The global surge in cross-border data flow has prompted governments worldwide, including China, to intensify oversight of data export and enhance security provisions. This came as a response to the European Union's introduction of the General Data Protection Regulation (GDPR). China, aligning its policies with this new data protection paradigm, enacted the Cybersecurity Law, further tightened by subsequent laws like the Data Security Law (DSL) and the Personal Information Protection Law (PIPL).
These laws are critical for multinational corporations that handle data across borders as they navigate the complex requirements of China's data transfer regulations. Adhering to them is both a legal obligation and crucial for ensuring data security and smooth international data flow. Ignoring these regulations can lead to serious repercussions, including business interruptions and penalties.
The newest regulation, titled Regulations to Promote and Standardize Cross-Border Data Flows, relaxes requirements for data export by adjusting the thresholds that trigger security assessments or the need for standard contracts or PI protection certification. Notably, it raises the thresholds for security assessments, for example:
- Raising the threshold for transferring non-sensitive personal information (PI) offshore from 100,000 to 1 million individuals' PI, and shortening the time period over which cumulative PI is assessed; and,
- Similarly adjusting the thresholds for standard contracts or PI protection certification, with requirements now based on the cumulative PI transferred since January 1 of the current year.
Many businesses still need to adjust to these changes and risk non-compliance as well as potential future policy shifts. In this dynamic environment, legal and cybersecurity experts recommend that businesses proactively adapt to cross-border data transfer (CBDT) regulations, taking a forward-thinking approach that prepares for both current and future compliance requirements.
Scope and definitions
Personal Information (PI) under the Personal Information Protection Law (PIPL) in China is broadly categorized as any information, recorded electronically or otherwise, that can identify a natural person, either directly or indirectly. This definition parallels the General Data Protection Regulation (GDPR) of the European Union but notably excludes anonymized data, which cannot be reversed to identify an individual. In contrast to GDPR, PIPL does not apply to the PI of deceased individuals, although it grants close relatives certain rights over the deceased's PI for lawful purposes.
The processing and handling of PI
The processing of PI encompasses various activities, including collection, storage, use, alteration, transmission, and deletion. This broad interpretation means that virtually any interaction with PI falls under the scope of PIPL, demanding strict adherence to its guidelines for both domestic and international entities operating in China.
Sensitive Personal Information (SPI) vs PI
SPI under the PIPL is treated with greater caution and includes data that, if misused, could harm an individual's dignity or personal and property security. This category is more extensive than the GDPR's 'special category data.' Article 28 of the PIPL specifies that ‘Sensitive PI’ is “PI that is likely to damage the personal dignity of any natural person or damage to his or her personal or property once disclosed or illegally used”. This is followed by a non-exhaustive list, which includes:
- Biometric data;
- Religious beliefs;
- Specific identities;
- Medical health;
- Financial accounts; and,
- The location of individuals, especially minors under 14.
The handling of SPI requires explicit consent and is subject to stringent protective measures, highlighting its elevated importance in data security.
The fact that financial account information is categorized as SPI came as a surprise to many foreign companies. It implies that almost any business activity involving a payment transaction would involve the processing of SPI. Companies can refer to national standard GB/T35273-2020 to better understand the detailed scope of SPI as defined by the PIPL.
The GDPR lists all ‘Special Category Data’, making it easy for companies or individuals to identify whether or not the PI they are processing falls within this category. The PIPL’s definition is more descriptive but does not include a full list as the GDPR does.
The GDPR treats the PI of minors under the age of 16 as special category data (though specific EU member countries have different rules on age limits, with some lowering it to 13) while the PIPL specifies the age of 14.
PIPL vs GDPR – Definition of Personal Information
Aspect | General Data Protection Regulation (GDPR) | Personal Information Protection Law (PIPL) |
Definition of Personal Information (PI) | Similar to PIPL: information related to identified or identifiable natural persons | Similar to GDPR: information related to identified or identifiable natural persons |
PI categories scope of protection | Some categories of PI are subject to stringent protection (“special category data”) | Some categories of PI are subject to stringent protection (“sensitive PI”) |
Individuals' rights defined | Defines rights for individuals regarding their personal data | Similar to GDPR in defining rights for individuals regarding their personal data |
Anonymous information treatment | Includes anonymous information in the definition of PI | Excludes anonymous information from the definition of PI |
Scope of Sensitive/Special Category PI | Has a narrower scope for what is considered “special category” data | Has a much wider scope for what is considered “sensitive” PI |
Key highlights and interpretation of PIPL
Data protection principles
Below we have summarized the basic principles for protecting the security of PI and the rights and interests of PI subjects.
