Cross-Border Data Transfers Under the New PRC Data Protection Regime

China is poised to significantly update its current data-protection legal and regulatory framework through the upcoming passage of two key new laws: 1) the PRC Personal Information Protection Law (PIPL); and 2) the PRC Data Security Law (DSL). The PIPL and DSL will have wide-ranging impact on current data regulation practices, key among which will be the way these laws regulate the cross-border transfer of data, particularly where such transfer is to foreign authorities or for foreign investigations or judicial proceedings. Similar to other laws already on the books in China, the PIPL and DSL will require approval from the relevant Chinese authorities prior to conducting a cross-border data transfer to foreign judicial or enforcement authorities. This mirrors China’s legislative trend to limit long-arm jurisdiction overreach by foreign governments into China, strengthen its sovereignty by re-directing such requests to relevant treaties or diplomatic channels, and react to laws of Western nations such as the U.S. CLOUD Act. Moreover, it also elevates personal information and data protection into the realm of national security, implying that China will apply more scrutiny to the regulation of these matters, and particularly to the cross-border transfer of such data and information. This article discusses the background of the PIPL and DSL, provides a basic overview of the pending laws, discusses restrictions on cross-border transfers, and finally offers some potential impacts and suggestions for those operating in China.

1. Background

On April 29, 2021, the People’s Republic of China (PRC or China) National People’s Congress (NPC) Standing Committee released the second drafts of the PIPL and the DSL. The DSL was approved by the NPC on June 10 and will go into effect on September 1, 2021. The second draft of the PIPL has been released for public comments (comment period ended on May 28, 2021) but is not on the June 2021 agenda. The NPC will now conduct the second round of deliberations for the PIPL, which is anticipated to become effective by the end of 2021.

Although the PIPL and the DSL share similarities with the current PRC Cybersecurity Law (CSL), they differ in several key respects. While the CSL created the first basic framework for regulating data transfers and security in China, the DSL is mainly focused on the balance between data security, national security, and the benefits of and interests in the collection and development of data. The PIPL, by contrast, focuses mostly on utilizing increased civil, administrative, and even criminal procedures to create comprehensive protection of personal information. The laws attempt to harmonize multiple interests, namely the interests of individual natural persons and their rights over their own personal information with the freedom of information and the public interest. Despite these differences, the PIPL and the DSL share a key similarity with the CSL – namely, that they will join the CSL as part of the group of fundamental laws that make up China’s data protection legal and regulatory scheme.

2. Basic Overview of Key Concepts and Liability Under the PIPL and DSL

a. PIPL

The PIPL defines several key concepts, some of which had previously been introduced by measures, rules, or guidance but are now defined in law for the first time. PIPL Art. 4 defines “Personal Information” as electronic or non-electronic information that identifies or is able to identify a natural person. However, this does not include information after it has been processed through data anonymization.[1] PIPL Art. 4 goes on to define “Personal Information Processing” as the collection, storage, use, processing, transfer, provision, or publication of personal information. PIPL Art. 29 defines “Sensitive Personal Information” as personal information that, if disclosed or illegally used, may lead to discrimination or serious harm to the personal safety or property of that individual. Such information includes information on a person’s race, ethnicity, religion or religious beliefs, biometrics, medical and health information, and finance or bank account information. Finally, PIPL Art. 72(1) defines a “Personal Information Processor” as an organization or individual that, on its own, determines the purpose and method of processing personal information. These concepts provide the basis for the PIPL.

Moreover, PIPL Art. 3 stipulates the scope of the law. In general, the PIPL applies to individuals and organizations who conduct processing of personal information of natural persons within the PRC. What is notable here is that PIPL Art. 3 allows for the extraterritorial application of the PIPL where personal information is collected for the purpose of providing an individual located within the PRC with products or services, analyzing or evaluating the behavior of natural persons within the PRC, and other circumstances as prescribed under PRC laws and regulations.

Additionally, the PIPL provides clear legal liability for violation of its provisions in PIPL Sec. 7, Arts. 65–70. Generally, depending on which provision of the law is violated and the severity of the violation, legal liability can be civil, administrative, or even criminal. Civil liability includes liability for damages and losses of the individual, and even grounds for civil litigation, while administrative liabilities include fines of up to RMB 50 million or 5% of a company’s turnover in the previous year (it is unclear how the 5% will be calculated and whether it refers to turnover in China or worldwide), warnings, corrective orders, or the suspension or termination of one’s business license. Criminal liability and other administrative punishments (including detention) are prescribed pursuant to PIPL Art. 70.

b. DSL

Like the PIPL, the DSL defines several concepts that were previously unclear. DSL Art. 3 defines “Data” as any electronic or non-electronic information records. This is noticeably a broad definition of the term meant to encompass both electronic as well as physical information. Moreover, DSL Art. 3 defines “Data Processing” as the collection, storage, processing, transfer, provision, or publication of data. This mirrors the definition in PIPL Art. 4. Additionally, DSL Art. 3 defines “Data Security” as the ability to ensure that data is in a state of effective protection and lawful use as well as a continuous state of security through the adoption of necessary measures. This provides a standard, albeit somewhat broad, definition for what it means to provide data security in relation to data as defined under the DSL.

As for scope, like the PIPL, the DSL has both domestic and extraterritorial application. DSL Art. 2 states that the DSL applies to any data processing activities as well as security control and monitoring in the PRC. DSL Art. 2 also allows for legal liability for extraterritorial data processing activities where such activities harm PRC national security, the public interest, or the lawful rights and interests of PRC citizens or organizations. DSL Art. 53 also relates to this point, specifying that where data processing involves state secret information, the PRC Law on Guarding State Secrets applies, which extends the extraterritorial reach of the DSL in a similar fashion to the PRC Law on Guarding State Secrets with respect to data involving state secrets being processed abroad. This scope also traces back to recent laws enacted by the PRC to protect its national sovereignty, such as recent regulations by the PRC Ministry of Commerce,[2] the PRC Securities Law, and the PRC International Criminal Judicial Assistance Law (ICJAL).

