Businesses Navigating Data Transfer Uncertainties by Balancing Compliance Necessity, Business Costs
December 18, 2020 | BY
Vincent ChowThe scope of China's cross-border personal information transfer regulatory regime is edging closer to being finalized, but businesses are in no rush to overhaul their data transfer practices
China's newly released draft PRC Personal Information Protection Law (PIPL) (中华人民共和国网络安全法) introduces two new mechanisms for transferring personal information overseas, taking elements of the European Union's General Data Protection Regulation (GDPR) to potentially reduce direct government involvement in the regulatory regime (read part one of our analysis here).
Companies in China have welcomed this development, but uncertainty remains surrounding the scope of the regulatory regime once it is finalized. In particular, the questions of what types of companies will be subject to security assessments should they seek to transfer personal information overseas, as well as what kinds of data transfer will be subject to scrutiny, remain unanswered. Given these lingering uncertainties, companies in China have mostly adopted a data processing strategy of localizing where possible while exporting where necessary.
This premium content is reserved for
China Law & Practice Subscribers.
A Premium Subscription Provides:
- A database of over 3,000 essential documents including key PRC legislation translated into English
- A choice of newsletters to alert you to changes affecting your business including sector specific updates
- Premium access to the mobile optimized site for timely analysis that guides you through China's ever-changing business environment
Already a subscriber? Log In Now