Principle | Description for PI processors and overseas recipients |
Lawfulness, propriety, necessity, and good faith | Adhere to relevant laws and regulations on cross-border PI processing. Process PI according to the agreed purpose and in a way that minimally impacts the rights and interests of the PI subject. |
Openness and transparency | Meet the requirements for disclosing processing rules. Inform the PI subject of the overseas recipient's details, processing purpose, scope, methods, and the subject's rights, including how to exercise them. |
Equal protection | Ensure PI quality, preventing adverse effects due to inaccuracy or incompleteness. Implement measures to protect the security of the processed PI, ensuring it meets the information protection requirements of the PIPL. |
Clear responsibility | Designate a domestic party or an institution in China, established by the overseas recipient, to bear civil legal liability for the overseas recipient's PI processing activities, in case of damage to the rights and interests of PI subjects. |
Voluntary certification | Encourage PI processors to voluntarily apply for PI protection certification, leveraging its role in strengthening PI protection and improving the efficiency of cross-border PI processing. |
Regulatory framework for processing personal information
The PIPL sets out several legal bases for processing personal information. These include:
- Obtaining individual consent;
- Fulfilling contractual obligations and statutory responsibilities;
- Responding to public health emergencies;
- Journalistic reporting, and processing publicly disclosed PI; and,
- Other legally permitted purposes, according to PIPL Article 13.
Essentially, the law ensures that PI is processed legitimately and responsibly. Under China's Personal Information Protection Law (PIPL), obtaining consent for data handling is pivotal. Articles 24, 44, 45, 46, and 48 emphasize the need for clear notifications and explicit consent from individuals when third parties are involved in Personally Identifiable Information (PII) processing.
PI handlers are tasked with adopting robust security measures to safeguard PII from unauthorized access, leakage, or distortion. Additionally, they must be transparent about all PII processing activities, including data recipients' identity and contact details. The principal duties of PI handlers are as follows:
- Development and Implementation of a Privacy Program (PIPL Article 51).
- Appointment of a Data Protection Officer (DPO) (PIPL Article 52).
- Establishment of a Local Representative (PIPL Article 53).
- Conducting Regular Data Protection Audits (PIPL Article 54).
- Conducting PI Protection Impact Assessments (PIPIAs) (PIPL Article 55).
- Responding to Cybersecurity Incidents (PIPL Article 57).
Valid consent and its parameters
According to PIPL Article 14, consent must be freely given, voluntary, and explicit, based on full information. New consent must be obtained if there are changes in the processing purposes, means, or PI categories. This approach ensures that individuals are fully aware of and agree with how their data is used.
Separate consent
PIPL mandates separate consent in specific situations, though it doesn't explicitly define it. Separate consent is required when:
- Transferring PI to another handler (PIPL Article 23);
- Disclosing PI (PIPL Article 25);
- Processing PI from public surveillance for non-public security purposes (PIPL Article 26);
- Processing sensitive personal information (SPI) (PIPL Article 29); and,
- Transferring PI outside the PRC (PIPL Article 39).
This extra consent layer underscores the law's emphasis on individual autonomy over personal data.
Automated decision-making in PIPL
Automated decision-making uses computer programs to assess personal behaviors, health, and financial status. PIPL Article 73 requires that such processes are transparent, fair, and just. It prohibits unreasonable differential treatment based on automated decision-making.
Regulations concerning automated decision-making
Under PIPL Article 24, if automated decision-making significantly affects an individual, they have the right to demand an explanation and can refuse decisions made solely on an automated basis. This provision is crucial in an era where algorithms play a significant role in decision-making processes.
