The New PRC Data Protection Laws Elevates Data Protection Into The Realm Of National Security
China is poised to significantly update its current data-protection legal and regulatory framework by the upcoming passage of two new key laws: 1) The PRC Personal Information Protection Law (PIPL); and 2) The PRC Data Security Law (DSL).
The PIPL and DSL will have a wide-ranging impact on current data regulation practices, key among which will be the changes in which these laws regulate the cross-border transfer of data, particularly where such transfer is to foreign authorities or for foreign investigations or judicial proceedings.
Cross-Border Data Transfers
Similar to other laws already on the books in China, the new PRC Data Protection Laws will require approval from the relevant Chinese authorities prior to conducting a cross-border data transfer to foreign judicial or enforcement authorities.
This mirrors China’s legislative trend to limit long-arm jurisdiction overreach by foreign governments into China, strengthen its sovereignty by re-directing these requests to relevant treaties or diplomatic channels, and react to laws by Western nations such as the U.S. CLOUD Act.
Moreover, it also elevates personal information and data protection into the realm of national security, implying that China will apply more scrutiny to the regulation of these matters, and particularly the cross-border transfer of such data and information.
The linked article seeks to discuss the background of the PIPL and DSL, provide a basic overview of the pending laws, discuss restrictions in cross-border transfers, and finally offer some potential impacts and suggestions for those operating in China.