Under the PIPL, CIIOs processing personal information (defined as various kinds of data related to identified or identifiable natural persons recorded by electronic or other means, excluding the data processed anonymously), and personal information processors that are processing personal information over certain thresholds prescribed by the CAC have to store the personal information collected or produced in mainland China domestically. Personal information processors that wish to transfer such information outside mainland China must either:
- pass the security assessment;
- obtain certification from a professional institution in accordance with the regulations set by the CAC;
- enter into a standard contract with the overseas recipient specifying their respective rights and obligations; or
- comply with other conditions imposed by laws, regulations or the CAC.
Additionally, they must also obtain the specific consent of the individuals concerned and inform them of the identity and contact of the recipient, purpose and method of processing, the type of personal information being transferred and the rights of the individuals concerned.
On 29 October 2021, the CAC published the Draft Measures on Security Assessment of Cross-Border Data Transfer (Draft Data Transfer Measures) to provide more detailed rules on the security assessment requirements under the CSL, the DSL and the PIPL. The Draft Data Transfer Measures, if passed, will require data processors meeting one of the following conditions to pass security assessment before exporting data outside the territory of mainland China:
- data processors that handle personal information and important data collected and produced by CIIOs;
- data processors that export important data;
- personal data processors that have processed personal information of more than one million persons;
- data processors that have cumulatively exported personal information of 100,000 persons or more, or have cumulatively exported sensitive personal data of 10,000 persons or more;
- data processors that fall within other circumstances as provided by the CAC.
Apart from the above restrictions, the DSL and the PIPL also prohibit the provision of data and/or personal data stored in mainland China to any foreign judicial or enforcement authorities without the approval of the relevant mainland China authorities. There is a similar prohibition in the Securities Law (2019 Revision) against the export of documents and information relating to securities business activities overseas without the approval of the China Securities Regulatory Commission.
Which industries’ data are relatively more sensitive?
Organizations can take guidance from the DSL, the CSL, the PIPL and their implementing measures on the type of data that is more sensitive and the industries that are likely to have such data.
The DSL defines data that is closely related to national security, economic development, people’s livelihood or public interest as national core data (and hence require more stringent protection). While the DSL does not specifically define important data, it expressly mandates the need to strengthen protection to important data. Organizations could turn to the Draft Implementing Measures on Data Security Management (Draft Measures)  for reference as it defines important data as data that may directly affect national security, economic security, social stability, public health and safety. Examples include non-publicized government information and significant volumes of data related to population, genetics and health care, geographic, and/or mineral resources.
The CSL, together with the Regulations on Critical Information Infrastructure Security Protection (CII Regulations) (which took effect on 1 September 2021) , specify network operators in the following industries to be CIIOs, signifying the sensitivity of the data they hold: public communication and information services, energy, transport, water, finance, public services, e-government, defence technology  etc.; and other industries with facilities which, if destroyed, functionalities, which if lost, or data, which if leaked, would seriously harm state security, national economy, and people’s livelihood, and/or public interest.
The PIPL also identifies certain types of personal information as being sensitive personal information. These include personal information that, once disclosed or used illegally, may easily cause harm to the dignity, security of individuals or their property. Examples include biometric characteristics, religious beliefs, special designation, health and medical record, financial accounts, location tracking information and the personal information of minors who are under the age of 14.
How should organizations prepare themselves?
The recent introduction of the DSL and the PIPL, when taken together with the CSL, now gives mainland China a comprehensive data protection regime governing the entire data cycle of businesses operating in mainland China. Organizations should closely monitor the implementation of the laws over time through implementation rules as well as enforcement actions. Now that industry regulators (which is also known as “Protection Departments”) are delegated with the power to formulate the implementing rules for the identification of CII, organizations should closely monitor these implementation rules and assess whether their operations will fall under a CII classification. Further, it is essential for organizations, especially those engaged in cross-border operations, to devise and implement a comprehensive data governance framework to ensure compliance amidst the evolving regulatory landscape.