The enactment of the Personal Information Protection Law (“PIPL”) in 2021 establishes a legal framework regulating foreign and domestic companies alike in collecting personal information (“PI”) in China and its cross-border transfer (or export, using interchangeably below). PIPL has extra-territorial effect. Foreign companies processing Chinese PI remotely from their home countries are subject to PIPL’s scrutiny, necessitating the establishment of an entity in China or the designation of a Chinese representative. This local entity or representative must comply with PIPL requirements and register with the Cyberspace Administration of China (“CAC”).
According to Article 38 of PIPL, companies exporting PI, regardless of that of Chinese or foreign nationals, must fulfil one of the following options:
a) pass a security assessment by CAC;
b) sign a standard contract with the overseas PI recipient and file it, along with PI Protection Impact Assessment, with the provincial level CAC; or
c) obtain certification from an accredited institution.
Under the Measures for Security Assessment of Data Cross-border Transfer, data processors who:
- transfer important data;
- are key information infrastructure operators or PI processors handling PI of over 1 million people; or
- export PI of over 100,000 subjects or Sensitive PI of over 10,000 subjects since January 1st of the previous year
must apply for security assessments (Option (a)). Options (b) and (c) are not available for them.
PIPL empowers CAC to stipulate rules about Options (a)-(c). CAC has since issued the following regulations to set out deadlines for PI processors:
|Security Assessment||March 1, 2023||Measures for Security Assessment of Data Cross-border Transfer|
|Standard Contract||December 1, 2023||Measures for Personal Information Cross-border Transfer Standard Contract|
|Certification||No set deadline||Implementation Rules for Personal Information Protection Certification|
Facing these deadlines, foreign enterprises in China have largely taken two approaches: proactive preparation for security assessment or standard contract, or awaiting further clarification or guidance from CAC.
On September 28, 2023, CAC issued the Draft Provisions on Regulating and Promoting Cross-border Data Transfers (“Draft Provisions”), providing exemptions under certain conditions. If a PI processor exports PI of fewer than 10,000 subjects, it may be exempted from fulfilling any of the three options. The consultation period of the Draft Provisions ended on October 15.
Once the Draft Provisions become law, this is good news for foreign companies collecting a small amount of PI in China and export it as part of their business operations. For instance, they may export a Chinese employee’s PI to manage global HR, or collect Chinese consumer’s PI to enrich their worldwide membership database. However, the PI amount and its business value, along with the business benefit derived from such PI export, do not justify disproportionate spending on legal compliance. Leveraging the Draft Provisions, they can claim exemptions from filing with CAC.
But as the second deadline of 1 December for filing the standard contract is now overdue and the final version of the Draft Provisions has not yet been released, these foreign companies which have previously taken a wait-and-see approach are now anxious about compliance issues. The first question popping into their head would be:
What is the legal consequence if we fail to file with CAC before the deadlines?
This article aims at answering the question, applicable even when the Draft Provisions become law. Preparing a precise response is challenging, as the laws are new and the deadlines not yet long overdue. Precedents are scant. No penalty has yet been issued for missing the deadlines. Given these restrictions, this article tries to offer insights from both a legal interpretation and practical perspective.
Chapter 7 of PIPL, titled “Legal Responsibility”, stipulates consequence for non-compliance by a PI processor.
Legal responsibility under PIPL includes administrative and civil liability. For criminal liability, Article 71 of PIPL defers to the Criminal Law of the People’s Republic of China. Article 286 of the Criminal Law stipulates certain criminal liabilities in extreme cases of non-compliance under the Crime of Refusing to Fulfill Information Network Security Management Obligations.
For administrative liability, Article 66 of PIPL provides directives for different violation levels, ranging from rectification orders and warnings to fines and business shutdowns. Article 67 records violations in the credit rating of the violating entity.
Article 66 (1) of PIPL subdivides violation into three levels, depending on the seriousness of the breach. For the first level, petty violation, CAC can issue the following decisions:
- Rectification order,
- Confiscation of illegal gain, and
- Order for suspension or termination of service.
If the violator fails to comply with the rectification order, it is subject to the second level liability, which includes:
- A fine of below RMB 1 million yuan (approx. US$143,000) imposed on the PI processing entity, and
- A fine of RMB 10,000-100,000 yuan (approx. US$1,430-14,300) for responsible person(s).
For more aggrieved circumstances, the highest-level administrative penalty is stipulated in Article 66 (2), which empowers provincial level CAC to issue the following decisions:
- Rectification order,
- Confiscation of illegal gains,
- A fine of not more than RMB 50 million yuan (approx. US$7.15 million) or less than 5% of the previous year’s turnover,
- Business suspension,
- Business shutdown for rectification,
- Notification to relevant authorities to revoke business license,
- A fine of RMB 100,000 – 1 million yuan (approx. US$14,300 – US$143,000) for responsible person(s), and
- Prohibition of that person(s) serving as a director and other responsible position in a company.
Civil liability is briefly mentioned in Articles 69-70 without going into detail about how damages are measured. Article 69 introduces a reversed burden of proof. If a PI processor infringes upon PI rights and causes damage, but cannot prove that it is not at fault, it shall bear the liability for infringement such as compensation for damages.
Article 70 introduces the concept of class action. The People’s Procuratorate, consumer organizations and organizations determined by CAC may file a lawsuit with the People’s Court on behalf of a group of affected individuals.
