The Personal Information Protection Law ('PIPL') in China has been in effect since November 1, 2021. The law was created to make data protection laws more comprehensive, with the first iteration established by the China Cyber Security Law ('CSL') and related national regulations. Its regulations limit how companies operating in China will collect, process, share, and transfer personal data abroad.
The CSL and the Data Security Law ('DSL'), on the other hand, focus more on the cyber security of China and restrict the transfer abroad of information that will affect national security. Together, the CSL, DSL, and PIPL form the main framework for regulating data in China, and these rules broadly affect the business activities of many companies.
Acting as the closest thing to an all-purpose data privacy regulation, China's Personal Information Protection Act (PIPL) regulates how and where the personal information of individuals living in mainland China is recorded and how and where it is transferred, regardless of whether the organizations processing this information are located in China.
Applicable Rules for the Processing of Personal Data
The law on the protection of personal data in China aims to ensure that the collection of personal data in mainland China is possible only with the consent of individuals and within certain limits. The main purpose here is not to allow data processing that is inconsistent with the consent of individuals for the benefit of society, public safety, and current laws. In the second stage, stricter rules restrict any transfer of the collected data abroad.
Consent can sometimes be implied, for example where personal data processing is necessary for the execution of the contract, or for human resources management to continue in accordance with labor rules.
Consent can also be implied where:
- Processing is necessary to fulfill legal duties and responsibilities or legal obligations.
- Processing relates to a public health emergency or is required in an emergency to protect the safety of life, health, or property of persons.
- Processing is necessary to carry out journalism, public scrutiny, and other similar activities in the public interest within a reasonable framework.
- Personal data has been disclosed to the public by the data subject or in any other legal way.
International Data Transfer
Personal data processors who will transfer data abroad must meet the requirements stipulated by PIPL. These requirements depend on the volume and type of data being transferred, and can include passing a security review by a government-approved auditor, obtaining a personal data protection certificate, concluding a contract with the foreign party that will accept the data, and meeting other conditions stipulated by laws, administrative regulations, or the Cybersecurity Administration of China (CAC).
Critical information infrastructure operators and personal data processors that process personal data in amounts exceeding the thresholds to be determined by the CAC may store the personal data collected and produced within the borders of China only on servers they host within the borders of China.
With this provision, PIPL introduces a critical regulation regarding data localization - imposing an obligation on processors of significant amounts of personal data to store such data within the borders of China.
Under Which Circumstances Does PIPL Allow the Transfer of Personal Data Abroad?
The personal data protection law (PIPL) applicable in China allows the transfer of personal data abroad, provided that the data processor complies with the following conditions.
- Completion and approval of the security assessment implemented by the CAC.
- The institution to which the data will be transferred abroad has signed a contract in standard form created and approved by the CAC.