As explained in our previous blog post, in addition to the requirements for adopting a cross-border transfer mechanism, China’s Personal Information Protection Law (PIPL) and the European Union’s General Data Protection Regulation (GDPR) set out further compliance obligations on the cross-border transfer of personal information.[1]
Before controllers (under the GDPR) or personal information processors (under the PIPL) in China can transfer personal information across China's borders, certain requirements generally must be satisfied regardless of the transfer mechanism and the status of the personal information processor (e.g., whether or not it operates critical information infrastructure or processes a "large amount" of personal information).
As a general requirement, the PIPL mandates that all personal information processors take necessary measures to ensure that the personal information processing activities of overseas recipients meet the level of protection set forth under the PIPL.[2] In practice, based on our observations, common ways of discharging this obligation are imposing contractual obligations on data importers regarding how they must process the received personal information and granting data exporters an audit right.
Comparison table of relevant compliance requirements for personal information processors under the PIPL and controllers under the GDPR
As the final installment in this series, our next blog post discusses the localization requirements and restrictions on responding to requests of foreign judicial and enforcement agencies under the PIPL.
[1] Because the CCPA doesn’t regulate the transfer of personal information across international borders, this post doesn’t discuss the CCPA.
[2] PIPL Article 38.
[3] PIPL Article 39.
[4] Id. We’ve also seen a different interpretation, which is that separate consent isn’t required. In that interpretation, Article 13 of the PIPL indicates that if a company relies on a non-consent basis for processing certain personal information (e.g., relying on “necessary for the performance of contract” as a lawful basis), it doesn’t need to obtain a separate consent before transferring such personal information overseas.
[5] Under Article 55 of the PIPL, an internal personal information protection impact assessment will be triggered under the following circumstances: (i) processing sensitive personal information; (ii) processing personal information for automated decision making; (iii) entrusting vendors to process personal information, sharing personal information with other personal information processors or publicly disclosing personal information; (iv) transferring personal information outside of China; and (v) other processing activities that may result in significant impact on the rights and interests of individuals.
[6] PIPL Articles 55 and 56.
[7] PIPL Article 56.
[8] Published on November 19, 2020, and effective June 1, 2021, this guidance from China’s State Administration for Market Regulation and Standardization Administration specified that the assessment for the cross-border transfers must refer to other guidance specifically for such situations.
[9] Draft Security Assessment Measures for Cross-Border Data Transfer Article 5.
[10] Id.
[11] The European Data Protection Board has produced draft recommendations on supplementary measures, which may assist data controllers and processors.
[12] PIPL Article 42.
[13] PIPL Article 43.