Without precedent cases for reference, foreign companies may find it challenging to gauge the actual risk level for not meeting the deadlines. The risk level would definitely increase over time.
CAC is aware of business justifications for foreign companies to export certain PI back to their headquarters in home countries. In practice, there is no technical means to detect all PI export activities in China and penalize all violators in one go. Unavoidably, CAC may focus enforcement actions on cases which possess higher risk to the Chinese PI subjects, society and national security as a whole.
Depending on certain factors, foreign enterprises may experience different challenges in conducting their compliance activities in China. Companies may consider the following non-exclusive list of factors in their risk assessment and preparing an appropriate level of compliance activities that they find fitting:
|PI Sensitivity||PIPL affords a stronger protection to Sensitive PI, as defined by the law and National Standard. Priority should be given to PI considered particularly sensitive in the Chinese context, for example biometric data, credit ratings, medical records, PI of minors and financial data. A foreign company exporting a substantial amount of Sensitive PI, should plan ahead in their compliance activities.|
|Industry sectors||CAC may consider certain business sectors as strategic, under which any PI collected and exported would likely invite more scrutiny from the authority. While not explicitly stated in the law, foreign PI processors in areas such as finance, education, medical, telecom, transportation, energy, and advanced technology (e.g. AI, electric vehicle, microchips, robotic, life science) are advised to pay more attention to PI compliance issue.|
|Scale of PI export||Destination – Chinese PI being exported to a country lacking legal and technical protection for PI would certainly raise eyebrows at the Chinese authority. Even if the recipient country has a sophisticated legal framework on PI protection, inconsistencies with PIPL or discriminatory measures against Chinese PI may prompt CAC intervention. PI Amount – The higher the amount of PI export, the riskier the exporter is for being accused of non-compliance. PI Scope – To calculate whether the amount of PI export has reached a certain threshold, all PI belonging to the same PI individual would be considered as one count only. A foreign company exporting a smaller amount of PI may not reach the threshold of a security assessment. However, if it exports a large scope of PI for the same person that goes beyond usual items like name, sex, date of birth, telephone number, etc., its risk level may increase. Duration – PIPL requires PI processors to delete PI upon completion of the stated processing purpose. If a piece of PI stays overseas for too long without a proper retention and deletion process, CAC may challenge the entire PI export activity.|
|Location of foreign companies in China||Exporting PI from a major Chinese city (Beijing, Shanghai, Shenzhen, etc.) is a double-edged sword. On one hand, that invites scrutiny from a more proactive provincial CAC bureau that is eager to enforce PIPL. These local bureaus are, however, also more experience in resolving PI exporting issues faced by a foreign company and more ready to provide guidance. Foreign companies setting up a branch office in China are advised to stay closely in touch with their local CAC.|
|Origin of foreign companies||A foreign investor from a more PI law-advanced country may be more reputed in its PI export activities. But if China’s relationship with this country turns sour, any activity of this investor would be in the limelight.|
|Other factors||Other dynamic factors such as government attitude, public and media opinion, and PI leakage incidents, may change from time to time but are crucial for foreign companies to measure their risk level in Chinese PI compliance.|
While the factors above affect the likelihood of CAC’s accusations, violation occurrence remains a fact. A time bomb is ticking. It is advised for even low-risk foreign companies to engage third-party assessors for PI export compliance activities. These activities may include:
- PI Protection Impact Assessment: even if they are not prepared to file an application with CAC, organizations are required under Article 55 of PIPL to conduct an impact assessment for any cross-border PI transfer.
- Consent Management: Organizations must obtain explicit consent from individuals before transferring their PI across borders. The consent process should be transparent, and individuals should be informed about the purpose, scope, and destination of the PI transfer.
- Data Localization: PIPL emphasizes PI localization requirements, meaning that certain types of PI must be stored within the borders of mainland China. Organizations should assess the types of PI they are collecting and ensure compliance with localization requirements.
- Security Measures: Implementing appropriate security measures to protect PI during its export is crucial. This includes encryption, access controls, and other safeguards to prevent unauthorized access, disclosure, alteration, and destruction of PI
- Contractual Obligations: Organizations engaging in PI export should establish clear contractual agreements with overseas PI recipients, outlining the responsibilities and obligations of each party in ensuring the protection and lawful use of the transferred PI.
- Notification and Transparency: Individuals should be informed about the cross-border transfer of their PI, and organizations should be transparent about their PI processing practices. Notification may be required before or after the transfer.
- Recordkeeping: Maintaining records of cross-border PI transfers is essential for compliance. Organizations should be able to demonstrate to regulatory authorities that they are handling PI in accordance with the law.
- PI Subject Rights: Ensure that individuals have the right to access, correct, and delete their PI even when it is transferred across borders. Organizations should establish mechanisms for individuals to exercise their PI subject rights.
- Compliance Audits: Regularly conduct internal audits to assess compliance with PIPL and related regulations. Audits can help identify areas for improvement and ensure that the organization’s practices align with legal requirements.
Businesses operating in China or dealing with Chinese citizens’ PI should stay informed about the latest regulations and non-legal updates, such as PI news in China and China’s diplomatic relationship with other countries. The regulatory and other PI landscape can evolve, and companies should regularly review their PI protection policies and practices to align with the current circumstances.
For the most up-to-date and accurate information, it is recommended to consult CAC directly or other legal professionals in China.