New FPF Report: Demystifying Data Localization in China – A Practical Guide
On February 21, 2022, FPF published a report detailing China’s data governance framework for data localization and cross-border transfers. The report outlines 10 steps organizations can take before deciding to localize or transfer data, with practical advice on how to carry out each of them. By examining provisions of relevant laws and administrative regulations passed by ministerial departments, it aims to give organizations a better understanding of how the transfers framework operates, the expectations of Chinese regulatory authorities with respect to such transfers, and the specific steps controllers can take for better compliance mapping. It is important to note that this report does not contain legal advice.
While the new data protection and data security legal framework solidified and added to pre-existing data localization requirements, it also clarified that data can be transferred or made accessible outside of China if specific conditions are met.
Under Chinese law, data localization is only required in certain circumstances framed around two distinct conceptual pillars: (1) which entity is processing the data; and (2) what type of data is being processed. With respect to the first pillar, certain special categories of controllers must store their data in China because of their importance to China’s national security and economy, and may only transfer data abroad with the approval of regulatory authorities. With respect to the second, controllers must store “important data” in China and obtain approval before transferring such data abroad.
In all other circumstances, controllers do not need to store data locally in China but must comply with other transfer requirements. Article 38 of the Personal Information Protection Law (PIPL) sets forth the conditions for lawfully transferring data. Once a controller chooses a transfer mechanism, it must comply with additional transparency obligations. Because the localization triggers and the transfer conditions sit in different statutes, both the PIPL and the Data Security Law (DSL) requirements must be taken into account when deciding whether to localize data or to transfer it.
In order to untangle this complex legal landscape, this Report proposes 10 steps that data controllers can take before deciding to localize or transfer data, with practical advice on how to carry them out:
Step 1 – Determine scope and when data is “transferred” overseas
Step 2 – Evaluate the type of data controller and whether it is a critical information infrastructure operator (CIIO) or a special controller
Step 3 – Determine the type of data to be transferred including whether it is important data
Step 4 – Evaluate whether a security assessment by the CAC is required
Step 5 – Determine whether a cybersecurity review is mandatory
Step 6 – Determine if an exception applies
Step 7 – Choose the transfer mechanism
Step 8 – Check whether an international treaty or agreement is applicable
Step 9 – Identify the obligations that apply to entrusted processors (委托处理)
Step 10 (bonus) – Determine whether the transfer is compelled by a foreign judicial or law enforcement body
The Report also contains an annexed Flowchart with a summary of the 10 steps.