Understanding Cross Borders Data Transfers Under GDPR and PIPL

Published July 7, 2022 / Updated January 8, 2024
Author

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US


China's comprehensive data protection law, the Personal Information Protection Law (PIPL), came into effect on November 1, 2021. The PIPL imposes stringent obligations on how organizations process and disclose personal information, and its strict, far-reaching scope has earned it the label "China's GDPR". Both the GDPR and the PIPL apply extraterritorially. The PIPL, however, also gives China's public authorities discretion to extend its reach further in cross-border scenarios. This article highlights and compares the cross-border data transfer requirements of the GDPR and the PIPL.

Under the GDPR, a cross-border transfer may also rely on a code of conduct approved by a supervisory authority, provided the receiver makes binding and enforceable commitments to apply it. Such a code must include appropriate safeguards for the rights of the individuals whose personal data are transferred and must allow those individuals to enforce their rights directly.

The cross-border transfer mechanisms under the PIPL are broadly similar to those of the GDPR, with a few notable differences. In particular, the PIPL adds requirements for exporters that are Critical Information Infrastructure Operators (CIIOs) or that process a large volume of personal information. The PIPL itself does not define that volume threshold; it leaves it to the Cyberspace Administration of China (CAC) to specify in implementing rules (the CAC later did so in its Measures for Security Assessment of Outbound Data Transfers, in force since September 1, 2022). The mechanisms that the PIPL and the GDPR provide for cross-border transfers of personal data are as follows:

1) Adequacy Decision:

The GDPR provides an "adequacy decision" mechanism for cross-border transfers of personal data: personal data may be transferred to a country outside the European Union where the European Commission has decided that the destination country ensures an adequate level of data protection (the Commission maintains the list of jurisdictions it has found adequate). The PIPL has no equivalent mechanism. Instead, Article 38 of the PIPL obliges the exporter to take the necessary measures to ensure that the foreign recipient's processing meets the standard of protection the PIPL requires. The practical effect is comparable: both laws require that exported personal data continue to receive a level of protection matching that of the exporting jurisdiction.

The PIPL also states that China is open to mutual recognition of personal information protection rules with other countries, regions and international organizations, and that the provisions of international treaties and agreements China has concluded or acceded to may be followed for cross-border transfers. Conversely, Article 43 of the PIPL allows China to take reciprocal measures against any country or region that adopts discriminatory prohibitions, restrictions or similar measures against China in the field of personal information protection.

2) Appropriate safeguards:

Under the GDPR, personal data may be transferred to a country outside the EU only where an adequate level of protection is ensured or where safeguards are in place that guarantee a level of protection essentially equivalent to that within the EU. Such safeguards include Binding Corporate Rules (BCRs), approved codes of conduct, Standard Contractual Clauses (SCCs), approved certifications and other legally binding instruments. The PIPL provides a comparable set of options: Article 38 of the PIPL lists several paths an organization can follow to transfer personal information abroad, so the two laws take a similar approach in this respect. The differences are summarized in the following table:

BCRs
GDPR
BCRs are internal rules for cross-border data transfers within a group of enterprises, or a group of enterprises engaged in a joint economic activity. They must be approved by the competent supervisory authority.
PIPL
The PIPL does not provide for BCRs.
Code of Conduct
GDPR
Associations and other bodies representing categories of controllers or processors may prepare codes of conduct specifying how the GDPR is applied. Cross-border data transfers may take place on the basis of an approved code of conduct, combined with binding and enforceable commitments by the recipient to apply it.
PIPL
The PIPL does not provide for codes of conduct.
Security Reviews and Assessment
GDPR
Not required. No supervisory authority reviews or approves an individual transfer in advance.
PIPL
CIIOs and personal information processors that handle large volumes of personal information may transfer personal information abroad only after passing a security assessment organized by the national cyberspace and informatization department (the CAC). This is one of the main reasons the PIPL cross-border regime is considered stricter than the GDPR.
Certification
GDPR
Approved data protection certification mechanisms may serve as a basis for cross-border data transfers. The certification criteria are approved by the competent supervisory authority; a certification is issued for a maximum of three years and may be renewed.
PIPL
Cross-border data transfers may take place after the exporter obtains a personal information protection certification from a specialized body, in accordance with rules issued by the national cyberspace and informatization department.
Legally Binding Instruments/Treaties
GDPR
Cross-border data transfers between public authorities or bodies may take place on the basis of a legally binding and enforceable instrument between them (for example, between a public authority in the EU and one in the third country).
PIPL
Cross-border data transfers may take place under the provisions of international treaties or agreements that China has concluded or acceded to.
SCCs
GDPR
Cross-border data transfers may take place using standard data protection clauses, either adopted by the European Commission or adopted by a supervisory authority and approved by the Commission. The Commission's current SCCs for international transfers cover the controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller scenarios; the separate standard clauses for controller-processor contracts under Article 28 of the GDPR are not a transfer mechanism.
PIPL
Cross-border data transfers may take place under a standard contract formulated by the national cyberspace and informatization department, which sets out the rights and obligations of the exporter and the foreign recipient. At the time of the original publication this standard contract had not yet been finalized; the CAC subsequently issued its standard contract measures, which took effect on June 1, 2023.

