New requirements in force for cross-border data transfers from China

Personal data processors whether in mainland China or abroad wishing to transfer personal data outside of mainland China must obtain a separate consent from the relevant individual. In addition, data processors are also required to meet one of the following conditions: passing a security assessment conducted by the cyberspace administration authorities of China (CAC); obtaining personal information protection certification issued by a CAC-accredited institution; entering into standard contracts issued by the CAC; or other conditions as specified in the mainland laws and regulations.

Jennifer Wu of Pinsent Masons said: “Further guidance is being developed in this regard and it is prudent for companies preparing for compliance with the PIPL to review the results from their data mapping exercise and conduct an impact assessment for the data transfer outside of mainland China.”

Violation of the PIPL could result in a fine of up to RMB 50 million (US$7.9m) or 5% of the previous year's annual revenue. Other administrative penalties that may be imposed by the departments performing personal information protection duties include business suspension and revocation of the relevant business licence or operating permit. There is also personal liability for those performing data protection duties.

The CAC has also issued "Draft Measures on Security Assessment of Cross-Border Data Transfer" (the Draft Measures) for carrying out security assessments on cross-border data transfers. Data processors are required to conduct self-assessment of cross-border data transfer risks before transferring data abroad. This self-assessment includes consideration of the legality, justifiability and necessity of the cross-border data transfer; the volume, scope and sensitivity of the cross-border data transfer; the measures taken by the processor to ensure data security; and the ability of the overseas data recipient to protect the data.