Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 24
to prepare and maintain a record of processing
under PIPL, but we are finding that in
practice a data inventory is essential to
effective compliance.
Data breach notification:
When a data breach occurs, remedial
measures must be immediately adopted. The
corresponding government departments and
the affected individuals must be notified in the
manner prescribed under PIPL.
Revenue-based fines:
Under PIPL, fines of up to RMB 1,000,000 could
be imposed on personal data handlers, with
fines of RMB 10,000 to 100,000 imposed on
responsible individuals. In more serious cases,
the fine could be increased to RMB 50,000,000
or 5% of the organisation’s annual revenue in
the preceding year, with fines of RMB
100,000 to 1,000,000 imposed on
responsible individuals.
Cross-border data transfer regulation
On March 22, 2024, CAC finalised the CBDT
Provisions, which refreshed the thresholds for
Data Transfer Review and introduced a number
of exemptions from China's restrictions on
cross-border personal data flows.
With CBDT Provisions taking effect, CAC
Security Assessments (the most rigorous form
of Data Transfer Review) will only apply to data
transfers undertaken:
· By CIIOs transferring any personal data
or important data collected and generated
within China; and
· By organisations other than CIIOs that,
from January 1 of the current year, have
cumulatively made international transfers of
personal data (excluding sensitive personal
data) of more than one million individuals or
sensitive personal data of more than
10,000 individuals.
Organisations that have cumulatively
transferred non-sensitive personal data of more
than 100,000 but less than 1 million individuals
or transferred sensitive personal data of
less than 10,000 individuals are required to
complete one of the other two forms of Data
Transfer Review: i.e., either obtaining a Third
Party Certification or entering into and
filing SCCs.
With respect to important data, as mentioned
above, unless industry regulators or other
officials have published or notified industry
participants of a particular type of data as being
important data, the CAC Security Assessment
procedure will not apply.
In addition to making adjustments to the
thresholds for Data Transfer Review, the CBDT
Provisions also introduced some exemption
scenarios for Data Transfer Review:
No personal data or important data:
Data exported in the course of activities such
as international trade, academic cooperation,
cross-border transportation, and cross-border
manufacturing and marketing is exempted,
provided that it contains no personal data or
important data.
Offshore data:
Personal data collected and generated overseas
and subsequently transferred to China for
processing would be exempted, provided
that no domestic personal data or important
data is introduced during the processing
(an exemption that is most likely meant to
address situations in which China-based
shared services operations and outsourcing
arrangements process data originating from
outside mainland China).
Contractual necessity:
Where it is necessary to provide personal data
overseas for the conclusion or performance of a
contract to which the data subject is an interested
party, including cross-border shopping, cross-border