China: new rules for cross-border data transfers

31 August 2022

Introduction to the Personal Information Protection Law

During the summer of 2021, the Standing Committee of the National People's Congress of the People's Republic of China enacted the Personal Information Protection Law (in Chinese: "中华人民共和国个人信息保护法", briefly "PIPL"), which came into effect as of 1st November 2021, and which has many elements in common with the principles and provisions of the General Data Protection Regulation no. 2016/679 ("GDPR").

Among other things, the PIPL also contains provisions on the transfer of personal information outside the borders of the People’s Republic of China. In this document, we analyze how controllers of personal information can carry out overseas transfer activities.

In particular, this document aims to clarify how companies (including European companies) that operate in Chinese territory, provide products or services there, or analyze or assess the activities of individuals located there can carry out cross-border data transfer activities in compliance with the PIPL and other relevant laws and regulations.

Cross-border data transfers

Pursuant to Article 38 of the PIPL, whenever controllers of personal information (the PIPL equivalent of a controller under the GDPR) “truly need” (in Chinese “需要”) to transfer personal information outside the borders of the People’s Republic of China for business or other such requirements, such controllers shall meet one of the following conditions:

  • passing the security assessment carried out by the Cyberspace Administration of China (“CAC”) pursuant to Article 40 of the PIPL and the Measures for Data Export Security Assessment (the “Measures”, in Chinese "数据出境安全评估办法", available only in Chinese);
  • obtaining certification carried out by professional institutions pursuant to the provisions issued by the CAC;
  • entering into a contract, in accordance with the standard contract formulated by the CAC, with the foreign receiving party, stipulating and agreeing the rights and obligations of both parties;
  • other conditions and/or requirements provided for by other laws or administrative regulations, or in the rules set by the CAC.

Furthermore, pursuant to Article 39 of the PIPL, whenever controllers of personal information transfer personal information outside of the borders of the People’s Republic of China, they shall:

  1. inform individuals about the foreign receiving party’s name or personal name, its contact information, processing purposes, means of processing, categories of personal information involved, as well as the ways and procedures for them to exercise the rights provided in the PIPL towards the foreign receiving party, and other such matters; and
  2. obtain individuals’ separate consent for the transfer of personal information.

The Measures for Data Export Security Assessment

Pursuant to Article 40 of the PIPL, whenever critical information infrastructure operators[1] and controllers of personal information meet the threshold provided by the CAC, they shall store personal information collected and processed within the borders of the People’s Republic of China domestically. In case they need to transfer personal information abroad, they must first pass a security assessment carried out by the CAC.

Therefore, controllers of personal information must determine whether they meet the threshold provided by the CAC and, where applicable, pass the security assessment carried out by the CAC.

In addition to the PIPL, on 7th July 2022 the CAC released the Measures, which will come into effect on 1st September 2022, with a six-month grace period for controllers of personal information to obtain approval from the CAC (namely, existing data export activities must be remediated by 1st March 2023).

In particular, the Measures apply to controllers of personal information that transfer data overseas where the personal information exporter:

  • transfers important data[2] overseas;
  • is designated as a critical information infrastructure operator;
  • may process the personal information of more than 1 million individuals and intends to carry out overseas transfer activities;
  • processes the personal information of 100,000 individuals or the sensitive information of 10,000 individuals since 1 January of the previous year; or
  • is required to carry out a security assessment by the CAC based on other relevant laws and regulations.

In the above cases, a controller of personal information who intends to transfer data overseas must apply for approval from the CAC, submitting the required materials (i.e., the application form, the self-assessment report, the legal documents concluded between the controller of personal information and the overseas recipients, and any other required materials) and waiting for the result of the security assessment carried out by the CAC.

However, before exporting any data and before any submission to the CAC, the controller must carry out a self-assessment, as provided for by Article 5 of the Measures.

Specifically, the Measures highlight that the self-assessment should focus on, inter alia, the responsibilities and obligations to which the foreign receiving party is subject, the risk of the data being tampered with, destroyed, or leaked, and whether the data transfer contracts or other legally binding documents to be concluded with the overseas recipient fully stipulate the responsibilities and obligations for data security protection.

The controller shall draft a self-security assessment report that should then be submitted to the local CAC together with a completed application form and the relevant contract and any other legally binding documents concluded with the overseas recipient.

The local CAC will carry out a preliminary review of the submitted documentation and forward it to the national CAC for the security assessment; the national CAC will then issue an approval note. The approval by the national CAC has a validity period of 2 years from the date of issuance of the assessment result, except in specific circumstances, arising within the validity period, that require a new security assessment.


[1] The regulations define critical information infrastructure operators as companies, including foreign companies, engaged in “important industries or fields”, including telecommunication and information services, energy, transport, water, finance, public services, national defense, and any other important network facilities or information systems that may seriously harm national security, the national economy and people’s livelihoods, or public interest in the event of incapacitation, damage, or data leaks.

[2] Pursuant to Article 19 of the Measures, the term “important data” mentioned in the Measures refers to data that, once tampered with, destroyed, leaked, or illegally obtained or used, may endanger national security, economic operation, social stability, public health and safety, etc.

2024 - Morri Rossetti