PIPL compliance for organizations
Impact of PIPL on organizational data life cycle
The enactment of the Personal Information Protection Law (PIPL) has considerable implications for organizations, particularly regarding their data life cycle management. While the regulatory landscape continues to evolve, companies should start preparing by understanding the expected impact.
Below are some of the requirements your business should consider when processing personal data in the cloud:
Data Life Cycle Stage | Mandatory PIPL Requirements |
Data subject notification | Inform data subjects about: |
Right to use & disclose | Obtain consent from data subjects before collecting and processing their PII, especially for transferring PII to cloud services, third parties, or overseas, and for internal processing like analytics or job opportunities. |
Data collection | |
Data usage | |
Data Sharing/Transfer | For transferring/sharing PII to cloud services outside the country, comply with one of the following: |
Data Disposal/Retention | Delete PII upon the data subject's request, when the retention period expires, or when the processing purpose is achieved. Cease processing PII if deletion is technically challenging. |
Requirements for processing PI of minors and internet giants
Organizations must meticulously handle minors' personal information (PI) and comply with stringent requirements for processing data. This involves ensuring secure data collection methods, particularly when dealing with sensitive data like images or videos, and applying robust security measures like encryption and de-identification.
Data localization and cross-border transfer of PI
What counts as CBDT activities?
There is no specific definition for “cross-border data transfer” in China’s CSL, DSL, or PIPL laws. However, clues can be found in the following three documents:
- The Measures for Data Export Security Assessment;
- The Guidelines for Data Exit Security Assessment and Declaration (First Edition); and
- The Standard Contract Measures for the Export of Personal Information.
Under the Measures for Data Export Security Assessment, cross-border data transfer is defined as:
- The provision of PI and important data collected and generated in the operation within the territory of the People’s Republic of China to institutions, organizations, and individuals located outside the country.
The Guidelines for Data Exit Security Assessment and Declaration (First Edition) list some specific circumstances that are deemed cross-border data transfer, including:
- Where a data processor transfers or stores abroad the data collected or generated during its operation within the territory of China;
- Where the data collected and generated by a data processor is stored within the territory of China for inquiry, retrieval, download and export by overseas institutions, organizations or individuals; and
- Any other activity involving data to be transmitted abroad, as prescribed by the Cyberspace Administration of China (CAC).
Finally, under the Standard Contract Measures for the Export of Personal Information, cross-border data (PI) transfer is defined as:
- When PI processors transmit overseas, and store overseas, PI that has been collected and generated during domestic operations;
- When PI collected and generated by PI processors is stored within China, but overseas institutions, organizations, or individuals can inquire, retrieve, download, and export the PI; and
- Other acts of exporting PI abroad as specified by the CAC.
From these above definitions, cross-border data transfer might be interpreted as:
- Direct transfer and storage of important data and PI to overseas locations;
- Remote access to important data and PI stored in China by a person or entity located outside of China. That is to say, if an overseas party, within the same or a different company, remotely accesses the important data or PI of an individual located in China, this activity also constitutes cross-border data transfer, even if the data is not actively exported to a location outside of China.
While these definitions may suggest which company activities could constitute CBDT, it is by no means a comprehensive definition. The above measures and the overall framework include another clause implying that additional definitions may be left open to interpretation by the authorities in China.
CBDT's current regulatory framework
The newly revised regulations introduce specific exemptions to the requirements for exporting data, providing clarity and flexibility in certain scenarios. Data exports are now permitted without adhering to the previously strict requirements under these circumstances:
- The export of personal information (PI) is deemed necessary for the execution or fulfillment of contracts where the individual whose PI is involved is a participant. This includes a range of activities such as international shopping, delivery services, payment processes, opening bank accounts, reservation of tickets and accommodations, visa application processes, and examination services, among others.
- For the purpose of implementing human resources management in alignment with employment policies and collective labor agreements, exporting employees' PI is allowed.
- In emergencies where it is critical to protect individuals' life, health, or property, exporting PI is permissible.
- Entities not classified as critical information infrastructure operators are allowed to export the PI of up to 100,000 individuals cumulatively from the start of the current year.
