The “Personal Information Protection Law” will come into effect on November 1, 2021

After ten years of discussion and several drafts, the “Personal Information Protection Law”, which has attracted wide attention, has finally been promulgated and will come into effect on November 1, 2021. As a special law regulating the protection of personal information (“PI”), the “Personal Information Protection Law” sets out relatively comprehensive and systematic articles for the protection of “PI”. Although some articles need to be clarified or refined, in view of the recent legislative background and individual cases, and in order to reduce legal risks, we recommend that enterprises conduct a comprehensive self-review on the basis of this law.

Due to space limitations, we introduce only the content related to cross-border “PI”. The issues related to cross-border “PI” involve two parties: the provider and the overseas recipient. In practice, the former is usually the latter’s affiliated company in mainland China.

First of all, providers need to review the prerequisites for providing “PI” abroad, the forbidden circumstances, the procedures for providing it, and so on. These rules are listed as follows:

1. Prerequisites (at least one must be met), “Article 38”

(1) The provider shall have been certified by a specialized agency for protection of “PI” in accordance with the provisions of the Cyberspace Administration of China (“CAC”);

(2) The provider shall enter into a contract with the overseas recipient under the standard contract formulated by “CAC”, specifying the rights and obligations of both parties;

(3) Critical information infrastructure operators and “PI” processors whose quantity of processing of “PI” reaches that as prescribed by “CAC” shall pass the security evaluation organized by “CAC”; where the laws, administrative regulations and the provisions of the CAC stipulate that security evaluation is not required, such stipulation shall prevail.

2. Forbidden circumstances, “Articles 41-43”

(1) Without the approval of the competent authorities of PRC, no processor may provide “PI” stored within the territory of PRC to foreign judicial or law enforcement authorities.

(2) The recipient has been listed in the negative name list in accordance with Article 42;

(3) Any country or region takes discriminatory prohibitive, restrictive or other similar measures against PRC in terms of protection of “PI”.

3. Cross-border procedures, “Articles 39, 55, 56 and 38”

(1) Inform + Separate Consent

The informed items include: the name of the recipient, contact information, purpose and method of processing, type of “PI” and the method and procedure for the individual to exercise the rights stipulated herein against the recipient.

(2) An impact assessment on “PI” protection shall be conducted beforehand, and a record of the handling shall be kept. The impact assessment report and records of handling shall be kept for at least three years.

An impact assessment report shall include:

(I) Whether the purpose and method of processing “PI” are lawful, legitimate, and necessary;

(II) The impact on personal rights and interests and security risks; and

(III) Whether the protection measures taken are lawful, effective and commensurate with the degree of risks.

The processor shall take necessary measures to ensure that the activities of processing “PI” by the overseas recipient meet the standards for protection of “PI”.

Second, according to Article 3, the law applies to two kinds of “PI” processing that take place overseas. The first is where the purpose is to provide domestic natural persons with products or services. The second is where the activities of domestic natural persons are analyzed and evaluated. Therefore, if the recipient engages in such processing, it shall abide by this law in the following two respects:

(1) Regarding the responsibilities, according to Article 53, the recipient shall establish a special agency or designate a representative within the territory of PRC to be responsible for handling matters relating to “PI” protection, and submit the name and contact information of the relevant agency or the representative to the authorities performing duties of “PI” protection.

(2) Regarding the liabilities, according to Article 42, where an overseas organization or individual engages in “PI” processing activities infringing upon “PI” rights and interests of citizens of PRC or endangering the national security and public interests of PRC, CAC may include such organization or individual in the list of subjects to whom provision of “PI” is restricted or prohibited, announce the same, and take measures such as restricting or prohibiting provision of “PI” to such organization or individual.

Although there is a dispute as to whether the above-mentioned articles involve “Long-arm Jurisdiction”, and it is still unclear how those articles will be enforced, from the perspective of legislative intent it is speculated that the authority could indirectly administer the overseas recipient by applying Article 38, as the processor shall take necessary measures to ensure that the activities of processing “PI” by the overseas recipient meet the standards for protection of “PI”.