Introduction to the Personal Information Protection Law

During the summer of 2021, the Standing Committee of the National People's Congress of the People's Republic of China enacted the Personal Information Protection Law (in Chinese: "中华人民共和国个人信息保护法", briefly "PIPL"), which came into effect on 1 November 2021 and which has many elements in common with the principles and provisions of the General Data Protection Regulation no. 2016/679 ("GDPR"). Among other things, the PIPL also contains provisions on the transfer of personal information outside the borders of the People's Republic of China.

In this document, we analyze how controllers of personal information can carry out overseas transfer activities. In particular, this document aims to clarify how companies (including European companies) that operate, provide products or services, or analyze or assess the activities of individuals within Chinese territory can carry out cross-border data transfers in compliance with the PIPL and other relevant laws and regulations.

Cross-border data transfers

Pursuant to Article 38 of the PIPL, whenever controllers of personal information (the PIPL equivalent of a controller under the GDPR) "truly need" (in Chinese "需要") to transfer personal information outside the borders of the People's Republic of China for business or other such requirements, such controllers shall meet one of the following conditions:

Furthermore, pursuant to Article 39 of the PIPL, whenever controllers of personal information transfer personal information outside the borders of the People's Republic of China, they shall:

The Measures for Data Export Security Assessment

Pursuant to Article 40 of the PIPL, whenever critical information infrastructure operators[1] and controllers of personal information meet the threshold set by the Cyberspace Administration of China ("CAC"), they shall store personal information collected and processed within the borders of the People's Republic of China domestically. If they need to transfer personal information abroad, they must first pass a security assessment carried out by the CAC. Therefore, controllers of personal information must determine whether they meet the threshold set by the CAC and, if so, pass the security assessment carried out by the CAC.

In addition to the PIPL, on 7 July 2022 the CAC released the Measures, which come into effect on 1 September 2022, with a six-month grace period for controllers of personal information to obtain approval from the CAC (namely, existing data export activities must be remediated by 1 March 2023). In particular, the Measures apply to controllers of personal information that transfer data overseas where the personal information exporter:

In the above cases, the controller of personal information who intends to transfer data overseas must apply for approval from the CAC, submitting the required materials (i.e., the application form, the self-assessment report, the legal documents concluded between the controller of personal information and the overseas recipient, and any other required materials) and awaiting the result of the security assessment carried out by the CAC.

However, before exporting any data and before any submission to the CAC, the controller must carry out a self-assessment, as provided for by Article 5 of the Measures. Specifically, the Measures highlight that the self-assessment should focus on, inter alia, the responsibilities and obligations to which the foreign receiving party is subject, the risk of the data being tampered with, destroyed, or leaked, and whether the data transfer contracts or other legally binding documents to be concluded with the overseas recipient fully stipulate the responsibilities and obligations regarding data security protection.

The controller shall draft a self-assessment security report, which is then submitted to the local CAC together with a completed application form, the relevant contract, and any other legally binding documents concluded with the overseas recipient. The local CAC carries out a preliminary review of the submitted documentation and forwards it to the national CAC for the security assessment; the national CAC then issues the assessment result. The approval by the national CAC is valid for 2 years from the date of issuance of the assessment result, except where specific circumstances arising within the validity period require a new security assessment.

[1] The regulations define critical information infrastructure operators as companies, including foreign companies, engaged in "important industries or fields", including telecommunication and information services, energy, transport, water, finance, public services, national defense, and any other important network facilities or information systems that may seriously harm national security, the national economy and people's livelihoods, or the public interest in the event of incapacitation, damage, or data leaks.

[2] Pursuant to Article 19 of the Measures, the term "important data" mentioned in the Measures refers to data that, once tampered with, destroyed, leaked, or illegally obtained or used, may endanger national security, economic operation, social stability, public health and safety, etc.