- The export of PI that is collected or produced outside of mainland China is exempt, provided it does not include any "important data" or PI collected/generated within mainland China.
- Non-PI data collected or generated through international trade, cross-border shipments, academic collaborations, and international manufacturing and marketing activities are exempt from the requirements unless categorized as "important data" or other specific types of sensitive data, such as state secrets.
Furthermore, the regulations have been adjusted to ease some of the requirements associated with data export. These adjustments are particularly notable in terms of the security assessment triggers and the criteria for either standard contracts or PI protection certification:
- The new criteria for security assessment are as follows:
  - Critical information infrastructure operators intend to transfer any PI or "important data" abroad.
  - Data handlers not classified as critical information infrastructure operators intend to transfer "important data" abroad.
  - Non-critical information infrastructure operators have been transferring the PI of more than 1 million individuals (excluding sensitive PI) cumulatively since the start of the current year.
  - Non-critical information infrastructure operators are transferring the sensitive PI of more than 10,000 individuals cumulatively since the start of the current year.
It's important to note that data transfers falling within the exemptions are not subject to the security assessment requirements. Additionally, when calculating the processing volume of PI to determine if thresholds are exceeded, PI transferred under these exemptions will not be counted.
- Standard Contract or PI Protection Certification: the revised timeframe for the cumulative calculation of PI and sensitive PI now includes:
  - Non-critical information infrastructure operators are transferring the PI of more than 100,000 but less than 1 million individuals cumulatively since the start of the current year.
  - Non-critical information infrastructure operators are transferring the sensitive PI of no more than 10,000 individuals cumulatively since the start of the current year.
Should these thresholds be met without triggering the security assessment thresholds and none of the exemptions apply, data handlers are required to comply with either the standard contract stipulations or the PI protection certification requirement.
Change in PI Export Volume Thresholds for CBDT Compliance Procedures
Required compliance procedure | Previous regulations | New regulations |
No procedures required | N/A | Cumulative since January 1 of the current year: < 10,000 (normal PI) |
PI protection certification or Standard Contract signing | Cumulative since January 1 of the previous year: < 100,000 (normal PI); or < 10,000 (sensitive PI) | Cumulative since January 1 of the current year: ≥ 10,000 and < 1,000,000 (normal PI); or < 10,000 (sensitive PI) |
Security assessment by CAC | Cumulative since January 1 of the previous year: ≥ 100,000 (normal PI); or ≥ 10,000 (sensitive PI) | Cumulative since January 1 of the current year: ≥ 1,000,000 (normal PI); or ≥ 10,000 (sensitive PI) |
Personal Information Protection Impact Assessment (PIPIA)
PIPL mandates that organizations conduct a Personal Information Protection Impact Assessment (PIPIA) in various scenarios, including handling sensitive information, using PI for automated decision-making, disclosing PI to third parties, and transferring PI internationally. This assessment is crucial to identify and mitigate potential risks in data processing activities.
Conducting PIPIA
Before transferring PI overseas using the standard contract method, companies must conduct a PIPIA. This report should be kept for at least three years. According to the Standard Contract Measures, the PIPIA must assess the following matters:
- The legality, legitimacy, and necessity of the purpose, scope, and processing method of the data processor [in China] and the overseas recipient.
- The scale, scope, type, and sensitivity level of the outbound PI, and the potential risks that the export of the PI can pose to the rights and interests of the PI subjects.
- The responsibilities and obligations that are undertaken by the overseas recipient, and whether the management and technical measures and capabilities for fulfilling these responsibilities and obligations can ensure the security of outbound PI.
- The risk of the PI being tampered with, destroyed, leaked, lost, or illegally used after being exported, and whether the channels for safeguarding the rights and interests of the PI subjects are unobstructed.
- The impact that the PI protection policies and regulations in the country or region where the overseas recipient is located may have on the fulfillment of the standard contract.
- Other matters that may affect the security of the outbound PI.
What must be stipulated in the standard contract?
The standard contract for exporting personal information (PI) to overseas recipients must follow the template provided by the Standard Contract Measures, as set by the Cyberspace Administration of China (CAC). While CAC may make occasional adjustments to the template, it generally includes:
- Basic details of the PI processor in China and the overseas recipient, such as company names, addresses, and contact information.
