China PIPL Security Assessment: How to Comply
Is your business subject to China’s Personal Information Protection Law (PIPL)? Do you need to transfer the data of Chinese residents overseas?
If so, you must understand China’s PIPL security assessment and whether it applies to you. Failing to do so may mean risking financial, operational, and reputational penalties.
This article will help you find out if your business must perform a security assessment under China’s law. We'll also walk you through the process step-by-step to achieve compliance seamlessly.
Let’s get started!
- The PIPL was enacted to strengthen data privacy and security in China as well as align China’s data protection with global standards.
- If your business engages in cross-border data transfers and meets certain thresholds, you must perform a security assessment under the PIPL.
- Failing to conduct a security assessment may result in administrative, civil, or even criminal penalties under China’s law.
What is China's PIPL?
The PIPL is a comprehensive data privacy law that was approved by China's National People's Congress on August 20, 2021, and took effect on November 1, 2021.
This landmark regulation is enforced by China's top cybersecurity regulator—the Cyberspace Administration of China (CAC)—and other relevant government agencies.
The PIPL is connected with and builds upon two other important laws:
Together, these laws form China's overarching framework for cybersecurity and data protection. They each address specific aspects, ensuring a comprehensive approach to Chinese data governance and security.
The PIPL gives Chinese residents several rights over their personal information (PI) while imposing stringent obligations on businesses that handle such data (regardless of their physical location).
Among other PIPL requirements, businesses must limit data usage to defined purposes, observe data localization obligations, and implement robust security measures to protect data from unauthorized access and breaches.
While China’s PIPL is often compared with the EU’s GDPR, the PIPL differs and, in some instances, goes beyond the GDPR’s strict provisions—case in point: the PIPL’s security assessment requirement.
What is China’s PIPL Security Assessment?
A unique requirement introduced under the PIPL is that businesses conduct a security assessment before transferring personal information out of China.
Specifically, Article 40 of the PIPL requires certain “personal information handlers” and “critical information infrastructure operators (CIIOs)” who need to transfer data overseas to pass a security assessment administered by the CAC.
This assessment ensures that the foreign recipient of personal information has adequate security safeguards to protect it.
Before looking at the specific criteria for conducting security assessments and how you can comply, it’s important first to understand how certain terms are defined under China’s law.
Key Definitions Under China’s PIPL
Like most data protection laws, China's PIPL provides its own specific meaning to standard data protection terms while introducing a few of its own.
Some of the most important ones are as follows:
- Personal Information.): The PIPL defines personal information as any data related to an identifiable individual, excluding anonymized data. It encompasses a wide range of data (electronic or otherwise), including names, email addresses, phone numbers, etc.
- Sensitive Personal Information (SPI): Under the PIPL, SPI is any data that, if leaked or misused, could infringe upon an individual's dignity or jeopardize personal or property safety.
This data category includes biometrics, religious beliefs, health records, financial details, location tracking, and any personal data of a minor under 14.
- Important Data: Unlike previous data types, ‘important data’ wasn’t addressed under the PIPL but rather by the CSL and DSL.
In short, ‘important data’ is any data that, if altered, compromised, leaked, or accessed without authorization, could threaten national security, economic activities, social stability, public health, and safety.
- Personal Information Handler: Under the PIPL, a personal information handler (or ‘PI handler') is any individual or business that independently decides the purposes and means of handling personal information. PI handlers are essentially data controllers under the GDPR.
- Critical Information Infrastructure Operator (CIIO): A CIIO is a business entity that manages vital network facilities and information systems in sectors like public telecommunication, energy, transportation, finance, e-government, and defense technologies.
CIIOs are especially important because any damage they suffer could significantly impact national security, economy, livelihood, and public welfare.
Who Needs a Security Assessment Under China’s PIPL?
As mentioned, the PIPL requires PI handlers and CIIOs who meet certain thresholds to conduct a security assessment before exporting data overseas.
In particular, security assessments are necessary for the following instances:
- The export of 'important data' outside China
- PI export by a CIIO or a PI handler who has processed the personal information of over 1,000,000 people
- PI export by a PI handler who has cumulatively transferred the personal information of over 100,000 people or SPI of over 10,000 people since the previous year
- Other circumstances, as specified by the CAC
How to Conduct a Security Assessment Under China’s PIPL
To help businesses correctly interpret and perform security assessments, the CAC released the Measures for the Security Assessment of Data Exports (or ‘Security Assessments Measures’).
This comprehensive guide explains how PI handlers and CIIOs can adequately conduct a security assessment under the PIPL. Let’s take a look.
