Do I need permission to transfer Chinese citizen PI data across borders?
The Cyberspace Administration of China (CAC) has finally released guidelines for how to apply for permission to transmit Chinese citizen personal information (PI) across the country's borders. Companies seeking to transfer PI or other “important” data gathered from citizens in China may need to take a number of steps in order to get official approval, depending on the amount of data they wish to transmit. This approval process includes a security review, certification for PI protection, a contractual agreement with the foreign corporate recipient of the PI, among other requirements.
But before you begin a potentially costly application process, first you should determine: do you need permission to transfer PI across Chinese borders?
1) Are you a Critical Information Infrastructure Operator (CIIO)?
The most important thing to know about your company's status within the legal framework established by the Chinese 2021 PIPL data privacy laws is whether or not you would be considered a CIIO.
The regulations define CII as companies handling data from “important industries or fields”, including but not limited to the following:
- Public communication and information services
- Energy
- Transport
- Water
- Finance
- Public services
- E-government services
- National defense
- Any other important network facilities or information systems that may seriously harm national security, the national economy and people’s livelihoods, or public interest in the event of incapacitation, damage, or data leaks.
Companies involved in the above sectors are CII operators, and will need to apply for special permission to transfer any data outside of China.
For other sectors however, the regulations are less definitive. In particular, the loose language around “any other important network facilities or information systems” has been interpreted to include major online service companies, such as the ride-hailing platform Didi, which found itself ensnared by the new regulations for billions in fines.
2) How much Personal Information do you process?
The second primary indicator as to whether you'll need to apply for special permission is how much data you are handling.
Specifically:
- if you process the PI of more than 1 million people
- if you have transmitted the PI of more than 100k people out of China since January 2021
- if you have transmitted the Sensitive PI of more than 10k people out of China since January 2021
Under those scenarios you will need to apply for permissions.
If you do not find that the types of data you handle or industries you serve, or sheer volume of data transfers, crosses the definitions above - that's good news. You can simply use a contract that ensures PIPL compliance and no further special oversight is needed.
If you aren't sure, consult an expert. The penalties for non-compliance are steep and Didi is a prime example of just how costly misunderstanding the rules and regulations can be.
Need help with your data strategy? Nuna Network is here for you. We’re the partner of choice and go-to resource for businesses or individuals seeking guidance in researching, developing, and establishing bespoke data solutions with over 180+ million companies indexed across 55+ data points. Feel free to reach out to a Nuna Network data expert to discuss further.
Nuna Network offers more than a one-time report, but a range of validation, verification, and diligence services that help you determine the authenticity of a Chinese company. Check out our valuable guides, helpful tips, and other practical information to help you navigate the complex landscape of Chinese Businesses.