Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. China’s Personal Information Protection Law (PIPL) provides that data controllers (such as employers) may only transfer or access personal information outside of mainland China:
In addition to meeting one of the conditions above, the data controller (such as the employer) must (a) provide notice to, and obtain separate, explicit consent from, the data subject (the employee); and (b) conduct a personal information impact assessment.
The PIPL does not include a specific requirement to keep copies of personal information in China. However, certain personal information (and non-personal data) must still remain in (and cannot be accessed outside of) Mainland China. This includes (but isn’t limited to):
The Cybersecurity Law requires “critical information infrastructure” providers to store “personal information” and “important data” within China unless their business requires them to store data overseas and they have passed a security assessment. At this point, it remains unclear what qualifies as “critical infrastructure” and “important data,” although the inclusion of “important data” in the text of the law alongside “personal data” means that it likely refers to non-personal data.
The National Standard of Information Technology – Personal Information Security Specification (个人信息安全规范, GB/T 35273-2020), effective October 1, 2020, includes suggested best practices relating to personal data. When transmitting or storing sensitive personal information, the Specification recommends that security measures, such as encryption, should be used.
In addition, before sharing and transferring personal sensitive information, network operators should inform data subjects of the type of personal sensitive information involved, the identity and data security capabilities of the data recipient, and should obtain the personal data subject’s prior, express consent.
The Draft Measures on Security Assessment of Cross-border Data Transfer was made available for public comment on October 29, 2021. The Draft Measures include a detailed description of when data that would be transferred out of China would be subject to a security assessment. Under the Draft Measures, a CAC security assessment would be required when:
The Draft Measures have not yet been finalized and are therefore not binding at this time.