PIPL 2023/24: Cross-Border Data Transfer in China Handbook
Published: January 2024
China’s PIPL and cross-border data transfer (CBDT) frameworks require that companies operating in the country take appropriate actions to ensure their compliance. Businesses that send data overseas or access data in China from abroad need a solid understanding of the criteria and requirements that apply to them to act accordingly. This handbook helps explain the key facets of China’s CBDT regime from a business perspective, highlights recent trends and expected developments, and offers practical steps for businesses to consider when planning their compliance approach.
The global surge in cross-border data flow has prompted governments worldwide, including China, to intensify oversight of data export and enhance security provisions. Against the backdrop of the European Union’s enactment of the General Data Protection Regulation (GDPR), China announced its own Cybersecurity Law of the People’s Republic of China (CSL) soon after, introducing restrictions on data export. Subsequent legislation, such as the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), along with supplementary regulations, has continually refined China’s cross-border data transfer (CBDT) regime.
For multinational corporations that send data overseas or remotely access data in China as part of their operations, understanding the evolving requirements and criteria for CBDT is of paramount importance. Compliance with China’s relevant data laws is not only essential for conducting business legally but also crucial for maximizing data security and facilitating the smooth flow of data across borders. Failure to implement proper CBDT mechanisms may result in delayed data sharing, business disruptions, and unforeseen penalties.
Despite cybersecurity and data protection laws being well developed, China’s regulatory landscape continues to evolve. In 2023, several new regulations specifically addressing data protection and cybersecurity were introduced, with a particular emphasis on CBDT. Additionally, a new draft law has been proposed, potentially easing CBDT rules in 2024.
This ongoing developmental phase has created some framework gaps, making it challenging for foreign companies to precisely discern applicable requirements and necessary actions for full compliance. Consequently, many companies have yet to take action, exposing themselves to coming policy shifts and compliance risks.
Given the current dynamic environment, experts in the legal and cybersecurity fields emphasize the importance of businesses adopting a proactive stance toward CBDT. Rather than awaiting enforcement, companies should address both known and unknown aspects appropriately.
In this handbook:
- What data are subject to CBDT mechanisms?
- What counts as CBDT activities?
- What kind of companies will have CBDT issues?
- What are the current rules for CBDT?
- CBDT mechanism I: Security assessment by the CAC
- CBDT mechanism II: Third party PI protection certification
- CBDT mechanism III: Signing a standard contract
- Recent developments & trends: Easing CBDT requirements for foreign companies
- 2024 outlook for cybersecurity and data protection regulations
- Conclusion: How businesses can deal with China’s evolving cross-border data transfer regimes
- Appendix I: Regulatory framework for CBDT in China
The information provided in this publication is for general purposes only and should not be used as legal or professional advice. No liability is assumed for the completeness or accuracy of the information. For specific business queries, consult our experts at Dezan Shira & Associates by emailing China@dezshira.com.