China’s Personal Data Law – Legal and Practical Assessment of Compliance Risk
The implementation of the Personal Information Protection Law (“PIPL”) in 2021 establishes a legal framework that regulates the collection of personal information (“PI”) in China, applying to both foreign and domestic companies. The law also governs the cross-border transfer of PI (referred to here interchangeably as export) and has extraterritorial effect. Foreign companies processing Chinese PI from their home countries are subject to PIPL’s scrutiny, requiring them to either establish an entity in China or designate a Chinese representative. This local entity or representative must comply with PIPL requirements and register with the Cyberspace Administration of China (“CAC”).
Article 38 of PIPL outlines the obligations for companies exporting PI, whether belonging to Chinese or foreign nationals. Companies must choose one of the following options:
a) Successfully undergo a security assessment by CAC.
b) Enter into a standard contract with the overseas PI recipient, filing it along with a PI Protection Impact Assessment at the provincial-level CAC.
c) Obtain certification from an accredited institution.
According to the Measures for Security Assessment of Data Cross-border Transfer, data processors meeting specific criteria, such as those transferring important data, serving as key information infrastructure operators, or handling PI for over 1 million people, must opt for security assessments (Option a). Options b and c are not available for entities meeting these criteria. Additionally, these security assessments apply to data processors exporting PI of over 100,000 subjects or Sensitive PI of over 10,000 subjects since January 1st of the previous year…