Part 3: PIPL’s Localization Requirements and Restrictions on Responding to Foreign Judicial and Enforcement Agencies

Cooley LLP

Localization requirements

China’s Personal Information Protection Law (PIPL) requires that operators of critical information infrastructure (e.g., China Mobile) and personal information processors that process personal information in an amount that reaches “the threshold specified by” the Cyberspace Administration of China (CAC) store personal information collected and generated in China locally.[1] These entities can only export personal information when it is necessary (this may include for a business purpose) and after passing a security assessment administered by the CAC.[2]

As discussed in our first blog post of this series, in October 2021, the CAC released for public comment the draft Security Assessment Measures for Cross-Border Data Transfer, which provide further clarity on the scope, criteria and process for carrying out a security assessment. Under the such draft, the threshold specified by the CAC is set as:

  • The personal information processor has processed personal information of more than 1 million individuals.
  • The personal information processor has cumulatively transferred personal information of more than 100,000 individuals or has cumulatively transferred sensitive personal information of more than 10,000 individuals.

Notably, sectoral regulations may also impose data localization requirements on specific sectors. For example, the Provisions on the Management of Automotive Data Security (for Trial Implementation), effective October 1, 2021, impose localization requirements on the “important data” processed by “automobile data processors.”[3] Such important data include, among other things, “personal information of more than 100,000 individuals.”[4]

Responding to requests by foreign judicial and enforcement agencies

The PIPL also introduces a “blocking statute” that restricts personal information processors from providing personal information stored within China to foreign judicial or enforcement agencies. Under the PIPL, without the prior approval of a competent Chinese authority, no personal information processors are allowed to respond to requests of foreign judicial or enforcement agencies for providing personal information stored in China.[5]

However, the blocking statute under the PIPL leaves several key questions unanswered, including what personal information might be considered as “stored” in China (i.e., whether personal information that’s already legally transferred to overseas and subsequently stored outside of China is in scope), and what is the process for obtaining approval for providing personal information to foreign judicial or enforcement agencies.

Companies with a US presence may recognize that this restriction could conflict with US compelled disclosure laws, such as the Clarifying Lawful Overseas Use of Data (CLOUD) Act,[6] the Foreign Intelligence Surveillance Act of 1978[7] and the Electronic Communications Privacy Act.[8] Under these laws, companies that receive valid legal process (e.g., a subpoena) must comply with those requests for data or face civil or criminal penalties. These requirements apply regardless of the nationality of the data subject and where the data is stored. The CLOUD Act provides a way for companies to challenge requests for stored communications and requires courts to conduct a limited comity analysis when determining whether to block such requests. However, in our view, it is unlikely that a US court would consider PIPL compliance a valid reason to not comply with the US legal process. Also, if the data is stored concurrently in China and the US – for example, if the data originated in the US or was transferred there via a valid PIPL cross-border data transfer – the court could require the data to be produced from US storage.

The European Union’s GDPR doesn’t contain specific provisions on requests from authorities for personal information. However, companies that transfer personal information to third countries may do so on the basis of a data transfer mechanism under the GDPR – the standard contractual clauses (SCCs) – which contain detailed provisions in the event of a request from a public authority that, among other obligations, oblige the data importer (i.e., the recipient of the personal information in the third country) to notify the data exporter (and, where possible, the data subject) of such a request, and to review and potentially challenge the legality of such request.

It remains to be seen how Chinese and US authorities intend to enforce these seemingly disparate requirements. Operationally, some companies may seek to add clauses to data processing agreements that mirror those contained within the SCCs. These clauses would require US-based data processors to make best efforts to decline requests from US authorities that conflict with the PIPL, and to notify the personal information processors when receiving and responding to such government requests.


[1] PIPL Article 40.

[2] Id.

[3] Provisions on the Management of Automotive Data Security (for Trial Implementation) Article 11.

[4] Provisions on the Management of Automotive Data Security (for Trial Implementation) Article 3.

[5] PIPL Article 41.

[6] 18 USC § 2523.

[7] 50 USC § 1801 et seq.

[8] 18 USC § 2510 et seq.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Cooley LLP

Written by:

Cooley LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Cooley LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide