Like the European GDPR, China has recently adopted a law to tighten the legislative framework governing the use of personal data within its territory. This law came into effect on November 1, 2021.

The law, titled the Personal Information Protection Law (PIPL), establishes the framework within which private companies operating in China can process personal data. As a result, certain data processing activities may require the consent of individuals for the collection of medical, financial, or location data. Similar to the GDPR, the PIPL also mandates the appointment of a data protection officer accountable to the competent authorities. However, it should be noted that the Chinese administration is not subject to this law, and the Chinese government will retain control over the processing of personal data by private companies. Foreign companies, particularly European ones, will need to pay special attention to this regulation when transferring and storing data in China, as the PIPL does not ensure an equivalent level of protection to the GDPR.

Beyond this new Chinese regulation, what should European companies do if they wish to transfer their data abroad, particularly to China? How does this interact with the GDPR?


Data Transfers: What Does It Mean?

According to the CNIL (French Data Protection Authority), data transfer refers to “any communication, copy, or movement of personal data intended to be processed by a third party outside the European Union (EU).”

It is important to note that transferring data outside of the European Union (EU) and the European Economic Area (EEA) is possible, provided that an adequate and appropriate level of data protection is ensured. These transfers must be regulated using various legal tools.


Overview of Countries Where Data Can Be Hosted in Compliance with the GDPR

Currently, personal data can be transferred to third countries (outside the EU and the EEA) that provide an adequate level of protection for transferred personal data, according to the European Data Protection Board (EDPB).

By geographical area, the following countries are noted:

  • North America: Only Canada, through the Personal Information Protection and Electronic Documents Act (PIPEDA), has a regulation considered equivalent to the GDPR, allowing data transfers.
  • South America: Argentina (Ley de Acceso a la Información Pública, Protección de Datos Personales y el Registro Nacional "No Llame") and Uruguay (Ley N° 18.331 de Protección de Datos Personales y Acción de Habeas Data - LPDP) have legislation in line with the GDPR, with no restrictions.
  • Africa: No country has regulations that align with the GDPR.
  • Asia / Oceania: Israel (Privacy Protection Law), New Zealand (Privacy Act 2020), and Japan (Protection of Personal Information Act) have legislation in line with the GDPR.

For more information on personal data management in the UK since Brexit, see here.

If a company wants to transfer data to another state not on this list, it must implement mechanisms that ensure the equivalence of data protection.


Transferring Data to Countries with Protection Not Considered "Equivalent"

Several options are available for companies:

  • Binding Corporate Rules (BCRs)

Since August 2020, following the European Court of Justice's invalidation of the Privacy Shield (USA) under the GDPR, a new equivalence process has been established: Binding Corporate Rules (BCRs). These rules allow companies that are no longer covered by the Privacy Shield to process data from the EU and regulate these personal data transfers.

BCRs are internal rules applicable to all entities within a group and contain key principles to regulate data transfers.

Implementing these agreements can help justify a sufficient level of data protection for transferring personal data to countries without regulations aligned with the GDPR.

These BCRs must undergo an approval process by the competent personal data protection authorities: the national supervisory authorities and the European Data Protection Board (EDPB).

However, BCRs are not the only mechanisms to ensure the security of personal data storage by a host.

  • Standard Contractual Clauses (SCCs)

Another option is to implement Standard Contractual Clauses (SCCs) provided by the European Commission. The European Court of Justice (ECJ) confirmed in its ruling of July 16, 2020, the validity of SCCs for transferring data to a third country.

The SCC mechanism helps regulate personal data transfers made by data controllers to recipients located outside the EU without prior authorization from the CNIL (except for modified SCCs agreed upon by the parties).

However, it is important to emphasize that it is the responsibility of the parties to assess whether local regulations ensure the levels of protection defined in the SCCs.


Challenges of Outsourcing Personal Data

Outsourcing does not exempt a company from responsibility for the processing of personal data: the company remains jointly responsible for the processing. That is, if the company's subcontractor fails to meet its obligations, the company remains fully liable for the subcontractor's non-compliance. This is why the GDPR imposes the obligation to implement a framework for monitoring subcontractors.

The good practices recommended by the CNIL in this regard are:

  • Requiring the service provider to provide its information security policy (Information security and GDPR are inseparable pillars).
  • Ensuring and documenting the effectiveness of the guarantees provided by the subcontractor in terms of data protection. For example, the parties can implement the following measures (and formalize them contractually if necessary): security audits, facility visits, certifications from the organization, certifications of the DPO's qualifications.
  • It is also recommended that both the data controller and the subcontractor impose a contractual confidentiality obligation on their employees and ensure they are made aware of the key principles of data protection.
  • Finally, it is necessary to limit access to data only to authorized individuals based on their roles and to distinguish the different operations that can be performed on the data (viewing, modification, deletion, export, etc.).

It is essential to remain vigilant when transferring personal data from the EU to China, as well as to any country outside the EU. While mechanisms such as BCRs and Standard Contractual Clauses exist, they have significant limitations due to the highly heterogeneous legal context in different countries. As a result, it is difficult to guarantee a level of protection equivalent to the GDPR and, thus, to safely regulate the transfer of personal data to these third countries.

Therefore, for any transfer of personal data to these countries, it is important to carefully examine the mechanisms in place to guarantee and justify the security of the data and, if necessary, implement appropriate measures to comply with the provisions of the GDPR.