Channel: Feature Archives - The Singapore Law Gazette

Cross-border Conundrums: The Chinese Deep Dive Against a Home Team Perspective


This article will iron out the complexities surrounding China’s privacy laws on cross-border transfers and offer practical context on how to apply the law to your organisation’s business processes. The rules on cross-border transfers are multi-layered, not unlike our traditional local delight (lapis sagu or rainbow kueh). They need to be dissected, and the nuances need to be appreciated. But once you start peeling the layers, the rules become easy to navigate. The article also draws out a comparison with the cross-border transfer laws in Singapore.

  1. This author’s experience (both past and present) in heading the APAC data privacy functions in multi-national companies[1] has brought her closer to navigating the travails of cross-border personal data transfers. An in-house regional data privacy lawyer has two archetypal roles: (1) keep abreast of developments in privacy laws; (2) apply principles garnered from the said privacy laws to the inner machina of the lawyer’s organisation with a view to delivering practical business-oriented solutions.
  2. In the Asia-Pacific context, the countries with fledgling data privacy legislation are China and India. China has had variations of data security and cybersecurity legislation,[2] but all are either applicable to specific sectors or relevant to security of data. There are at least thirteen sets of Chinese legislation addressing consumer rights, privacy, and cybersecurity.[3] The Personal Information Protection Law (PIPL) is the first comprehensive data privacy legislation to encompass key GDPR[4]-like principles.

Understanding the Long Arm of the Orient

  3. The PIPL applies to organisations within and outside of China if the organisation processes personal information of residents in China, and the purpose of its processing activities is to provide products or services to those individuals, or to analyse/assess their behaviours. Once it is established that the PIPL applies to the organisation, cross-border considerations follow if the said personal information needs to leave the Chinese borders.
  4. Cross-border transfer is the movement of data from one country to another, either physically or digitally through a computer system or network. Typical examples would be the sending of data overseas for the purpose of storage in a server with remote access by tech support (situated in the said overseas country) from time to time for maintenance[5] or when a server located in one country transmits data to a cloud service provider based in another country.
  5. The PIPL[6] requires the following elements to be met before a cross-border transfer is lawful:
    a. provide a privacy notice to data subjects on the purpose of the transfer, the potential recipients and the retention period of the data
    b. establish a lawful processing basis (for example, consent[7])
    c. conduct a privacy impact assessment and keep records of processing activities
    d. put a suitable transfer mechanism in place before cross-border transfers can take place
  6. (Transfer Mechanisms) Examples of the transfer mechanisms (referred to in Paragraph 5(d) above) in descending order of complexity are as follows:
    • Mechanism 1: Undergoing a security assessment conducted by the Cyberspace Administration of China (CAC)[8]
    • Mechanism 2: Obtaining a personal information protection certification given by a specialized body (professional institution) according to provisions of the CAC[9]
    • Mechanism 3: Filing with the CAC a signed contract with a foreign party per the standards and template set by the CAC, complete with a detailed questionnaire on the scope of the transfer.
  7. (Transfer Mechanism 1) Let us understand when a security assessment is mandatory. The security assessment measures[10] stipulate that companies must undergo a security assessment by the CAC if they wish to export data under any of the following scenarios:
    • The company is a Critical Information Infrastructure Operator (CIIO)[11];
    • The company exports “important data” overseas[12];
    • The company has provided the Personal Information (excluding sensitive Personal Information[13]) of 1 million or more people to overseas parties since January 1 of the current year;
    • The company has provided the sensitive Personal Information of 10,000 or more people to overseas parties since January 1 of the current year; or
    • The company comes under situations as stipulated by the CAC.
  8. (Transfer Mechanisms 2 and 3) Companies that are not mandatorily required to comply with Mechanism 1 (for example, companies that are not considered CIIOs or do not meet the thresholds set out under Paragraph 7 above) will be able to rely on Mechanisms 2 or 3. For example, data handlers other than key information infrastructure operators shall have to meet Mechanisms 2 or 3 if they have cumulatively exported since January 1 of the current year:[14]
    a. Personal Information of 100,000 or more people but less than one million people (excluding sensitive personal information); or
    b. Sensitive Personal Information of less than 10,000 people.

To Exempt or Not to Exempt?

