Part 2: PIPL and GDPR Compliance Obligations on Cross-Border Transfers of Personal Information | Cooley LLP

As explained in our previous blog post, in addition to the requirements for adopting a cross-border transfer mechanism, China’s Personal Information Protection Law (PIPL) and the European Union’s General Data Protection Regulation (GDPR) establish further compliance obligations on the cross-border transfer of personal information.[1]

Before controllers (under the GDPR) or personal information processors (under the PIPL) in China can initiate cross-border data transfers, certain requirements must generally be met regardless of the transfer mechanism and the status of personal information processors – for example, whether or not personal information processors are critical information infrastructure operators or process a “large amount” of personal information.

As a general requirement, the PIPL requires that all personal information processors take steps to ensure that foreign recipients’ processing of personal information meets the level of personal information protection set out in the PIPL.[2] In practice, imposing contractual obligations on data importers regarding how they should handle personal information received, and including a right of audit for data exporters, are common ways of fulfilling the obligation mentioned in the previous sentence, based on our observations.

Comparison table of relevant compliance requirements for personal information processors under the PIPL and controllers under the GDPR

As the final installment in this series, our next blog post discusses whereabouts requirements and restrictions on responding to requests from foreign judicial and law enforcement agencies under the PIPL.


[1] Because the CCPA does not regulate the transfer of personal information across international borders, this article does not discuss the CCPA.

[2] PIPL Article 38.

[3] PIPL Article 39.

[4] Id. We have also seen a different interpretation, that separate consent is not required. In this interpretation, Section 13 of the PIPL indicates that if a company relies on a non-consent basis for the processing of certain personal information (for example, relying on “necessary for the performance of the contract” as a legal basis), it does not need to obtain separate consent before transferring such personal information overseas.

[5] Under Section 55 of the PIPL, an internal privacy impact assessment will be triggered in the following circumstances: (i) processing sensitive personal information; (ii) processing personal information for automated decision-making; (iii) relying on suppliers to process personal information, sharing personal information with other personal information processors, or publicly disclosing personal information; (iv) transferring personal information outside of China; and (v) other processing activities that may have a significant impact on the rights and interests of individuals.

[6] Articles 55 and 56 of the PIPL.

[7] PIPL Article 56.

[8] Published on November 19, 2020 and effective June 1, 2021, these guidelines from China’s State Administration for Market Regulation and the Administration of Standardization specify that the assessment of cross-border transfers should refer to other guidelines specifically for such situations.

[9] Draft Security Assessment Measures for Cross-Border Data Transfer, Article 5.

[10] Id.

[11] The European Data Protection Board has drawn up draft recommendations on additional measures, which can help controllers and processors.

[12] PIPL Article 42.

[13] PIPL Article 43.
