that might at the same time be subject to the data localization requirements. It is also unclear whether companies that are subject to the security assessment requirements would have a heightened risk in terms of having the data localization requirements applied to them.

2. Standard contractual clauses

As of today’s date, the CAC has not yet released further guidance on the two other transfer mechanisms. In particular, there have been no template or standard contracts published by the CAC that would allow parties to satisfy the requirements of Article 38.3 of the PIPL.

However, the Draft Measures do give some guidance on what the CAC may expect to see in such transfer contracts. For reference, Article 9 of the Draft Measures indicates that the security assessment will include an evaluation of whether the contract between the data processing entity and the overseas recipient “fully stipulate(s) the responsibilities and obligations of data security protection,” which the CAC explains shall include:

  1. The purpose, method and scope of transferred data, and the use and method of data processing by the overseas recipient.
  2. The overseas location that will retain the transferred data and the retention period of such data, as well as the measures to be taken when the retention period is reached, the agreed purpose has been achieved or the contract is terminated.
  3. Provisions that restrict the overseas recipient from re-transferring the data to other organizations and individuals.
  4. Security measures to be taken by the overseas recipient in the event of a material change in its actual control or business scope, or a change of the legal environment of the country or region where the recipient is located, which makes it difficult to safeguard the data security.
  5. Liability for breach of the obligations of data security protection as well as binding and enforceable dispute resolution provisions.
  6. In the event of risks such as data leakage, properly implementing emergency response measures and ensuring convenient means are available for individuals to safeguard their personal information rights and interests.

Even in light of the above, the lack of guidance regarding the standard contractual clauses creates considerable uncertainties as we expect many companies will need to rely on standard contractual clauses for most of their international transfers.

Expected timeline

Late last year, the CAC publicly stated it is working on the draft standard contracts, although no indication has been given when such drafts will be released for public comment.

Inferring from the standard Chinese regulatory rule-making process, once the draft SCCs are released, it is likely there will be a public comment period of one month. After that, it will likely take regulators an additional period of several months to finalize the rules, although it is difficult to predict when the final rules will take effect.  

3. Certification

Lastly, Article 38.3 of the PIPL states that when personal information processing entities need to transfer personal data outside of China, the final transfer mechanism is to obtain a “personal information protection certification” offered by “professional institutions” in accordance with CAC rules. As with the standard contractual clauses, the CAC is working on guidance on the process of obtaining a personal information protection certification, but no guidance has yet been released. This is also no indication when the certification rules might be published.

We will continue to monitor these developments and encourage businesses that may be transferring personal information outside of China to do the same.

Photo by Liam Read on Unsplash

 


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Authors
Headshot Irina Danescu IAPP Member Contributor
Headshot Vicky Liu Nonmember Contributor
Headshot Yan Luo IAPP Member Contributor
Tags
Asia-Pacific
Privacy Law
Transborder Data Flow
2 Comments

If you want to comment on this post, you need to login.

  • comment Yuanping Zhang • Mar 18, 2022 
    Referring "Note that even Article 39 explicitly requires companies to obtain separate consent for the purpose of a cross-border data transfer and that the text itself does not spell out any exceptions. Furthermore, it is unclear whether separate consent would still be required when consent was not the legal basis for processing at the point of collection",   the separate consent should be obtained either which legal basis is applied for PI processing.   The article 14 of PIPL clearly specifies that "Where laws and administrative regulations provide that the processing of personal information shall be subject to the separate consent or written consent of the individual concerned, such provisions shall prevail.  "  

PIPL regulates five circumstances in which separate consent is necessary :  1) sharing PI(A23); 2) publicly release PI(A25);  3) use the PI collected through monitoring in public place for non-public security purpose (A26);  4) processing sensitive PI (A29);  5) CBDT (A39)

Regards,
Thomas
  • comment Kristina Mittra • Aug 16, 2022 
    I'm very curious about the practical implications of the separate consent. Especially, when it is to meet a customer's request (e.g. an enquiry submitted through a Contact Us form, to deliver products or services, or even processing personal data of employees who are based in China, etc.). Havnig a separate consent when we've sourced information from public registers/records - I can't imagine it's feasible to be going to every separate individual and ask them for a consent.
Related Stories
Related Stories
Tags
Asia-Pacific
Privacy Law
Transborder Data Flow
Recent Comments