  9. Let us understand the exemptions under the PIPL that provide flexibility to the rules set out under Paragraphs 5 to 8 above.
    • Companies do not need to follow transfer restrictions related to “important data” unless their data is officially designated as “important data” by Chinese authorities.[15]
    • Personal Information imported into China for processing can be re-exported freely if no Chinese data is added.[16]
    • A transfer mechanism is not needed for exporting Personal Information under the following circumstances:[17]
      • concluding and fulfilling contracts to which the individual is a party, such as cross-border shopping, cross-border mailing, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel booking, visa application, and examination services; or
      • implementation of cross-border human resources management per labor rules and regulations formulated per the law and collective contracts signed per the law, where there is a genuine need to provide personal information of employees outside the country; or
      • protecting natural persons in an emergency; or
      • if data handlers other than operators of critical information infrastructure have cumulatively provided less than 100,000 people’s personal information (excluding sensitive personal information) outside China since January 1 of the current year.
  10. The Network Data Security Regulations[18] recently introduced a new exemption on cross-border transfer requirements. It is an implementation regulation of the Cyber Security Law (2017) (CSL), the Data Security Law (2021) (DSL), and the PIPL. If it is necessary to transfer personal information outside of China to fulfill a statutory duty or legal obligation, the relevant data exporter may conduct the transfer without implementing any “transfer mechanism”. It is unclear at this time how the new exemption rule will be interpreted and implemented in practice. For example, it is unclear whether the data transfers needed to fulfill legal obligations under foreign laws can be exempted. Legal tax requirements imposed by the parent company of an MNC may require transfers of Personal Information out of China, but will this come under the exemption? Even if so, would the exemption extend to Sensitive Personal Information?
  11. To summarise, the cross-border rules for companies that are not CIIOs or companies that deal with “important data” are as follows:[19]

| Non-sensitive Personal Information (“PI”) (since Jan 1)[20] | Transfer Mechanism | Sensitive Personal Information (“SPI”) (since Jan 1) | Transfer Mechanism |
| --- | --- | --- | --- |
| 1-99,999 individuals | None | | |
| 100,000-999,999 individuals | Mechanisms 2 or 3 | 1-9,999 individuals | Mechanisms 2 or 3 |
| One million or more individuals | Mechanism 1 | 10,000 or more individuals | Mechanism 1 |

Flexing of Said Long Arm on Multi-national Companies: To Tackle or Not to Tackle?

