China has passed its comprehensive data protection law, the Personal Information Protection Law (PIPL), which came into effect on November 1st, 2021. The PIPL imposes very stringent obligations on how organizations process and disclose personal information and is often called “China’s GDPR” because of its strict and far-reaching scope. Both the GDPR and the PIPL apply extraterritorially. However, China’s public authorities have discretion under the PIPL to extend its long-arm jurisdiction even further in cross-border scenarios. In this article, we highlight and compare the cross-border data transfer requirements of the GDPR and the PIPL.
Under the GDPR, cross-border transfers of data are allowed when the receiver explicitly commits to a code of conduct approved by a supervisory authority. The code of conduct must include appropriate safeguards for the rights of the individuals whose personal data are transferred and must allow those individuals to enforce their rights directly.
The cross-border transfer mechanism prescribed under the PIPL is quite similar to that of the GDPR, with a few differences. The PIPL adds some cross-border data transfer requirements, in particular for exporters who are Critical Information Infrastructure Operators (CIIOs) or who process a large amount of personal information. The PIPL does not specify what constitutes a large amount of personal information; the Cyberspace Administration of China (CAC) will release further guidelines on this threshold. The following are the mechanisms that the PIPL and the GDPR provide for the cross-border transfer of personal data:
1) Adequacy Decision:
The GDPR has an “Adequacy Decision” mechanism for the cross-border transfer of personal data. Under it, personal data may be transferred to a country outside the European Union once the European Commission has decided that the destination country provides an adequate level of data protection (there are currently 12 countries on the “adequate” list). Although China does not provide this specific and clear mechanism, Article 38 of the PIPL obliges personal information exporters to ensure that data protection standards are still met after the transfer. In this respect the two laws are similar: both require organizations outside their jurisdictions to maintain the same level of data protection for exported personal data.
The PIPL also states that China is open to mutual recognition with other countries regarding cross-border data transfers and that China will respect and adhere to the relevant provisions of ratified international treaties and agreements. Furthermore, Article 43 of the PIPL sets out provisions concerning countries or regions that adopt discriminatory prohibitions, restrictions, or other similar measures against China in terms of personal information protection.
2) Appropriate safeguards:
Under the GDPR, personal data may be transferred to a country outside the EU only when an adequate level of protection is ensured or when safeguards are in place that guarantee a level of protection essentially equivalent to that inside the EU. Such safeguards include Binding Corporate Rules (BCRs), codes of conduct, Standard Contractual Clauses (SCCs), certifications, and other legally binding instruments. The PIPL provides similar safeguards. Based on Article 37 of the PIPL, both laws take a similar approach in offering organizations several paths to facilitate cross-border data transfers. There are, however, a few differences, summarized in the following table:
| | GDPR | PIPL |
| --- | --- | --- |
| BCRs | BCRs are internal rules for cross-border data transfers within the same group of enterprises engaged in a joint economic activity. They must be approved by the competent supervisory authority. | The PIPL does not provide any information regarding BCRs. |
| Code of Conduct | Associations and other bodies representing categories of controllers or processors may prepare codes of conduct specifying the application of the GDPR. Cross-border data transfers may take place on the basis of approved codes of conduct. | The PIPL does not provide any information regarding codes of conduct. |
| Security Reviews and Assessment | Not required. | Cross-border data transfers may take place only after a security assessment performed by the state cybersecurity department. This requirement applies to CIIOs and to personal information processors who handle large volumes of personal information, and it is one of the reasons why the PIPL cross-border regime is considered stricter than the GDPR. |
| Certification | Data protection certification mechanisms may allow cross-border data transfers. Certifications are approved by the competent supervisory authority, issued for a maximum period of three years, and may be renewed. | Cross-border data transfers may take place after personal information protection certification conducted by a specialized body in accordance with provisions of the State cybersecurity and informatization department. |
| Legally Binding Instruments/Treaties | Public sector cross-border data transfers may take place via a legally binding and enforceable instrument between public authorities or bodies (i.e. between a public authority in the EU and a public authority in the third country). | Cross-border data transfers may take place in accordance with China’s international treaties and agreements. |
| SCCs | Cross-border data transfers may take place using standard data protection clauses (adopted by a supervisory authority and approved by the European Commission). The European Commission has adopted two sets of SCCs: one for the transfer of personal data to third countries and one for use between controllers and processors. | Cross-border data transfers may take place under a contract formulated by the cyberspace and informatization department, which establishes the rights and responsibilities of both the company and the foreign recipient. These SCCs are not yet formalized. |
3) Derogations:
In the case of a cross-border data transfer to a non-adequate country and when no safeguards are in place, the GDPR allows data controllers to rely on certain derogations for cross-border data transfers. These derogations have a limited application as a means of transferring data to a third country. However, the PIPL prescribes that cross-border transfer is permitted if it meets the requirements of “Laws, administrative regulations or other conditions stipulated by the national cybersecurity and informatization department”.
Derogations under the GDPR:
- The transfer has been conducted upon the explicit consent of the Data Subject;
- The transfer is necessary for the performance of a contract (or pre-contractual measures) between the Data Subject and Data Controller;
- The transfer is necessary for the performance of a contract between a legal guardian of the Data Subject and Data Controller, for the benefit of the Data Subject;
- The transfer is necessary for important reasons of public interest;
- The transfer is necessary for the establishment or exercise of legal claims or defenses;
- The transfer is necessary for the vital interests of the Data Subject, and the Data Subject is unable to consent;
- The transfer is made from a register which, according to Union or Member State law, is intended to provide information to the public;
- The transfer is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the Data Subject, provided that no other exception/derogation applies and the Supervisory Authority and the Data Subject are notified of the transfer.
Derogations under the PIPL:
- Cross-border data transfers may take place after meeting the conditions provided under other Chinese laws and regulations.
4) Data localization:
The GDPR does not require data localization. The PIPL, however, requires that Critical Information Infrastructure Operators and personal information processors that process personal information above the number prescribed by the national cybersecurity and informatization department store personal information collected and generated within China inside China. If they need to transfer such personal information outside China, the transfer must pass a security assessment administered by the government authorities.
5) Requirement of Privacy Notice and Consent:
For the cross-border transfer of personal information under the PIPL, organizations must notify individuals of the details of the transfer and must also obtain separate consent from them for the transfer of their personal information. The notice should include the following:
- The foreign recipient’s name or personal name;
- The recipient’s contact method;
- The purpose of processing and the processing methods; and
- The categories of personal information, as well as the ways for individuals to exercise their rights under the PIPL with the foreign recipient, or other matters related to the transfer.
For cross-border data transfers under the GDPR, data controllers must inform the data subject of their intention to transfer data to a third country at the time personal data is collected from the data subject, and must provide the following information:
- The existence or absence of an adequacy decision by the Commission; or
- In the case of transfers based on appropriate safeguards or derogations, a reference to the appropriate or suitable safeguards, the means by which to obtain a copy of them, or where they have been made available.
Where the data controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller must provide the data subject prior to that further processing with information on that other purpose and any relevant information. The data controller must generally comply with the transparency obligations of the GDPR.
Conclusion
Global privacy regulations are encouraging organizations to be responsible custodians of their consumers' data and automate privacy and security operations. In order to operationalize compliance, organizations need to incorporate robotic automation in order to keep up with the current digital landscape.
Securiti helps organizations automate their privacy management operations using artificial intelligence and robotic automation. Ask for a demo today to understand how Securiti can help you prepare for compliance with the PIPL as well as comply with GDPR, DSL, and a whole host of global privacy regulations, with ease.