Understanding Cross Borders Data Transfers Under GDPR and PIPL

Products
By Use Cases By Roles
DataControls Cloud^TM
View
Learn more

Asset and Data Discovery

Discover Data Assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Discover & Classify Structured and Unstructured Streaming Data

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Protect data systems by discovering and automatically remediating misconfigurations

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog enterprise datasets

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
DataControls Cloud^TM
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Managment

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

US California CPRA

View

European Union GDPR

View

Brazil’s LGPD

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA

View

Thailand PDPA

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Videos

Solution and customer videos.

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

China has passed its comprehensive data protection law that came into effect on November 1st, 2021. China’s PIPL imposes very stringent obligations on how organizations process and disclose personal information. PIPL is said to be “China’s GDPR” based on its strict and far-reaching scope. Both GDPR and PIPL have extraterritorial applicability. However, China’s public authorities have discretion provided under the PIPL to further extend the long-arm jurisdiction of the PIPL in cross-border scenarios. In this article, we will highlight and compare the requirements of cross-border data transfers under the GDPR and PIPL.

Cross border transfers of data are allowed when the user explicitly agrees with the code of conduct approved by a relevant supervisory authority. This code of conduct must include crucial information related to safeguards in place to protect data, data rights

The cross-border transfer mechanism prescribed under the PIPL is quite similar to the GDPR except there are few differences. PIPL includes some additional cross-border data transfer requirements, in particular, for the exporters who are Critical Information Infrastructure Operators (CIIOs) or who process a large amount of personal information. The PIPL does not specify what constitutes a large amount of personal information, the Cyberspace Administration of China (CAC) will release further guidelines on this threshold. Following are the few mechanisms that PIPL and GDPR provide for the cross border transfer of personal data:

1) Adequacy Decision:

GDPR has an “Adequacy Decision” mechanism for the cross-border transfer of personal data. Accordingly, personal data transfers to another country outside the European Union can take place when the European Commission has decided that the third country of data destination provides an adequate level of data protection (there are currently 12 countries on the “adequate” list). Although China does not provide this specific and clear mechanism, it imposes an obligation on personal information exporters to ensure data protection standards are met after transfer as per Article 38 of the PIPL. It means it is quite similar to GDPR as both laws require organizations outside of their jurisdictions to have the same level of data protection for exported personal data.

The PIPL also describes that China is open to mutual recognition with other countries regarding cross-border data transfers and China will respect and adhere to relevant provisions of ratified international treaties and agreements. Furthermore, Article 43 of the PIPL provides certain requirements for countries or regions not to adopt discriminatory prohibitions, restrictions, or other similar measures against China in terms of personal information protection.

2) Appropriate safeguards:

As per the GDPR, personal data transfers to another country outside the EU can take place only when an adequate level of protection is ensured or there are safeguards in place to ensure the level of protection is essentially equivalent to that currently guaranteed inside the EU. Such safeguards include Binding Corporate Rules (BCRs), Code of Conduct, Standard Contractual Clauses (SCCs), Certifications, and other legally binding instruments. These safeguards are also provided under the PIPL. Based on Article 37 of the PIPL, it would be accurate to state that PIPL and GDPR have a few similar approaches in providing several paths for organizations to facilitate cross-border data transfer scenarios. However, there are a few differences that can be seen in the following table:

	GDPR	PIPL
BCRs	BCRs are internal rules for cross-border data transfers between the same group of enterprises engaged in a joint economic activity. They are required to be approved by the competent supervisory authority.	The PIPL does not provide any information regarding the BCRs.
Code of Conduct	Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, specifying the application of the GDPR. Cross-border data transfers may take place on the basis of codes of conduct that have been approved.	The PIPL does not provide any information regarding the code of conduct.
Security Reviews and Assessment	Not required.	Cross-border data transfers may take place only after having the security assessment performed by the state cybersecurity department. This requirement is for the CIIOs and personal information processors who handle large volumes of personal information. This is one of the reasons why the PIPL cross-border regime is considered stricter than the GDPR.
Certification	Data protection certification mechanisms may allow cross-border data transfers. Certifications are approved by the competent supervisory authority and issued for a maximum period of three years and may be renewed.	Cross-border data transfers may take place after having personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and informatization department.
Legally Binding Instruments/Treaties	Public sector cross-border data transfers may take place via a legally binding and enforceable instrument between public authorities or bodies (i.e. between a public authority in the EU and a public authority in the third country).	Cross-border data transfers may take place while obliging with China’s international treaties and agreements.
SCCs	Cross-border data transfers may take place with the use of standard data protection clauses (adopted by a supervisory authority and approved by the European Commission). The European Commission has adopted two sets of SCCs, one for the transfer of personal data to third countries and one for use between controllers and processors.	Cross-border data transfers may take place with a contract formulated by the cyberspace and informatization department, which establishes the rights and responsibilities of both the company and foreign receiving side. These SCCs are not formalized yet.

BCRs
GDPR
BCRs are internal rules for cross-border data transfers between the same group of enterprises engaged in a joint economic activity. They are required to be approved by the competent supervisory authority.
PIPL
The PIPL does not provide any information regarding the BCRs.

Code of Conduct
GDPR
Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, specifying the application of the GDPR. Cross-border data transfers may take place on the basis of codes of conduct that have been approved.
PIPL
The PIPL does not provide any information regarding the code of conduct.

