Data protection rules in China

December 28, 2023 09:37

Influenced by Europe's General Data Protection Regulation (GDPR), arguably the most robust privacy and security law in the world, China introduced its Personal Information Protection Law (PIPL) in November 2021. Like GDPR, PIPL has extraterritorial reach: its jurisdiction extends to entities outside China that handle the personal information of individuals within China, if certain criteria are met.

Under PIPL, companies that export personal data outside China must either:

• pass a rigorous government security assessment, which, under the Data Security Law of China, applies to all exports of 'important data';

• execute and file a standard contract (SCC), along with a data protection impact assessment, with the Cyberspace Administration of China (CAC); or

• meet other conditions, such as obtaining a personal information certification.

The mechanism used is determined by the volume and nature of data to be transferred.

That's the theory. In practice, there is still confusion around terminology, such as what exactly qualifies as 'important data'. Regulatory bodies are still working on sector- or region-specific guidance, and there is a shortage of government manpower to carry out assessments.

There are concerns that PIPL, in its current guise, is limiting domestic economic growth. Economic figures, released in the second quarter of 2023, make worrying reading. They have prompted public comment that data regulations should not construct obstacles to market participation.

New rules may ease cross-border data transfer

Fast forward to September 2023. CAC published draft revisions to the rules governing cross-border data transfer (CBDT) for public consultation. If adopted in full, the provisions, which are designed to be more market and investor friendly, could exempt all but the biggest organisations from onerous data transfer mechanisms. The draft provisions seek to clarify concerns and ambiguities:

• Important data: In the absence of specific designation from a competent regulator, organisations can safely assume that the data they transfer is not deemed 'important data'. Responsibility for definition shifts from the data exporter to sectoral and regional regulators, and the need for a security assessment is eliminated. At least for now.

• Critical infrastructure designation: Unless officially notified by a competent regulator that their activities are critical to China's national security, economy or the public interest, organisations can assume they are not designated as critical information infrastructure operators.

• Data thresholds: The threshold for triggering a security assessment is lowered and becomes forward looking rather than retrospective. Organisations likely to make aggregated transfers of the personal data of between 10,000 and one million China-based individuals per year no longer need a security assessment. They can go down the SCC clearance route instead. Those expecting to transfer the personal data of fewer than 10,000 individuals annually are exempt from all CBDT mechanisms.

• Business-critical transfers: Companies engaged in activities where the transfer of personal data is integral to doing business, such as cross-border payment for goods and services, are exempt from CBDT mechanisms.

• HR management: Transfers of employees' personal data for HR management and payroll purposes are exempt under the proposed revisions.

• Emergency situations: Personal information that is transferred in the interests of protecting the health or property of a person in an emergency situation is exempt from compliance with CBDT mechanisms.

Law making in a data-dense environment

So where do these draft provisions leave China right now?

Undoubtedly, there is a delicate balance to achieve between the pursuit of a market-friendly policy that prioritises economic growth and the need to maintain the integrity of the law-making process.

Certainly, the proposed CBDT revisions introduce exceptions that diverge from the core objectives of the higher-level PIPL. If adopted as written, they run the risk of eroding foreign investors' expectations of a legal framework that is stable, consistent and reliably enforced in China.

However, in this data-dense environment, shouldn't the efficacy of law lie in its ability to keep up with the dynamic landscape it seeks to govern?

Instead of an endpoint, we might consider that the draft CBDT provisions are kickstarting an ongoing cycle of reinvention. Regulators, tuned into global best practice, are ready to adapt law to the rapidly evolving commercial, economic and security-related circumstances.

This fluid approach is not just a governance necessity. It is a strategic imperative for managing the abundance of data that is a by-product of global innovation and a non-negotiable of modern business. In fact, what we're seeing here with CBDT could well be a glimpse of the shape of things to come in China.

On the agenda

Free-trade zones to govern negative list

Central government is giving the green light to regional and local free trade zones (FTZs), like Shanghai and Guangdong, to issue their own negative lists. Essentially, it allows FTZs to make exemptions for moving data beyond their respective zones without triggering CBDT mechanisms. This not only creates more favourable conditions for domestic businesses engaged in cross-border data transfers outside China but makes FTZs more appealing bases for overseas companies too.

Data passing through

An exemption, under the draft provisions, relates to data passing through. Simply put, if data is not originally collected or generated within mainland China, it is exempt from compliance with CBDT rules. However, some commentators point to potential extraterritorial misuse, highlighting concerns that companies could use servers located outside of China for the exempt transfer of data.

Partner, Simmons & Simmons