In 2015, the People’s Republic of China (PRC) enacted the first part of its comprehensive data security regime with the promulgation of the State Security Law, which provided a statutory basis for the construction of a nationwide network and information security system.  The Cybersecurity Law (CSL), which followed in 2017, addressed cybersecurity protection and introduced the concept of a “Critical Information Infrastructure Operator” (CIIO).  Subsequently, other laws, regulations, and rules have been promulgated addressing the requirements of China’s digital economy, related state security matters, and personal information privacy rights. Among those, the Data Security Law (DSL) became effective on September 1, 2021, and the Personal Information Protection Law (PIPL) will go into effect on November 1, 2021.  After subsidiary regulations and rules addressing implementation of the DSL and PIPL have entered into force, China’s new data security architecture should be largely complete.

For foreign companies with mainland China-based operations, the new provisions are likely to require changes to current compliance programs, depending on existing levels of data protection and localization of data handling procedures. Cross border data transfers could be of particular concern for foreign-operated businesses in mainland China and in some circumstances for counterparties located outside the mainland.

The PIPL is China’s first comprehensive personal data privacy law and, while modeled in part on the EU General Data Protection Regulation, there are some significant differences. Together, the provisions of the DSL and the PIPL form a comprehensive set of rules governing data protection in mainland China by addressing actions involved in the processing of data, including personal information, and related national security requirements.  These laws do not apply directly in the Hong Kong and Macau Special Administrative Regions, which currently have their own domestic legal regimes (although counterparties in Hong Kong and Macau must comply with the long-arm provisions discussed below).

Key Definitions

The DSL defines “data” as any record of information in electronic or any other form. “Data processing,” which is framed in terms of data holding in the DSL, is defined to include collection, storage, use, processing, transmission, provision, and public disclosure of data.  The PIPL defines “personal information” as all kinds of information relating to identified or identifiable natural persons recorded by electronic or other means, excluding anonymized information. “Personal information processing” is defined to include collection, storage, use, processing, transmission, provision, disclosure, or deletion of personal information.

Cross Border Data Transfers by CIIOs

The degree of regulation applicable to cross border data flows will depend on whether  an operator is a CIIO (or not), whether the volume of data reaches statutory thresholds and the sensitivity of the data.  All personal information processors have a duty to disclose specified information regarding cross border transfers of the personal information of a data subject and to obtain consent.

CIIOs comprise operators involved in processing data through network facilities and information systems within industries and fields in which damage, functional loss or data breach could cause serious harm to national security, the national economy, people’s livelihoods, or the public interest.  There has been some speculation among commentators as to which types of entities are caught by the definition. Potentially, CIIOs include operators conducting businesses in the communication and information services, energy, transportation, water conservancy, finance, public services, e-government, national defense, science, and technology sectors.

The management of cross-border transfers of “important data” collected and generated by CIIOs during their operations is governed principally by the CSL, which requires that important data and personal information collected and produced by CIIOs in mainland China be retained within the jurisdiction. Special procedures apply if there is a need to send such data outside the jurisdiction.

The DSL distinguishes between “important data” and “other data,” concepts which are undefined.  To facilitate practical application, the law provides for the creation of a data protection cataloging system that will categorize different types of data, organizing it according to a hierarchy of importance.  Once a cataloging system has been established at the national level, each region or department will be required to determine local catalogs of important data that are specific to that region or department involving different industries and fields.

In order that a CIIO can transfer important data or personal information overseas for commercial or other purposes, a security assessment must be conducted in accordance with measures to be developed by the National Cyberspace Administration (CAC) and other government stakeholders. Failure to comply with the security assessment requirement could anmount to a serious violation, incurring fines and income confiscation, as well as suspension of business or revocation of business licenses, etc.

Cross Border Data Flows of Non-CIIOs

Not all data processors in mainland China will be CIIOs, and non-CIIOs will also be subject to the DSL and the PIPL.

Generally, transfers of data collected and generated by non-CIIO data processors will be subject to regulation, commensurate with the volume, type and purpose of the data to be transferred. If a data processor transfers personal information outside mainland China, appropriate certifications and compliance measures must be taken before such information is transferred.  As with CIIOs, if the volume of data reaches a mandated threshold, the data exporter must pass a security assessment organized by provincial departments of the CAC. In other circumstances, the obtaining of a personal information protection certification from a specialized institution designated by the CAC may be required.  The legislation also provides for the signing of an agreement with an overseas recipient of personal information based on a model contract to be published by the CAC.  Importantly, the DSL includes a discretion for regulators to require other measures.

Long-arms Jurisdiction

Both the DSL and the PIPL assert a degree of “long-arm jurisdiction” over counterparties to data transfer transactions that are located outside mainland China. The DSL provides that parties who conduct data processing activities outside the mainland that are detrimental to national security, public interest, or the lawful rights and interests of citizens and organizations of the PRC shall be liable for violations. The PIPL specifically provides for application of relevant provisions to the processing of personal information outside mainland China of individuals who are within mainland China, if such information is processed for the purpose of providing products or services to natural persons in mainland China, or in order to analyze or assess the conduct of natural persons inside China.  Further, the PIPL provides that information processors located outside mainland China which analyze or assess the conduct of natural persons inside the mainland must establish special institutions or designate representatives within mainland China to handle matters relating to personal information protection, and submit the names of those institutions or representatives to relevant government authorities. Potentially, offshore violations of these provisions could result in the blacklisting of an entity.  As with much of the detail required to achieve compliance, the qualification requirements for such institutions or representatives are awaited.

Timeline for Compliance

Currently, many practical aspects regarding cross border data transfers await clarification, including which regulators will be tasked with practical enforcement of the DSL and the PIPL. Also awaited are details of the thresholds that will trigger security assessments, how such assessments will be carried out, which institutions will conduct personal information protection certifications, and how long certifications will remain effective.

The 2019 draft “Measures for Security Assessment of Cross-Border Transfer of Personal Information” indicate likely compliance requirements, but they, too, await finalization. Those requirements include retention of records of cross border transfers of personal information for at least five years, including the date and time when information was sent, and details of the recipient’s name, address, and contact information, together with the category, quantity and degree of sensitivity of personal information.

No public deadlines for compliance have been issued by regulators and the drafting process for subsidiary legislation is ongoing.  However, given the comprehensive nature of data security requirements and the data management processes that are likely to be mandated, parties with exposure to data transfers involving mainland China will want to consider carefully the various ramifications as soon as possible. This is yet another framework to consider in the already complex ecosystem of rules, guidelines and recommendations applicable to data transfers across the world (including, of course, recent and upcoming developments in the EU and the UK).

For more information about these and other developments, contact a member of Steptoe’s global Privacy & Cybersecurity team or the post’s authors, Susan Munro, Diletta De Cicco, and Charles Helleputte.

(This blog post is provided for informational purposes only and does not constitute legal advice concerning PRC law.)