Security Reviews and Assessment
GDPR
Not required.
PIPL
Cross-border data transfers may take place only after having the security assessment performed by the state cybersecurity department. This requirement is for the CIIOs and personal information processors who handle large volumes of personal information. This is one of the reasons why the PIPL cross-border regime is considered stricter than the GDPR.

Certification
GDPR
Data protection certification mechanisms may allow cross-border data transfers. Certifications are approved by the competent supervisory authority and issued for a maximum period of three years and may be renewed.
PIPL
Cross-border data transfers may take place after having personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and informatization department.

Legally Binding Instruments/Treaties
GDPR
Public sector cross-border data transfers may take place via a legally binding and enforceable instrument between public authorities or bodies (i.e. between a public authority in the EU and a public authority in the third country).
PIPL
Cross-border data transfers may take place while obliging with China’s international treaties and agreements.

SCCs
GDPR
Cross-border data transfers may take place with the use of standard data protection clauses (adopted by a supervisory authority and approved by the European Commission). The European Commission has adopted two sets of SCCs, one for the transfer of personal data to third countries and one for use between controllers and processors.
PIPL
Cross-border data transfers may take place with a contract formulated by the cyberspace and informatization department, which establishes the rights and responsibilities of both the company and foreign receiving side. These SCCs are not formalized yet.

3) Derogations:

In the case of a cross-border data transfer to a non-adequate country and when no safeguards are in place, the GDPR allows data controllers to rely on certain derogations for cross-border data transfers. These derogations have a limited application as a means of transferring data to a third country. However, the PIPL prescribes that cross-border transfer is permitted if it meets the requirements of “Laws, administrative regulations or other conditions stipulated by the national cybersecurity and informatization department”.

	GDPR	PIPL
Derogations	The transfer has been conducted upon the explicit consent of the Data Subject; The transfer is necessary for the performance of a contract (or pre-contractual measures) between the Data Subject and Data Controller; The transfer is necessary for the performance of a contract between a legal guardian of the Data Subject and Data Controller, for the benefit of the Data Subject; The transfer is necessary for important reasons of public interest; The transfer is necessary for the establishment or exercise of legal claims or defenses; The transfer is necessary for the vital interests of the data subject - and the data subject is unable to consent; The transfer is made from a register which according to Union or Member State law is intended to provide information to the public; The transfer is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject - provided no other exception/derogation applied and the Supervisory Authority and the Data Subject is notified of the transfer.	Cross-border data transfers may take place after meeting the conditions provided under other Chinese laws and regulations.

Derogations
GDPR
The transfer has been conducted upon the explicit consent of the Data Subject; The transfer is necessary for the performance of a contract (or pre-contractual measures) between the Data Subject and Data Controller; The transfer is necessary for the performance of a contract between a legal guardian of the Data Subject and Data Controller, for the benefit of the Data Subject; The transfer is necessary for important reasons of public interest; The transfer is necessary for the establishment or exercise of legal claims or defenses; The transfer is necessary for the vital interests of the data subject - and the data subject is unable to consent; The transfer is made from a register which according to Union or Member State law is intended to provide information to the public; The transfer is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject - provided no other exception/derogation applied and the Supervisory Authority and the Data Subject is notified of the transfer.
PIPL
Cross-border data transfers may take place after meeting the conditions provided under other Chinese laws and regulations.

4) Data localization:

The GDPR does not require data localization. However, the PIPL requires that Critical information infrastructure operators and personal information processors that process personal information above the number prescribed by the national cybersecurity and informatization department shall store personal information collected and generated within China. If they need to transfer such personal information to points outside China, the transfer must pass a security assessment administered by the government authorities.

5) Requirement of Privacy Notice and Consent:

For the cross-border transfer of personal information under the PIPL, organizations must provide notices to individuals explaining the details of the transfer. Organizations should also obtain separate consent from individuals for the transfer of their personal information. The notice should include the following:

Foreign recipient name or personal name;
Contact method,
Purpose of processing and processing methods; and
Personal information categories, as well as ways for individuals to exercise their rights under the PIPL with the foreign recipient, or other matters related to transfer.

For cross-border data transfers under the GDPR, data controllers must inform the data subject of its intention regarding the transfer of data to a third country at the time personal data is collected from the data subject and provide the following information:

The existence or absence of an adequacy decision by the Commission, or
In case of transfers based on appropriate safeguards or derogations, reference to the appropriate or suitable safeguards, the means by which to obtain a copy of them, or where they have been made available

Where the data controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller must provide the data subject prior to that further processing with information on that other purpose and any relevant information. The data controller must generally comply with the transparency obligations of the GDPR.

Conclusion

Global privacy regulations are encouraging organizations to be responsible custodians of their consumers' data and automate privacy and security operations. In order to operationalize compliance, organizations need to incorporate robotic automation in order to keep up with the current digital landscape.

Securiti helps organizations automate their privacy management operations using artificial intelligence and robotic automation. Ask for a demo today to understand how Securiti can help you prepare for compliance with the PIPL as well as comply with GDPR, DSL, and a whole host of global privacy regulations, with ease.

Take a
Product Tour

See how easy it is to manage privacy compliance with robotic automation.

Watch a demo

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.