Implications of China’s Personal Information Protection Law and Data Security Law for cross-border data transfers

For multinational corporations (MNCs) with local subsidiaries and affiliates in Mainland China, one of the most important business needs in everyday operations is the ability to freely share business data—including personal information relating to employees, customers and business contacts—between those local businesses and their headquarters (HQs). Now that the People’s Republic of China (PRC) Personal Information Protection Law (PIPL) and Data Security Law (DSL) both went into effect in 2021, MNCs should assess their information flows to ensure compliance with these important new data laws.

This article by Alex Roberts and Tiantian Ke of Linklaters Zhao Sheng summarises six key steps for handling the cross-border data transfer requirements under the Chinese data protection legal regime.

Step 1: Map your data flows

MNCs should map their data flows in and in and out of Mainland China, if they have already not done so when refreshing their data compliance strategies following the upheaval of the Schrems-II case on personal data protection in the European Union (EU) in 2020.[1] One of the key issues in mapping data flows for the PRC is to understand what constitutes a cross-border data transfer under Chinese law and, in particular, that it covers remote access from overseas to data stored in Mainland China. Although the PIPL is silent on the definition of a cross-border data transfer, guidance released in 2017 and instructions from officials have indicated a broad scope should be applied, covering both (i) the provision of PRC-originated data to an overseas entity directly or through business operations and provision of services or products; and (ii) remote access to PRC-originated data by an overseas entity.

For in-scope cross-border data transfers, MNCs should consider how to implement steps 2 to 6.

Step 2: Determine your role

There are two types of data recipients under the PIPL:

• A ‘personal information processor’ is defined as a person able to independently determine processing purposes and methods in personal-information processing activities, which is akin to the concept of a ‘data controller’ under the EU’s General Data Protection Regulation (GDPR).
• Another type of data recipient is an ‘entrusted party’ that is commissioned by a personal information processor to process information in accordance with that processor’s instructions. This role resembles a ‘data processor’ under the GDPR.

As personal information processors and entrusted parties have different responsibilities and obligations pursuant to the PIPL in a cross-border data transfer scenario (see steps 4–6 below), MNCs should consider the roles their HQs and Chinese business presences play, and put in place compliance measures accordingly. 

Step 3: Classify your data

Depending on the types of data involved, their ‘transfer’ may be subject to special conditions under the PIPL, the DSL and other PRC laws. Most of these conditions apply to personal information. However, if a transfer involves certain regulated data—such as data subject to certain industrial or sectoral rules, ‘important data’, or ‘core data’ as regulated in the DSL—further data localisation and security assessment requirements could apply.

Step 4: Conduct an impact assessment and/or a security self-assessment

A personal information processor should conduct a personal information protection impact assessment on the cross-border transfer. This assessment is similar to a data protection impact assessment under the GDPR. In addition, a set of draft measures released by the Chinese authorities further proposes requiring a security self-assessment before a data export. To satisfy the PIPL’s requirements, MNCs should carry out any necessary assessments before sharing PRC-originated data with overseas recipients.

Step 5: Disclose prescribed information and obtain separate consent

Before a cross-border transfer, MNCs’ local entities in Mainland China must clearly inform the individuals that the personal data belongs to of the details of the proposed transfer, and obtain their “separate consents”, unless other legal processing conditions are applicable. A vital—though challenging in practice—action point would be to update an MNC’s current privacy notices / policies with prescribed supplementary details describing overseas data recipients, and to obtain ‘unbundled’ consents from individuals to the transfer of their data to these recipients.

Step 6: Implement one statutory transfer mechanism

For MNCs that process data as critical information infrastructure operators in Mainland China, process important data, or process amounts of personal information over a certain threshold, they must pass a government-led security assessment before completing any cross-border data transfer. The assessment will remain valid for two years providing there are no changes to the circumstances. MNCs not subject to this burdensome requirement can choose one of the following transfer mechanisms:

• obtaining a personal information protection certification;
• contracting with the foreign receiving party based on the ‘standard contract’ formulated by the Cyberspace Administration of China; or
• as otherwise stipulated in the law.

Likely based on the GDPR’s ‘standard contractual clauses’ already familiar to companies, the ‘standard contract’ mechanism is expected to become the most popular approach for MNCs. However, almost half a year since the PIPL was launched, the template contract is yet to be released by the authorities. Once it becomes available, MNCs will need to prepare and execute revised data transfer agreements with overseas vendors and affiliates.

While none of these steps should prove insurmountable for international businesses, internal functions need to cooperate to ensure efficient implementation of the PIPL, so as to allow smooth communication with their HQs. Legal and compliance teams monitoring for developments and release of the pending templates and guidelines have an important role to play as gatekeepers and project managers in an increasingly regulated—even if ever more connected—international business environment.

Linklaters is a well-known global law firm, supporting clients in achieving their strategies wherever they do business around the world. It has more than 40 years’ experience of advising Chinese and international corporates, Chinese state-owned enterprises and financial institutions on their cross-border strategic deals. Their rich experience in China and strong track record have provided the Linklaters’ team an exceptional understanding of the local legal and economic landscape. They are able to not only call on the expertise of lawyers from the firm’s 31 offices globally, but also to get support for PRC legal advice through Linklaters Zhao Sheng, its joint operation office with Zhao Sheng Law Firm in the Shanghai Free Trade Zone. This joint operation brings together Linklaters’ long-standing international experience and Zhao Sheng’s PRC-law capabilities, offering a ‘one-stop shop’ service of both international and PRC legal advice seamlessly to clients.

[1] Sharp Cookie Advisors, Schrems II: a summary – all you need to know, GDPR Summary, 23^rd November 2020, viewed 17^th March 2022, <https://www.gdprsummary.com/schrems-ii/>