- Duration of the contract and details about the mutual PI processing activities.
- Information on the security measures to be employed by the overseas recipient, like encryption, anonymization, and access control.
- Methods for arbitration and dispute resolution.
The contract template comprises nine articles covering the obligations of both the PI processor and the overseas recipient, the impact of local PI protection policies on contract fulfillment, and the rights and interests of the PI subjects. Additional terms can be agreed upon with the overseas recipient, provided they don't conflict with the standard contract's requirements. The export of PI is permissible only after the contract is in effect.
Filing procedures for the standard contract
Within 10 days of the standard contract taking effect, the PI processor must file requisite materials with the local provincial-level cybersecurity office. The PI processor can begin cross-border data transfer activities after the contract takes effect. All the materials must be delivered in both physical and electronic form.
The materials that need to be submitted are listed in the table below:
Nr. | Document Required | Specification |
1 | Photocopy of Unified Social Credit Code Certificate | Photocopy with company chop |
2 | Photocopy of Legal Representative's ID Card | Photocopy with company chop |
3 | Photocopy of ID Card of Person in Charge | Photocopy with company chop |
4 | Power of Attorney | Original copy |
5 | Letter of Commitment | Original copy |
6 | Standard Contract | Original copy |
7 | Personal Information Protection Impact Assessment (PIPIA) | Original copy |
Note: Templates for documents 4 to 7 are available in the Standard Contract Guidelines.
Provincial cybersecurity authorities will review submitted materials and notify companies of the outcome within 15 days. Successful reviews will result in a filing number issued to the PI processor. Unsuccessful ones will include a notice detailing reasons for the rejection. The company will receive written notification about the review result and may need to submit additional materials. These resubmissions must occur within ten working days of receiving the notice.
In certain situations, the PI processor might need to redo their Personal Information Protection Impact Assessment (PIPIA), re-sign the standard contract, and redo relevant filing procedures before expiration. These situations include changes in PI processing or overseas storage, alterations in overseas PI protection policies affecting PI subjects' rights, and other scenarios impacting PI subjects' rights. Any resubmitted materials will undergo a 15-day review. Violations of the Standard Contract Measures are subject to penalties as per the PIPL and other relevant regulations.
Conclusion
China's Personal Information Protection Law (PIPL) has significantly reshaped the country's data security legislation. Notably, in the latter half of 2023, Chinese authorities indicated a potential easing of Cross-Border Data Transfer (CBDT) regulations, especially to boost foreign investment post-pandemic. Key developments include:
- The State Council's August 2023 measures for optimizing foreign investment, proposing "green channels" for qualified foreign companies and piloting a list of "general data" for freer cross-border transfer in major cities.
- The September 2023 draft regulations by the Cyberspace Administration of China (CAC) offer several allowances for PI and important data export, which could alleviate compliance burdens for foreign companies.
Looking ahead, China's cybersecurity and data protection regulations are expected to gain more clarity, particularly regarding the definition of important data. The country's efforts to align with international digital trade agreements like DEPA and CPTPP suggest forthcoming adjustments in its data regulation framework. These changes are anticipated to be trialed in Free Trade Zones (FTZs) and potentially expanded nationwide, easing CBDT requirements on a larger scale.
Staying informed and compliant is crucial for businesses grappling with these dynamic regulatory changes. Multinational companies should monitor legislative developments and adapt their cybersecurity and data protection policies accordingly. Dezan Shira & Associates offers expert guidance and support in:
- Assessing data protection and cross-border data transfer risks.
- Preparing for mandatory security assessments and documentation.
- Developing data collection, processing consent mechanisms, and privacy notices.
- Providing internal compliance training and strategies for data breach mitigation.
For tailored assistance in navigating China's cybersecurity and data protection landscape, contact Dezan Shira & Associates' team of experts. Stay updated with our insights and recommendations to ensure your business aligns with China's evolving data laws.
Frequently Asked Questions
Q1: PIPL states the company should appoint “a person in charge of personal information protection” (个人信息保护负责人) when processing personal information on a large scale based on the criteria specified by the CAC. Consequently, is the appointment of a Data Protection Officer (DPO) mandatory under the PIPL?
