Understanding Cross Borders Data Transfers Under GDPR and PIPL

China has passed its comprehensive data protection law that came into effect on November 1st, 2021. China’s PIPL imposes very stringent obligations on how organizations process and disclose personal information. PIPL is said to be “China’s GDPR” based on its strict and far-reaching scope. Both GDPR and PIPL have extraterritorial applicability. However, China’s public authorities have discretion provided under the PIPL to further extend the long-arm jurisdiction of the PIPL in cross-border scenarios. In this article, we will highlight and compare the requirements of cross-border data transfers under the GDPR and PIPL.

Cross-border transfers of data are allowed when the receiver explicitly agrees with the code of conduct approved by a supervisory authority. The code of conduct must include appropriate safety measures to safeguard the rights of individuals whose personal data were transferred and allow for direct enforcement of individual rights.

The cross-border transfer mechanism prescribed under the PIPL is quite similar to the GDPR, except there are a few differences. PIPL includes some additional cross-border data transfer requirements, in particular, for exporters who are Critical Information Infrastructure Operators (CIIOs) or who process a large amount of personal information. The PIPL does not specify what constitutes a large amount of personal information, the Cyberspace Administration of China (CAC) will release further guidelines on this threshold. Following are the few mechanisms that PIPL and GDPR provide for the cross-border transfer of personal data:

1) Adequacy Decision:

GDPR has an “Adequacy Decision” mechanism for the cross-border transfer of personal data. Accordingly, personal data transfers to another country outside the European Union can take place when the European Commission has decided that the third country of data destination provides an adequate level of data protection (there are currently 12 countries on the “adequate” list). Although China does not provide this specific and clear mechanism, it imposes an obligation on personal information exporters to ensure data protection standards are met after transfer as per Article 38 of the PIPL. It means it is quite similar to GDPR as both laws require organizations outside of their jurisdictions to have the same level of data protection for exported personal data.

The PIPL also describes that China is open to mutual recognition with other countries regarding cross-border data transfers and China will respect and adhere to relevant provisions of ratified international treaties and agreements. Furthermore, Article 43 of the PIPL provides certain requirements for countries or regions not to adopt discriminatory prohibitions, restrictions, or other similar measures against China in terms of personal information protection.

2) Appropriate safeguards:

As per the GDPR, personal data transfers to another country outside the EU can take place only when an adequate level of protection is ensured or there are safeguards in place to ensure the level of protection is essentially equivalent to that currently guaranteed inside the EU. Such safeguards include Binding Corporate Rules (BCRs), Code of Conduct, Standard Contractual Clauses (SCCs), Certifications, and other legally binding instruments. These safeguards are also provided under the PIPL. Based on Article 37 of the PIPL, it would be accurate to state that PIPL and GDPR have a few similar approaches in providing several paths for organizations to facilitate cross-border data transfer scenarios. However, there are a few differences that can be seen in the following table:

3) Derogations:

In the case of a cross-border data transfer to a non-adequate country and when no safeguards are in place, the GDPR allows data controllers to rely on certain derogations for cross-border data transfers. These derogations have a limited application as a means of transferring data to a third country. However, the PIPL prescribes that cross-border transfer is permitted if it meets the requirements of “Laws, administrative regulations or other conditions stipulated by the national cybersecurity and informatization department”.

4) Data localization:

The GDPR does not require data localization. However, the PIPL requires that Critical information infrastructure operators and personal information processors that process personal information above the number prescribed by the national cybersecurity and informatization department shall store personal information collected and generated within China. If they need to transfer such personal information to points outside China, the transfer must pass a security assessment administered by the government authorities.

5) Requirement of Privacy Notice and Consent:

For the cross-border transfer of personal information under the PIPL, organizations must provide notices to individuals explaining the details of the transfer. Organizations should also obtain separate consent from individuals for the transfer of their personal information. The notice should include the following:

• Foreign recipient name or personal name;
• Contact method,
• Purpose of processing and processing methods; and
• Personal information categories, as well as ways for individuals to exercise their rights under the PIPL with the foreign recipient, or other matters related to transfer.

For cross-border data transfers under the GDPR, data controllers must inform the data subject of its intention regarding the transfer of data to a third country at the time personal data is collected from the data subject and provide the following information:

• The existence or absence of an adequacy decision by the Commission, or
• In case of transfers based on appropriate safeguards or derogations, reference to the appropriate or suitable safeguards, the means by which to obtain a copy of them, or where they have been made available

Where the data controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller must provide the data subject prior to that further processing with information on that other purpose and any relevant information. The data controller must generally comply with the transparency obligations of the GDPR.

Conclusion

Global privacy regulations are encouraging organizations to be responsible custodians of their consumers' data and automate privacy and security operations. In order to operationalize compliance, organizations need to incorporate robotic automation in order to keep up with the current digital landscape.

Securiti helps organizations automate their privacy management operations using artificial intelligence and robotic automation. Ask for a demo today to understand how Securiti can help you prepare for compliance with the PIPL as well as comply with GDPR, DSL, and a whole host of global privacy regulations, with ease.