What is required by the PIPL regarding data transfers and data localisation? The PIPL has specialised the obligation in the Chapter 3, which sets rules for providing personal information outside of China. Articles 38 – 43 impose rules relating to data transfers and data localisation, with some restrictions. Articles 38 and 39 can apply to more organisations in general, requiring personal information processors to take measures, including: data transfer risk assessments required by the Cybersecurity Administration of China ('CAC'); legal certification; signing the Standard Contractual Clauses ('SCCs') formulated by the CAC; and other measures required by laws, regulations, or the CAC rules.
Insight
China: Operationalising PIPL Part two: Data transfers and localisation
September 27, 2021
Summary
The Personal Information Protection Law (PIPL) of China imposes new compliance obligations on organizations regarding data transfers and data localization, particularly under Articles 38-43. Critical Information Infrastructure Operators (CIIOs) and large personal information processors must store personal information within China, while all organizations must assess legal bases for data transfers, including obtaining consent and passing risk assessments by the Cybersecurity Administration of China (CAC). The PIPL also allows China to take reciprocal measures against countries that discriminate against it in terms of personal information protection. As the PIPL is not effective until September 1, 2021, and lacks case law, organizations are advised to focus on clear compliance requirements first.