3) Derogations:

Where personal data are transferred to a country without an adequacy decision and no appropriate safeguards are in place, the GDPR allows controllers to rely on a limited set of derogations. These derogations are narrow and are meant to be used occasionally, not as a routine basis for transfers to a third country. The PIPL, in turn, permits a cross-border transfer where it meets "other conditions provided by laws, administrative regulations or the national cyberspace and informatization department".

Derogations
GDPR
  • The data subject has explicitly consented to the transfer, after being informed of its possible risks;
  • The transfer is necessary for the performance of a contract (or pre-contractual measures) between the data subject and the controller;
  • The transfer is necessary for the conclusion or performance of a contract, concluded in the interest of the data subject, between the controller and another natural or legal person;
  • The transfer is necessary for important reasons of public interest;
  • The transfer is necessary for the establishment, exercise or defence of legal claims;
  • The transfer is necessary to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
  • The transfer is made from a register which, under Union or Member State law, is intended to provide information to the public;
  • Where none of the above applies: the transfer is not repetitive, concerns only a limited number of data subjects and is necessary for compelling legitimate interests of the controller that are not overridden by the interests, rights and freedoms of the data subject, provided the controller has assessed the circumstances, put suitable safeguards in place and informed both the supervisory authority and the data subject of the transfer.
PIPL
Cross-border data transfers may take place after meeting the conditions provided under other Chinese laws, administrative regulations or rules of the national cyberspace and informatization department.

4) Data localization:

The GDPR does not require data localization. The PIPL, by contrast, requires CIIOs and personal information processors whose processing volume exceeds the threshold set by the national cyberspace and informatization department to store personal information collected and generated within China inside China. Where such personal information genuinely needs to be provided to a recipient outside China, the transfer must first pass a security assessment organized by that department.

5) Requirement of Privacy Notice and Consent:

For a cross-border transfer of personal information under the PIPL, an organization must notify the individuals concerned of the details of the transfer and obtain their separate consent to it. The notice must include:

  • the name or personal name of the foreign recipient;
  • the recipient's contact information;
  • the purpose and method of processing;
  • the categories of personal information involved; and
  • the ways in which individuals can exercise their PIPL rights against the foreign recipient, together with any other matters relevant to the transfer.

Under the GDPR, where a controller intends to transfer personal data to a third country, it must inform the data subject of that intention at the time the personal data are collected, including:

  • whether or not an adequacy decision by the Commission exists for the destination country; or
  • where the transfer relies on appropriate safeguards or on the compelling-legitimate-interests derogation, a reference to the safeguards relied on and the means by which to obtain a copy of them or where they have been made available.

Where the controller intends to further process the personal data for a purpose other than the one for which they were collected, it must, before that further processing, inform the data subject of the new purpose and provide any other relevant information. More generally, the controller remains bound by the GDPR's transparency obligations.

Conclusion

Global privacy regulations are pushing organizations to be responsible custodians of their customers' data and to automate their privacy and security operations. To operationalize compliance at the scale of today's digital landscape, organizations need to adopt robotic automation.

Securiti helps organizations automate their privacy management operations using artificial intelligence and robotic automation. Ask for a demo today to understand how Securiti can help you prepare for compliance with the PIPL as well as comply with GDPR, DSL, and a whole host of global privacy regulations, with ease.

Frequently Asked Questions

Cross-border data transfers under GDPR refer to the transfer of personal data from the European Economic Area (EEA) to a jurisdiction outside the EEA. Such transfers are subject to specific rules and safeguards to ensure data protection.

The Personal Information Protection Law (PIPL) of China also regulates cross-border data transfers, requiring organizations to follow certain requirements and conduct security assessments before transferring personal data outside of China.

While the PIPL in China shares some similarities with GDPR, they are separate regulations. PIPL draws from GDPR and other global data protection frameworks but has unique provisions tailored to the Chinese context.

Key differences include the PIPL's data localization requirements, its specific rules for cross-border data transfers (notably the CAC security assessment), and variations in penalties and enforcement mechanisms. The two laws also differ in the precise scope of their extraterritorial application.

Yes. The GDPR allows transfers of personal data to countries outside the EEA provided an adequacy decision covers the destination or appropriate safeguards, such as standard contractual clauses or binding corporate rules, are in place (or, in limited cases, a derogation applies). Such transfers remain subject to scrutiny to protect data subjects' rights and privacy.
