By Amigo L. Xie
2023 is destined to be a big year for the hottest issues under the China Personal Information Protection Law (PIPL) for MNCs doing business in or with China, especially in the areas of cross-border personal data transfers, localization, compliance, and enforcement.
It is worth noting the following milestones in your timeline for China data privacy compliance in 2023:
- On February 24, 2023, the Cyberspace Administration of China (CAC) released the long-awaited final version of the China standard contractual clauses (China SCCs). Please see the official Chinese announcement here and the English news here. The draft China SCCs had been released for public comment back on June 30, 2022. With the release of the China SCCs, implementing rules for all three routes to transfer personal data from China to other jurisdictions under the PIPL are now available:
  - The national security review (CAC Assessment);
  - The certification by licensed institutions (Binding Corporate Rules); and
  - The China SCCs.
- On February 28, 2023, the grace period under the CAC Assessment expired. This means that any personal data transfer by a CIIO or a large-scale personal data handler, or any transfer of large-scale personal data from China, cannot be made until the CAC Assessment has been obtained. However, the approval process has been slow, with authorities having approved only two cases so far: Beijing Friendship Hospital and Air China. It is reported that regulators have now taken a more practical approach and eased the deadline for MNCs. See here.
- On June 1, 2023, the China SCCs are required to be put in place if this route is used for a cross-border personal data transfer from China.
- On November 30, 2023, the 6-month grace period allowing companies to bring cross-border personal data transfer activities conducted through a personal data transfer agreement into compliance will expire.