The security assessment measures require PI handlers first to perform self-assessments of their data exports. Notably, self-assessments are quite similar to the GDPR’s Data Protection Impact Assessments (DPIAs).
To perform a self-assessment, Article 5 of the security assessment measures requires PI handlers to consider the following:
- The legality, appropriateness, and necessity of the purpose, methods, scope, etc, of exporting data and of the foreign recipient’s data practices
- The scale, types, sensitivity, and potential risks linked to national security, public interests, and individuals' rights due to PI export
- The foreign recipient’s obligations and their ability to ensure data security through effective management and technical measures
- The risks of data leakage, alteration, loss, destruction, or illegal access after export and the effectiveness of mechanisms for preserving individuals’ rights and interests over their personal information
- Whether contracts or other legally binding agreements with the foreign recipient sufficiently outline their data security responsibilities
- Any additional factors that may affect the security of data during its export
Application for Security Assessment
After the self-assessment, you’ll need to take a few more steps to ensure validation at the CAC's national level. Let’s briefly examine them:
Data Processing Agreements (DPAs)
Under Article 9, the security assessment measures require PI handlers to establish clear legal documents (i.e., DPAs) that spell out the obligations of foreign recipients.
The contents of these DPAs are identical to the GDPRs, save for a few slight differences. Your DPA should at least include the following:
- The scope of data, the purposes and methods, how it will be used by the foreign recipient, etc
- Where the data will be stored overseas, for how long, and how it will be managed once the agreed purposes are completed, or the legal documents expire
- Terms to restrict the foreign recipient from transferring the exported data to other parties
- Security measures to accommodate changes in the foreign recipient's authority, operational scope, regulations, or cybersecurity landscape of their location
- Consequences for breaching terms in the legal documents, along with dispute resolution methods
- Steps for appropriate emergency response and channels for individuals to protect their personal information in case of risks like data alteration, destruction, leakage, loss, or unauthorized use
Relevant Materials and Timeframes
Once your self-assessment and DPAs are complete, you'll need to prepare and submit the necessary documents for review at the CAC's provincial and national levels.
In particular, you’ll need to provide the following:
- A written statement confirming the export
- A detailed self-assessment report
- DPAs or other legal agreements between you and the foreign recipient
- Any additional materials necessary for the security assessment
After submitting the above, the provincial-level CAC will evaluate the completeness of your security assessment application within five working days. If they find everything in order, they'll forward it to the national-level CAC for further consideration.
The national-level CAC will then decide whether to accept your application within seven working days. If accepted, they’ll complete your assessment within at least 45 working days from the date of acceptance and communicate the results to you in writing.
If you disagree with the results, you can formally request a reassessment within 15 working days, the results of which will be final.
Note that your assessment results are valid for two years. However, if critical factors relevant to the security assessment change, you'll need to reapply for a new security assessment.
Penalties for Violating the Security Assessment Measures
Article 18 of the security assessment measures stipulates that violations will be regulated jointly by the PIPL, DSL, and CSL.
Accordingly, violations may result in administrative penalties, including:
- Fines of up to RMB 50 million or 5% of your company's most recent annual revenues
- Forfeiture of any illegal gains
- Suspension of business operations
- Revocation of business licenses
- Fines of up to RMB 1 million for individuals directly responsible for violations
Note: Severe violations that breach public security administration could lead to criminal liability, including imprisonment under China’s law.
After familiarizing yourself with China's PIPL security assessment, you're now ready to begin your PIPL compliance journey—and that's where we come in.
At Captain Compliance, we specialize in helping businesses like yours navigate this complex regulatory environment confidently.
We offer tailored services to guide you through each phase of the PIPL’s security assessment, ensuring careful preparation and submission of application materials.
Our experts will help you streamline this process, saving you time and effort while maximizing the chances of a successful assessment.
Your compliance journey starts here. Get in touch today!
What is the purpose of China’s PIPL security assessment?
A China PIPL security assessment aims to ensure adequate protection for certain “high-risk” data transfers out of China. This assessment helps identify and address security risks in your activities as a personal information handler.
How do I conduct a self-assessment under the PIPL?
PIPL self-assessments are nearly identical to DPIAs under the GDPR. Although you can perform the assessment yourself, outsourcing to dedicated experts (like Captain Compliance) is advisable to ensure a hitch-free compliance journey.
Can I appeal the security assessment results if I disagree with them?
Yes, if you dispute the assessment results, you can file a request for reassessment to the national-level CAC within 15 working days. However, keep in mind that the reassessment decisions are final.
What are the consequences of non-compliance with the security assessment?
Non-compliance with the security assessment rules could result in a range of penalties, including fines, suspension of business operations, cancellation of licenses, and, in extreme cases, criminal liability.