On August 20, 2021, the Standing Committee of the National People’s Congress adopted the Personal Information Protection Law of the People’s Republic of China (the “Personal Information Protection Law”). The Personal Information Protection Law will become effective on November 1, 2021, and will then, together with the Cybersecurity Law of the People’s Republic of China (the “Cybersecurity Law”) and the Data Security Law of the People’s Republic of China (which will become effective on September 1, 2021, the “Data Security Law”), form the foundation of the data security legal regime of China.
In this article, we will highlight and explain certain provisions of the Personal Information Protection Law which are particularly relevant to cross-border transfer of personal information.
- Extraterritorial Jurisdiction
The Personal Information Protection Law, like the Data Security Law, will apply extraterritorial jurisdiction under certain circumstances.
Article 2 of the Data Security Law provides that those who conduct data processing activities outside the territory of China to the detriment of the national security, public interest or the lawful rights and interests of citizens and organizations of China shall be held legally liable in accordance with the law.
Article 3 of the Personal Information Protection Law specifies three situations under which extraterritorial jurisdiction may be applied, including:
(1) for the purpose of providing products or services to natural persons located domestically;
(2) to analyze and evaluate the behavior of natural persons located domestically;
(3) other situations provided by laws and administrative regulations.
- “Person in Charge” Policy
According to the Personal Information Protection Law, domestic and foreign information processors who process more than a certain amount of information shall be required to have a “person in charge” or “specialized institution and designated representative”.
Specifically, Article 53 of the Personal Information Protection Law provides that a processor of personal information outside China shall have an institution or a designated representative in China to handle matters related to the protection of personal information, and shall submit the name of the institution or the name and contact information of the representative to the relevant government authority.
- Cross-Border Transmission and Security Assessment
The Personal Information Protection Law prohibits cross-border transmission of personal information by an entity, except when one of the conditions listed in Article 38 thereof is met; such conditions include:
(1) such entity has passed the security assessment organized by the relevant government authority;
(2) such entity has received the personal information protection certification of professional institutions;
(3) such entity has entered into a contract with the overseas recipient of the personal information in accordance with the standard contract formulated by the relevant government authority, specifying the rights and obligations of both parties;
(4) such entity has met other conditions specified by laws, administrative regulations or the relevant government authority.
Notwithstanding the above, it should be noted that when the processor of the personal information falls within the definition of “the operator of key information infrastructure” or the amount of personal information processed reaches certain thresholds specified by the relevant government authority, the first condition listed above will be a mandatory requirement (i.e. such entity must pass the security assessment).
- Sanction List
Section III of the Personal Information Protection Law states that if a foreign organization or individual is engaged in personal information processing activities that infringe on the rights and interests of the citizens of China or endanger the national security or public interests of China, the relevant government authority may include them in “a list of persons who are restricted or prohibited for personal information transmission”, and take measures to restrict or prohibit providing personal information to them.
All in all, the publication of the Personal Information Protection Law will undoubtedly have a profound impact on the personal information protection practices of the Internet industry, information technology industry, and other industries that process and store personal information. It will also bring new challenges to multinational companies, and we expect that the ability to stay compliant with the Personal Information Protection Law will become an important corporate governance goal for multinationals in China and even globally.