  12. Now, let us get to the juicy bit: the actual application of the law to organisations. My focus is on multi-national companies (MNCs) as this article is meant for Singapore companies or other businesses operating out of China with a view to providing services, goods or a combination of both to Chinese residents. It would not be usual for MNCs to be dealing with “important data” pertaining to key infrastructure operations, as such data, often so critical to the operation of China as a country, is likely to remain in the hands of local companies or Government-linked organisations.
  13. Introspective: No organisation exists without its employees. For MNCs, it is common for employees at a country location to be employed by the local entity/subsidiary but also be subjected to a regional HR or global HR work process. An example of a regional HR work process is a shared services model where payrolls or employee benefits could be managed outside of the country in a regional hub like India; a global HR work process is one where HR data is stored, accessed and managed in systems like a Workday platform with servers located in the United States.
  14. To be able to fall under the cross-border human resource management exemption for cross-border transfers, you must determine (1) if your employees are under a collective contract and (2) if there is a genuine need to provide that data overseas. For (1), external legal advice may need to be obtained to figure out if the employment contract entered with employees is sufficient. For (2), there is a need to internally assess whether the overseas export of the data is a genuine necessity. Examples of what makes up a necessity could be a genuine requirement to centrally maintain employee data for the purpose of benefit allocation, resource management and career progression.
  15. After answering (1) and (2) under paragraph 14 above, there are still other cross-border transfer requirements as set out under Paragraphs 5(a) to 5(c) that need to be met. For instance, are your employment contracts providing the adequate privacy notice and have you sought consent from your employees? In addition, have you done a privacy impact assessment to determine if you are only sending information on employees that is absolutely needed overseas and/or assessed the security measures facilitating the transfers?
  16. When you finally think you are out of the weeds – i.e., you have managed the transfer requirements of employees’ data, there is an interesting angle of how to manage employees’ relatives’ data. Employers would typically confer benefits on employees’ dependants under employees’ insurance policies or other ancillary benefits. The Personal Information (PI) of dependants would likely be stored in systems similar in nature to those where employees’ data is stored. Whilst overseas transfers of employee data would fall under the cross-border human resource management exemption, the Sensitive Personal Information (SPI) belonging to their dependants would not. There is then that interesting conundrum of ensuring a transfer mechanism is in place for those transfers and having to meet the other requirements under Paragraph 5.
  17. How about people you interview for jobs? Recruitment candidates – how and when is their PI being processed? If, for example, candidate profiles containing SPI are collected and then processed out of China by sending to Human Resource personnel based overseas or supervisors/team leads based out of China for consideration and review, please note that at the point of sending the profiles overseas, the cross-border human resource management exemption does not apply as these candidates are not employees. It is worthwhile to consider whether such SPI could be ringfenced within China. If data pertaining to recruitment candidates needs to be sent overseas because of the way the organisation is set up, another approach would be to collect only non-sensitive PI at the stage of considering employment[21] and follow up with collection and processing of SPI only after employment has been offered and accepted. What happens with the profiles after the vacancy has been filled? Some companies may store these profiles in their internal systems or backups, which again may have servers in overseas locations. Again, these profiles are not covered by the cross-border human resource management exemption and if these profiles have SPI, care must be taken in where these profiles are sent and how they are processed.[22]
  18. Extrospective: Let us touch on PI organisations may collect from external third parties. Customers are a common example and could include consumers’ data collected for the purpose of marketing, existing customer databases, and customer information collected when processing service quality feedback or complaints. For example, names, contact details and even addresses of external parties would not amount to SPI unless financial account information or medical history/health data was needed. If SPI needs to be collected, whether a Transfer Mechanism is necessary depends on where the PI is going to be transferred and stored – centrally – in an overseas marketing database or a cloud-based platform? Even cloud-based platforms are made up of servers located all over the world, so sending PI of individuals to such a platform comprises a cross-border transfer. Again, what is worth considering is what information is absolutely needed, whether this information needs to be stored and transferred overseas and what the threshold numbers are.
  19. If the first probative questions are addressed and the result is that a Transfer Mechanism is needed, MNCs then must take steps to ensure the required Transfer Mechanism 1, 2 or 3 is in place. There are then other considerations: (a) whether a privacy notice is in place seeking separate consent for the cross-border transfer. If external third-party information is collected through the company’s e-commerce platforms or through a complaint feedback portal on the MNC website, careful consideration must go into how the consent statements and privacy notices on these platforms and/or portals are set up – have you explained that data is being sent overseas and the purposes for which the data is being collected, and sought separate consent? (b) A privacy impact assessment is also needed.
  20. It becomes trickier when PI of transactional matters like day-to-day goods or services and purchase orders are also centrally stored in cloud-based platforms based overseas. Whilst a Transfer Mechanism may not be needed if there is only non-sensitive PI of under 100,000 individuals collected in a year, a privacy notice is still needed with separate consent before the non-Sensitive PI can be sent overseas. The question is how that notice and consent will be sought for transactional matters and orders. Does the cross-border transfer need to be mentioned in the sales order terms and conditions and separate consent be sought as part of the sales or Purchase Order acceptance confirmation? Also, an internal privacy impact assessment should be undertaken establishing the impact of the transfer and whether it is critical for such data to be stored overseas.
  21. In short, whilst the cross-border transfer laws in China still permit data transfers (since data localization is not mandated), the rules surrounding data transfers are still complicated to circumnavigate (see Paragraph 5) and some would argue that the Transfer Mechanisms are onerous.
  22. Let us now take a sharp swerve southeast to Singapore and compare against the transfer requirements back home.

