Tech & Sourcing @ Morgan Lewis


As part of our Spotlight series, we welcome Todd Liao, a partner in our Shanghai office who works with clients on a wide range of complex commercial and financial transactions and legal issues involving China. Todd is a thought leader on issues facing tech firms doing business in China, recently publishing articles on new measures for online advertising in China, data privacy, and key drivers of Asia’s tech scene. We caught up with Todd to discuss data privacy regulations in China and cross-border data transfers.

1. Todd, thanks for joining us. As a leading authority on China privacy regulations, can you tell us what the key existing and pending privacy regulations are in China today?

China has garnered significant attention in terms of its privacy and security legislation in recent years. For multinational corporations operating in China, the three most pivotal legal frameworks governing data protection are the Cybersecurity Law (CSL), which took effect in 2017, the Data Security Law (DSL), and the Personal Information Protection Law (PIPL), both of which took effect in 2021. These laws lay out the legal framework of China in enhancing data protection supervision, specifically with respect to data that will impact national security and data security.

Government authorities, such as the Cyberspace Administration of China (CAC), have promulgated a myriad of regulations to effectuate the above-referenced laws. In addition, other government and semi-government agencies, such as China’s National Information Security Standardization Technical Committee, have also issued many national standards to provide further elucidation. Furthermore, additional implementing regulations and national standards are currently in the process of being drafted or are yet to be finalized.

In addition to the PIPL, CSL, and DSL, the following legal instruments form the foundation of the existing personal information protection framework in the People’s Republic of China:

  • Security Assessment Measures for Outbound Data Transfers, effective as of September 1, 2022
  • Implementing Rules for the Certification of Personal Information Protection, effective as of November 4, 2022
  • Measures for the Standard Contract for Outbound Transfer of Personal Information, which will take effect on June 1, 2023
  • Draft Regulation of Network Data Security Management, released for comments on November 14, 2021

Over the last five years, a deluge of implementing regulations and guidelines have been proposed, issued, or revised to explicate the concepts set forth in the personal information protection framework, including the following:

  • Guidelines on Internet Personal Information Security Protection, effective as of April 10, 2019
  • National Standard of Information Security Technology – Personal Information Security Specification, as amended and effective as of October 1, 2020
  • National Standard of Information Security Technology – Guidelines on Personal Information Security Impact Assessment, effective as of June 1, 2021
  • Guidelines on Application of Security Assessment of Cross-border Data Transfers (First Version), effective as of September 1, 2022
  • Practicing Guidelines for Network Security Standards – Technical Specification for Certification of Personal Information Cross-border Processing Activities (V2.0), effective as of December 16, 2022

Although the National Standards and other guidelines are technical guides and thus not legally binding, they have historically been highly persuasive. While the PIPL takes priority over the specifications and guidelines, the latter still perform an essential role in supplementing the existing legal framework, especially with respect to any aspect that has not been fully elucidated by the PIPL, CSL, or DSL.

2. That certainly seems like a complex web of standards to adhere to. How do you think these regulations will impact businesses doing business in or with China? What are the key “watch outs” to consider?

As regulations evolve, responding to changes has been of paramount concern for multinational corporations operating in China, particularly those whose daily business and operations are predominantly reliant on cross-border data transfers. Many multinational corporations construct their information infrastructure as a unified resource and employ a worldwide database for their daily activities.

It is imperative for businesses to ensure that they comply with the regulations. As a starting point, it would be prudent for multinational corporations to undertake a data health review or data mapping project to gain an understanding of the nature, volume, and stakeholders of their data processed in China.

With this information, they can develop a sound strategy and seek expert advice on how to balance compliance risks for data governance in China with considerations of international compliance interests, such as conflicts of law and long-term feasibility.

Subsequently, appropriate remedial actions, such as appointing a data protection officer, formulating data protection policies and procedures, and implementing technical and organizational measures, must be taken to bring their practices in line with the new legal requirements.

Businesses must also be cognizant of the fact that the enforcement of these laws is expected to be rigorous, with significant penalties for noncompliance. Violations may lead to severe fines, reputational harm, and even suspension of business operations. Given the broad ambit of these laws, including the extraterritorial jurisdiction, businesses must ensure compliance if they collect data from China even if they do not have entities in the country.

In light of these circumstances, it is advisable for businesses to engage experienced legal counsel to navigate the evolving regulatory landscape and adopt proactive measures to protect personal information in alignment with the legal framework.

3. What can companies do when it comes to cross-border data transfer?

According to the Security Assessment Measures for Outbound Data Transfers, a data handler (a concept similar to a data controller under the EU General Data Protection Regulation) must declare a security assessment for its outbound data transfer to the CAC if any of the following thresholds are met:

  • Where a data handler provides important data abroad
  • Where a critical information infrastructure operator or a data handler processing the personal information of more than 1 million people provides personal information abroad
  • Where a data handler has provided personal information of 100,000 people or sensitive personal information of 10,000 people in total abroad since January 1 of the previous year
  • Other circumstances prescribed by the CAC for which declaration for security assessment for outbound data transfers is required

If the data handler does not meet any of the thresholds above for the security assessment, the data handler should follow one of two procedures before lawfully transferring personal information outside of China:

  • Enter into a data transfer agreement with the overseas data recipients based on the standard contract published by the CAC
  • Obtain a personal information cross-border transfer certification from a “qualified institution”

The definition of “transfer data abroad/outside China” includes not only the scenario where data collected and generated within China is transferred and stored outside of China, but also the scenario where an overseas entity or individual is granted the authority to access or use the data stored within China. Companies should evaluate their data processing practice and select one of those two routes for their cross-border data transfers.