A: No, it’s not mandatory; however, for companies that don’t have an office in China and still want to provide services in China, a DPO or representative is necessary. In general cases where the company has an office in China and can find a local person to play the role of representative, there is no need to have a DPO. But we have seen that many companies don’t have enough internal resources to support this, so from that angle an external DPO can be very helpful for companies.
Q2: Can a company send aggregated information derived from personal information across borders? If it doesn’t contain any specific personal information on Chinese citizens, can we aggregate this data and send it across borders?
A: Yes, because we are talking about aggregated data – which doesn’t have any specific personal information of individuals. This means that it will be “abstract” data that cannot be tracked to one single individual. In this case, the data will not be treated as personal information or as sensitive personal information, and you are allowed to transfer it outside of China.
Q3: We are exchanging data with our headquarters in Germany via SAP. Will it be deemed as a cross-border transfer and require a Personal Information Protection Impact Assessment (PIPIA)?
A: Yes. If your IT system is located in Germany, but your business operations in China are processing personal information, you will need a PIPIA. Whether you are allowed to transfer personal information out of the country or not is based on the scale of the personal information. The Cyberspace Administration of China (CAC) will specify the criteria about which kind of personal information will not be allowed to be transferred out, but for now we will need to wait for more details from the government.
Q4: If personal data is transferred to Hong Kong, Macao, or Taiwan, would it be considered an international data transfer?
A: Yes, for now it would be as Hong Kong, Taiwan, and Macao are implementing different laws from Mainland China.
Q5: Do we need separate consent from our employees, one for payroll processed in China and the other for HR management purposes, assuming all data will be transferred outside of China to HQ in Singapore? Is it necessary for two consents from employees in China in this situation?
A: Our opinion is that you can use one single consent form. In this case, we understand that the purpose of processing this information for payroll and HR is quite close/tied to each other. It is a common practice for companies to process payroll and HR together, so in this case, we think you can use one single consent form.
Q6: There are many international schools storing student data. What about the protection of data for children under 14 years old? Are there special protections under the PIPL?
A: Yes. Information from those under 14 will be regarded as sensitive information. If you are going to process sensitive personal information, you must collect separate consent and conduct a PIPIA.
Q7: Is the employee's name and mobile phone number in MS Azure Active Directory considered personal information?
A: Yes. The definition of personal information is very wide under the PIPL. For any information that can be tied to one single individual, it is considered personal information. For example, mobile phone numbers in China are tied to real names and can be connected to an individual. Names are also a kind of personal information. Although a name can be common and used for multiple people, under the PIPL it is still considered personal information.
Q8: How about security logs (e.g., firewall and Active Directory)? Are they considered personal information, as they are usually linked to an IP address or account name and not directly linkable to the user easily?
A: Yes. Under the GDPR, IP addresses are defined as personal information, and this is the same for the PIPL. We know that IP addresses are dynamic, but from an IT perspective, we can still trace an individual to their IP address most of the time with certain efforts, making IP addresses one kind of personal information under the PIPL.
Q9: If we store processed personal information through a third-party vendor, such as Google Drive, does it fall into the vendor’s responsibility to formulate proper information protection that complies with the PIPL?
A: Similar to GDPR, under PIPL, it’s the information controller – the one who makes decisions on how to collect and store the data – that assumes the responsibility of personal information protection. So, if you are the information controller, and you make the decision to collect personal information and make the decision to transfer it out to save in Google Drive, you are responsible for everything. Of course, you can make a service agreement with your vendor to specify what kind of measures should be taken to protect the personal information.
Q10: If an IP address is a company private IP address, for example, 10.0.0.1, is it considered personal information?
A: From the technical perspective, yes, it is. For example, in China, the cyber police require companies to set up a firewall or security device, which can allow the company to track the website access logs for users. This means that even if you are using a private IP of your company, your firewall or security device can still track these records, and IT can use these records to trace back to the individual using this IP address. In practice, however, at the current stage, IP address information is really a minor consideration for the authorities. There are other more significant issues for the authorities to pay attention to.