Home Team

  23. The Singapore Personal Data Protection Act (PDPA) does not have a separate definition for Sensitive Personal Information. However, the guidelines[23] issued by the Personal Data Protection Commission do stipulate that the sensitive nature of data should be considered when implementing organisational policies. In particular, the Commission has a set of advisory guidelines specific to use of National Identification Registration Card (NRIC) numbers. Arguably, NRIC numbers are considered higher risk and more sensitive in the Singapore context.
  24. Once we understand the groundwork for what is considered personal data, then let us dive into specific requirements surrounding cross-border transfers in Singapore. There is no divergent approach in Singapore for personal data versus higher risk data when it comes to cross-border transfers. There is no approach premised on numbers either where a certain threshold number warrants a different approach.
  25. The requirements are simply captured: The entity sending the data overseas (data exporter) requires the organisation receiving personal data overseas (data importer) to have in place via legally enforceable obligations, protection that is “comparable” to the standards set out in the PDPA when transferring personal data outside of Singapore.
  26. Paragraphs 19.5 and 19.6 of the Advisory Guidelines[24] set out a number of mechanisms to impose legally enforceable obligations on the data importer. Arguably, data transfer agreements are the most relevant mechanism for most companies based in Singapore. Binding corporate rules are another option but these are not common for companies headquartered in the Asia Pacific.[25] A certification is also considered to have satisfied this requirement.[26]
  27. Interestingly,[27] if a data exporter is unable to rely on a legally enforceable obligation, binding corporate rules or certification, the data exporter could rely on any of these disjunctive options to legitimize the export:
    a. the individual has given consent with proper notice on why data needs to be transferred overseas and after having been notified as to how his Personal Information will be protected in the recipient country; or
    b. the transfer is considered necessary for the performance of a contract with the data subject; or
    c. when the Personal Information is publicly available.
  28. In essence, a company bound by the PDPA in Singapore could transfer Personal Information to an overseas recipient (data importer) or a vendor based overseas for a variety of reasons with either a data transfer agreement in place with the recipient/vendor, or established certification or binding corporate rules (provided the recipient is an affiliate company) or with the data subject’s written consent or under a contract with the data subject.
  29. Compared to the PIPL in China, which is highly prescriptive when it comes to cross-border transfers, the PDPA’s approach is comparatively more flexible. There are flipsides to being flexible. For example, it would appear that where a transfer is necessary for the performance of a contract with the data subject, it is not technically necessary to document privacy standards and security protections in a contract with the overseas recipient or to carefully consider how the Personal Information will be protected (since there is no need to notify the data subject and receive consent). Would this mean that the data exporter might not need to make a carefully considered decision before undertaking overseas transfers? Technically speaking, the PDPA imposes the duty of protecting Personal Information and a couple of other obligations[28] on data intermediaries. The whole host of obligations under the PDPA are also imposed on organisations. Interestingly, the definitions of “organization”[29] and “data intermediary”[30] under the PDPA imply that entities outside of Singapore could be covered. Therefore, data intermediaries or organisations based overseas acting as data importers are subjected to the PDPA but whether they will respond to enforcement action in Singapore is a whole other question.
Or perhaps all is not lost because the data exporter, an organisation bound by the PDPA, will still in any case ensure the necessary protections are in place before transfer since it could be taken to task in Singapore.

Stay Connected

  30. Connection is key. Businesses thrive on staying connected. Data must move across borders. Even in China, laws prohibiting data transfers and mandating data localization are slim to none. There is always a mechanism that can be leveraged to facilitate the data transfer. What businesses need to understand is the types of data they need to move, the recipients’ locations, and the legal arrangements surrounding the transfer. Having requirements in place is not synonymous with an outright data transfer prohibition. Though the laws in China are less flexible than those of Singapore, I welcome that difference as it makes my work interesting.

