A MoFo Privacy Minute Q&A: China PIPL Edition
Has CAC Clarified the Volume Threshold for a PI Handler to Become Subject to the Data Localization Requirement of PIPL?
This is the first installment of our new A MoFo Privacy Minute Q&A: China PIPL Edition, where we answer questions about China’s Personal Information Protection Law (PIPL) in sixty seconds or less.
Question: Has CAC issued any guidance on what makes a business a “mass volume PI handler” for purposes of the data localization requirement of PIPL? Also, if a PI handler that already exports PI to overseas recipients (e.g., a PRC subsidiary transferring PI to its overseas parent) is later determined to be a mass volume PI handler, will it have to build a local instance of the database in China before it continues to export PI overseas?
Answer: Article 40 of PIPL stipulates that the following kinds of businesses must store in China the personal information (PI) that they collect or generate in China: (a) PI handlers (broadly akin to “controllers” in GDPR parlance) that handle a volume of PI exceeding the threshold prescribed by the Cyberspace Administration of China (CAC) (a “mass volume PI handler”) and (b) critical information infrastructure operators.
CAC has not yet issued any clear guidance on the volume of PI that a business must handle to be regulated as a mass volume PI handler. That said, it is widely anticipated that PI of more than one million individuals will likely be set as the volume threshold.
CAC has also not yet clarified what specific localization arrangements will satisfy PIPL’s data localization requirement. A “soft localization” arrangement (i.e., keeping a mirror copy of the PI in China) may work for now, but CAC could mandate “hard localization” (i.e., requiring that the PI is stored in China before it is exported) through CAC’s implementation rules or enforcement activities in the future. For now, some PI handlers that anticipate being regulated as mass volume PI handlers are taking a wait-and-see approach and continuing with soft localization arrangements. Regardless, businesses do need to ensure that PI exports are undertaken pursuant to the security assessment mechanism (see our client alert for more detail). We recommend that companies monitor both regulatory guidance and evolving market practice with regard to these open questions.
Visit our newly launched China Privacy and Data Security Resource Center to stay up to date on legal and business analysis related to the latest China privacy and data topics. Explore our Privacy + Data Security page for additional information from our Privacy Library and Resource Centers for Cybersecurity, U.S. State Privacy Laws, and the GDPR + European Privacy.