Out-Law / Your Daily Need-To-Know

New requirements in force for cross-border data transfers from China

Out-Law News | 16 Feb 2022 | 2:00 am | 1 min. read

China's Personal Information Protection Law (PIPL) came into force on 1 November 2021, setting new requirements on the transfer of personal data from China to other jurisdictions.

Personal data processors whether in mainland China or abroad wishing to transfer personal data outside of mainland China must obtain a separate consent from the relevant individual. In addition, data processors are also required to meet one of the following conditions: passing a security assessment conducted by the cyberspace administration authorities of China (CAC); obtaining personal information protection certification issued by a CAC-accredited institution; entering into standard contracts issued by the CAC; or other conditions as specified in the mainland laws and regulations.

Jennifer Wu of Pinsent Masons said: “Further guidance is being developed in this regard and it is prudent for companies preparing for compliance with the PIPL to review the results from their data mapping exercise and conduct an impact assessment for the data transfer outside of mainland China.”

Violation of the PIPL could result in a fine of up to RMB 50 million (US$7.9m) or 5% of the previous year's annual revenue. Other administrative penalties that may be imposed by the departments performing personal information protection duties include business suspension and revocation of the relevant business licence or operating permit. There is also personal liability for those performing data protection duties.

Jennifer Wu

Jennifer Wu

Senior Associate

It is prudent for companies preparing for compliance with the PIPL to review the results from their data mapping exercise and conduct an impact assessment for the data transfer outside of mainland China.

The CAC has also issued "Draft Measures on Security Assessment of Cross-Border Data Transfer" (the Draft Measures) for carrying out security assessments on cross-border data transfers. Data processors are required to conduct self-assessment of cross-border data transfer risks before transferring data abroad. This self-assessment includes consideration of the legality, justifiability and necessity of the cross-border data transfer; the volume, scope and sensitivity of the cross-border data transfer; the measures taken by the processor to ensure data security; and the ability of the overseas data recipient to protect the data.

Data centre

The Draft Measures also set out the terms that should be included in data transfer contracts, such as the purpose and method of the recipient’s handling and processing of the data, where the data is kept, the retention period of the data and restrictions on its re-transfer where applicable, and the handling of data breaches.

Critical data infrastructure operators and specific categories of processors are required to store personal data on the mainland. If it is necessary to transfer personal data outside of mainland China, it must pass a security assessment organised by the national internet information department, unless otherwise exempted by other regulations.

In November 2021, the CAC also released the draft Regulations on Network Data Security Management (Draft Regulations), imposing additional requirements on data processors listed or planning to be listed outside of China. Companies listed in the Hong Kong Special Administrative Region are also subject to cybersecurity review if doing so could affect national security.

Companies that process the personal data of more than one million users must undergo a cyber security review if they plan to list overseas. According to the Draft Regulations, large internet platform operators should submit a report to the CAC if they want to set up their headquarters, operation centres or R&D centres abroad. Data processors affected by the new rules will be required to submit their annual data security assessments to the CAC before 31 January every year.