Endnotes

1 Author currently holds the CIPP/E and CIPP/A certification. She is working on getting the CIPP/China certification at the time this article was sent for publishing.
2 https://www.pwc.com/id/en/pwc-publications/services-publications/legal-publications/a-comparison-of-cybersecurity-regulations/china.html
3 The Law on Protection of Rights and Interests of Consumers 2014; The Cybersecurity Law 2017; The Provisions on Cyber Protection of Personal Information of Children 2019; The Methods for Identifying Unlawful Acts of Collection and Use of Personal Information via Mobile Applications 2019; The Cryptography Law 2020; The Data Security Law 2021; The Regulations on Critical Information Infrastructure Security Protection 2021; The Personal Information Protection Law 2021; The Cybersecurity Review Measures 2022; The Measures on Security Assessment of Cross-border Data Transfer 2022; The Measures for the Standard Contract for Cross-border Transfer of Personal Information 2023; The Regulations on Protection of Minors Online 2024; Regulations on Promoting and Regulating the Cross-border Data Flow, 2024; Network Data Security Regulation, 2025
4 Regulation (EU) 2016/679 (General Data Protection Regulation) 
5 Interestingly, Thailand’s regulatory authority has issued an Adequacy Notification that the following scenarios of data transfer do not qualify as cross-border data transfer and, therefore, the requirements of cross-border data transfer would not apply to them: (i) when personal data is passing through a system (such as an email server) without being accessed or altered; (ii) when data is stored temporarily or permanently on a cloud server located abroad where no third party has access to it.
6 Article 38
7 Chinese Court Concluded Landmark Case on Cross-Border Transfer of Personal Information – Publications clarifies the scope of a lawful processing legal basis and the process to obtain consent, if required as a legal basis.
8 Article 40
9 On 3 January 2025, the Cyberspace Administration of China (“CAC”) released for public consultation the draft Measures for Certification of Personal Information Protection for Cross-Border Transfer of Personal Information (“Draft Measures”). If it is passed, the Draft Measures will provide significant clarity and a practical route to data exporters on how to obtain the certification route.
10 The Measures for the Security Assessment of Data Export 2022
11 A CIIO is defined in the Regulations on Critical Information Infrastructure Security Protection 2021 as companies engaged in “important industries or fields”, including: public communication and information services; energy; transport; water; finance; public services; e-government services; national defense; and any other important network facilities or information systems that may seriously harm national security, the national economy and people’s livelihoods, or public interest in case of incapacitation, damage, or data leaks.
12 The final version of the Measures for the Security Assessment of Data Export 2022 adds a new article defining the scope of ‘important’ data as “data that may endanger national security, economic operation, social stability, or public health and safety once tampered with, destroyed, leaked, or illegally obtained or used”. Further, the Regulations on Promoting and Regulating the Cross-border Data Flow, issued on 22 March 2024, provides much-needed clarification on what constitutes “important data”. For important data, government has officially introduced the “Data Classification and Grading Requirements” in which an Appendix specifies guidelines for identifying important data. Examples of key industries that have conducted the identification of important data are industry and information technology, automobile, healthcare, finance, energy, aviation and education.
13 Meanwhile, ‘sensitive PI’ as defined in the PIPL includes (but is not limited to): biometric data (such as fingerprints, iris and facial recognition information, and DNA); data about religious beliefs or “specific identities”; medical history; financial accounts; location and whereabouts; any PI of minors under the age of 14.
14 Article 8 of Regulations on Promoting and Regulating the Cross-border Data Flow, issued on 22 March 2024
15 Regulations on Promoting and Regulating the Cross-border Data Flow, issued on 22 March 2024
16 Ditto
17 Ditto
18 Network Data Security Regulation was released by the State Council on September 24, 2024, and will take effect on January 1, 2025.
19 The exemptions would override this table, wherever applicable.
20 The numbers re-set every Jan 1.
21 Recall – non-sensitive PI of 1-99,999 individuals does not require a transfer mechanism.
22 A transfer mechanism may need to be in place, plus a privacy notice to candidates which could be managed through employment application forms, and an internal privacy impact assessment as well.
23 See section 49 of the Personal Data Protection Act.
24 https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/advisory-guidelines-on-key-concepts-in-the-pdpa-17-may-2022.pdf
25 Typically, companies bound by EU privacy laws for a variety of reasons because they are based out of the EU or have significant operations out of the EU, tend to have adopted Binding Corporate Rules as these are prevalent in the EU and have gained traction and popularity.
26 Certifications under the Asia Pacific Economic Cooperation Cross Border Privacy Rules (“APEC CBPR”) System, and the Asia Pacific Economic Cooperation Privacy Recognition for Processors (“APEC PRP”) System, depending on whether the overseas recipient receives the Personal Information as an organization or a data intermediary.
27 Paragraph 19.7 https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/advisory-guidelines-on-key-concepts-in-the-pdpa-17-may-2022.pdf
28 Retention Obligation and Data Breach Notification (Section 4(2) of the PDPA)
29 “organization” includes any individual, company, association or body of persons, corporate or unincorporated, whether or not — (a) formed or recognized under the law of Singapore; or (b) resident, or having an office or a place of business, in Singapore.
30 “data intermediary” means an organization which processes personal data on behalf of another organization but does not include an employee of that other organization.

The post Cross-border Conundrums: The Chinese Deep Dive Against a Home Team Perspective appeared first on The Singapore Law Gazette.

