Cross-border Data Transfer in China

However, companies have quickly discovered that there are sometimes considerable differences between the requirements of EU laws and the Chinese law. This is evident, among other things, in the area of cross-border data transfer. The permissible grounds available under the EU GDPR for exporting personal data (in particular adequacy decision, binding corporate rules or standard data protection clauses in contracts) do not apply to international data transfers from China. Instead, the PIPL provides for its own, much shorter catalogue of per­missible grounds for outbound data transfer. This includes an official security review, officially recognized certifications, standard contractual clauses and other reasons according to Chinese laws and regulations. Furthermore, unlike under EU data protection law, companies transferring data out of China have to direct their focus not only on personal information but must include data of any kind in their risk assessment, regardless of whether this data is related to an identified or identifiable person or not. With the EU Data Governance Act coming into force on 24 September 2023, companies will face additional challenges, especially with regard to the international transfer of non-personal data.

 

In most cases, data mapping and risk analyses can help to identify cross-border data flows, spot existing vul­ne­ra­bilities at an early stage and take appropriate measures to remedy them quickly. Unfortunately, Chinese lawmakers had so far left companies largely in the dark about what exactly needs to be done to transfer data between China and abroad in a legally compliant manner. Hope for a little more legal clarity has been created by various recent developments, which we would like to briefly present in a four-part series of articles: