Cross-border Transfer of Data under the Personal Information Protection Law of the Mainland

The Personal Information Protection Law (PIPL) of the Mainland, which became effective on 1 November 2021, is the first piece of legislation dedicated to the protection of personal information in the Mainland. As the PIPL imposes requirements on the transfer of personal information from the Mainland to other jurisdictions, this article attempts to highlight the rules and the more salient requirements for businesses in Hong Kong.

The PIPL, which reflects latest international standards in the area, signifies a milestone in the data protection landscape of the Mainland. Among the noticeable provisions of the PIPL are the rules on cross-border transfer of personal information. Hong Kong businesses, especially those carrying out personal information processing activities in the Mainland, would need to understand, and comply with, the rules.

Prerequisites for Cross-Border Data Transfer under the PIPL

To start with, processors of personal information in the Mainland who wish to transfer personal information out of the Mainland are required to seek separate consent from the data subjects involved and conduct personal information protection impact assessments pursuant to Articles 39 and 55 of the PIPL, respectively. The processors must also fulfil one of the following conditions specified in Article 38 of the PIPL: (i) passing the security assessment conducted by the cyberspace administration authorities of China; (ii) obtaining certification of personal information protection issued by professional institutions; (iii) entering into standard contracts issued by the cyberspace administration authorities of China; or (iv) other conditions as specified in the Mainland laws and regulations.

It appears from the remarks made by officials of relevant authorities that ‘separate consent’ refers to consent obtained specifically for a particular data processing activity. In other words, bundled consent given for multiple data processing activities may not be valid.

Notwithstanding that particulars of the impact assessment, security assessment, certification and the terms of standard contracts are yet to be promulgated by the cyberspace administration authorities of China, processors of data may make reference to a consultation document, namely, the Draft Measures on Security Assessment of Cross-border Data Transfer (Draft Measures) published by the Cyberspace Administration of China on 29 October 2021 on the possible rules involved.

While the consultation period for the Draft Measures concluded on 28 November 2021, the Draft Measures would likely be finalised thereafter to facilitate cross-border transfer of personal information under the PIPL.

Article 5 of the Draft Measures stipulates that a processor of data should conduct a self-assessment of the risks of transfer before transferring data out of the Mainland. The self-assessment should focus on a number of specified areas, including, for example, (i) the legality, righteousness and necessity of the data transfer; (ii) the quantity and sensitivity of the data involved; (iii) the measures adopted by the processor to safeguard the security of the data; and (iv) the competence of the data recipient in protecting the data.

Article 9 of the Draft Measures also sets out the clauses prescribed for a data transfer contract, such as clauses relating to (i) the allowable use of the data by the recipient; (ii) the location of data storage; (iii) the retention period of the data, and restrictions on onward transfer of the data; and (iv) the handling of data breach incidents.

Additional Requirements for Operators of Critical Information Infrastructure

More stringent requirements apply to the operators of critical information infrastructure and specified categories of processors, including, for example, processors processing personal information reaching a prescribed amount, namely information of one million individuals according to the Draft Measures. Pursuant to Article 40 of the PIPL, these types of processors are required to store personal information in the Mainland. If there is a need to transfer personal information out of the Mainland, they must pass the security assessment conducted by the cyberspace administration authorities of China, except where an exemption is granted under other laws or regulations.

Although the definition of what constitutes “critical information infrastructures” is not provided for in the PIPL, it appears that processors of data may refer to the Regulations on the Security Protection of Critical Information Infrastructure (CII Regulation) published by the State Council in July 2021 for guidance. Article 2 of the CII Regulation defines CII as important network facilities and information systems of core industries and areas, such as public communication and information services, energy, transportation, water supplies, financial services, public services, electronic government services and national defence industries, as well as other network facilities and information systems that may seriously threaten national security, national economy, people’s livelihoods and public interests in the event of damage, loss of function or data breach.

Additional Requirements for Data Processors Listed in Other Jurisdictions

On 14 November 2021, the Cyberspace Administration of China published the Draft Regulation on the Management of Data Security (Draft Regulation) which seeks to impose additional requirements on data processors listed or planning to list in other jurisdictions. Pursuant to Article 13 of the Draft Regulation, both (i) data processors which process personal information of over one million individuals and seek to list in other jurisdictions; and (ii) data processors which seek to list in Hong Kong and whose listing affects or may affect national security are required to report on their cybersecurity reviews. Meanwhile, Article 32 of the Draft Regulation requires data processors listed in other jurisdictions to carry out data security assessment annually, and submit the report to the cyberspace administration authorities of China before 31 January each year. The consultation period for the Draft Regulation will end on 13 December 2021.

Penalties

It is noteworthy that violation of the requirements under the PIPL carries a maximum fine of RMB 50 million or 5% of the annual turnover of the entity for the preceding year. The personal information protection authorities may also order suspension of business, or revoke business permits or licenses, among other administrative penalties (Article 66 of the PIPL).

To enhance public understanding of the PIPL, my office has recently published a booklet on the PIPL. The booklet is available in hard copy and assessable at: https://www.pcpd.org.hk/tc_chi/resources_centre/publications/books/files/pcpd_china_pipl_book2021.pdf

Jurisdictions

Privacy Commissioner for Personal Data

Ada was appointed as the Privacy Commissioner for Personal Data of Hong Kong in September 2020.

Ada was qualified as a barrister-at-law and a Certified Public Accountant. She has solid legal expertise and abundant administrative experience. Before her appointment as the Privacy Commissioner, Ada was the Registrar of Companies and had held various posts in the Department of Justice, including the Deputy Law Officer (Civil Law). In her role as the Registrar of Companies, she contributed significantly to the rewrite of the Companies Ordinance in Hong Kong and she spearheaded the implementation of the new Companies Ordinance in Hong Kong.