On 1 November 2021, the Chinese Personal Information Protection Law (PIPL) came into force.
If you need a refresher, Getting Started with PIPL Compliance previously outlined the obligations organizations have under this new omnibus data protection law.
It is important to realize that all of these obligations have now taken full effect, despite the lack of clarity that remains around some of them.
Confusion about PIPL compliant international data transfers
One area where much remains unclear is international data transfers.
However, on 29 October 2021, the Cyberspace Administration of China (CAC, the main regulator for all things digital) unexpectedly announced a four-week public consultation on the so-called Outbound Data Transfer Security Assessment Measures (the Measures).
This assessment is one of three options for exporting data from China to any other country. Stanford University’s DigiChina has provided a helpful translation of the consultation document.
A data transfer based on a security assessment consists of three phases:
1) Contract negotiations – the data handler and the foreign receiving party will need to have a contract in place for the data transfer that meets the requirements of the PIPL in general, as well as of Article 9 of the Measures.
This means the contract will need to provide full details of the processing operation, limitations on data storage, retention periods and onward transfers, details of a required review of the security assessment if the legal situation changes, and provisions on liability and the consequences of data breaches.
2) A security self-assessment – before any data can be provided abroad, the data handler will need to conduct a self-assessment as prescribed in Article 5 of the Measures.
This process seems to align with the data transfer risk assessment that has become in vogue in Europe recently: it documents the transfer process, the risks that have been considered and their mitigating measures, and assurances from the receiving foreign party that the Chinese requirements will be respected.
3) Government assessment – the final step in the process is the government-led security assessment.
To this end, the self-assessment and underlying documents, including the (draft) contract between the data handler and the foreign receiving party, will need to be submitted to the regional branch of the cybersecurity authorities which oversees the data handler.
Within 7 business days, they will need to confirm whether the assessment is accepted, and if so, the authorities have 45 days (extendable to 60 days for complex cases) to complete their assessment.
The focus of the government assessment is mainly whether the transfer has negative effects on China’s “national security, the public interest, and the lawful rights and interests of individuals and organizations”.
After security assessments
Once a data transfer security assessment is approved, it will remain valid for two years, unless the legal situation in the receiving foreign country fundamentally changes.
If that is the case, a new assessment is required, and the existing assessment’s validity could be withdrawn.
If the transfer security assessment is not approved by the authorities, the data transfer cannot take place. It is unclear whether any appeal against such a decision would be possible.