Finally, the DSL also provides for legal liability under DSL Sec. 6, Arts. 44–52. Punishments vary depending on which article of the DSL is violated, but generally include civil, administrative, and even criminal liability, depending on the type and severity of the violation. Civil liability generally includes liability for damages and losses through civil litigation, while administrative liability can include fines of between RMB 10,000 and RMB 10 million or 1–10 times the amount of illegal gains from the violation, warnings, corrective orders, “talks” with PRC authorities, or termination or suspension of an industry or business license, depending on the type, scope and severity of the violation and the violator (i.e. an individual/natural person or a company/legal person). Criminal liability, civil liability and other administrative punishments (including detention) are prescribed pursuant to DSL Art. 52. Under the DSL, both legal persons and natural persons (individuals) can be held liable (criminal, civil and administrative liability).

3. Restrictions on Cross-border Data Transfers

The PIPL and DSL prescribe four different mechanisms for the transfer of data outside the borders of the PRC depending on the purpose and requirements of the transfer. Under PIPL Art. 38, there are three mechanisms for generally transferring data across borders.

The first mechanism is the State Cyberspace and Information Administration (SCIA) safety evaluation mechanism. This applies to data transfers involving a Critical Information Infrastructure Operator (CIIO)[3] or a processor that has processed personal information in an amount prescribed by regulations issued by the SCIA. The second and third mechanisms are generally for all other data transfers and consist of obtaining an authentication for personal information protection prior to the cross-border data transfer, and signing a Standard Contract, as determined by Chinese authorities, with the overseas party receiving the data and reaching/implementing specified protection standards for such data. This latter mechanism is similar to mechanisms prescribed in the EU’s GDPR.

Under the DSL, different types of data will have different cross-border transfer requirements. For “Important Data,”[4] DSL Art. 31 requires that such data collected and processed by CIIOs in China conform with the CSL with respect to cross-border transfers,[5] while cross-border transfers of other “Important Data” collected and processed by other data operators in China are to be regulated by the SCIA. For controlled item data, DSL Art. 25 requires that such data be subject to export control regulations.

Finally, the DSL and PIPL both specifically regulate the cross-border transfer of data to foreign authorities. DSL Art. 36 and PIPL Art. 41 prohibit the transfer of data and personal information, respectively, stored in the PRC to a foreign “judicial or enforcement authority” without approval from the relevant PRC government agency. However, if a relevant international treaty or other law applies, such data may be transferred pursuant to it. This mirrors the language and trend of laws such as PRC Securities Law Art. 177 and ICJAL Art. 4, both of which aim to protect PRC sovereignty and push back against the assertion of long-arm jurisdiction by foreign governments conducting investigations in China or against Chinese entities or individuals. The language in the DSL and PIPL appears aimed at the same purpose and addresses issues related to investigations by foreign governments.

4. Impact and Suggestions

The new requirements under the DSL and PIPL, particularly on cross-border transfer of data and personal information, are primed to have real impact on domestic and multinational companies operating in the PRC. They further complicate how multinational companies consider PRC law when responding to a foreign government investigation (such as an FCPA investigation) of their subsidiaries in China, or even to internal investigations. They also create complications for PRC companies and individuals operating overseas, particularly in addressing foreign legal actions and in how they store, protect, and process data and personal information. Both of these considerations will also change how domestic and multinational companies conduct their daily business operations in China.

Given the new laws, domestic and multinational companies in China will need to make several changes to their China operations; key among them may be how to respond to requests for cross-border transfers of data or personal information for the purpose of complying with an investigation by a foreign government authority, or even for evidence production in foreign judicial proceedings. Companies may be advised to create a contingency plan if it is possible that they may find themselves in such a situation, whether in response to a foreign legal proceeding or government investigation, an internal investigation, or even as part of general business practices. Contingency plans may also include a set procedure for handling such a cross-border data transfer, such as screening for and redacting PRC state secrets, sensitive information, or personal information prior to the transfer. Additionally, and particularly in the context of responding to a foreign investigation or judicial proceeding, companies may wish to consider giving early notice of the application of PRC law by notifying the foreign government agency or filing a motion with the relevant court notifying it of the intent to argue foreign law. Lastly, companies may also wish to build a communications channel with the relevant PRC authorities to ensure streamlined approval of a cross-border data transfer as needed.

Other considerations for those operating in China include:

  • If your enterprise is engaged in the collection, storage, transfer, processing, provision, or publication of data, review your internal data security and compliance mechanisms to ensure there are no gaps with respect to the new laws;
  • Review where and what types of data and personal information are stored in the PRC and whether data or personal information collected is stored abroad; and
  • Ensure proper consent is obtained with respect to the use of personal information.

The DSL and PIPL will change the landscape of data and personal information protection and transfer. Make sure that you and your company are prepared for the change.

[1] “Data Anonymization” is further defined in PIPL Art. 72(4) as essentially a method of processing data where, after processing, it will be impossible to identify a natural person from the data, and the data cannot be recovered to its pre-anonymization processing form.

[2] See, for example, PRC Ministry of Commerce, Unreliable Entity List Regulations, Order 2020 No. 4, Sept. 19, 2020; and PRC Ministry of Commerce, Measures Blocking the Improper Extraterritorial Application of Foreign Laws and Measures, Order 2021 No. 1, Jan. 9, 2021.

[3] “Critical Information Infrastructure Operator” is defined in the CSL as the identified operator of the division charged with the protection of critical information infrastructure.