Now all products do not ship to the United States, Canada, Mexico area.

Challenges arise for conducting investigations in China with new data protection laws

China has recently implemented several significant data protection laws, such as the Personal Information Protection Law (PIPL) and the Data Security Law (DSL). These laws have introduced a comprehensive regulatory framework for safeguarding personal information in China. They impose strict requirements on data collection, consent, and cross-border data transfers, accompanied by substantial penalties for non-compliance.

When conducting or responding to investigations in China, companies may face challenges in adhering to these new laws. For instance, they may need to address investigations initiated by foreign government regulators concerning their China-based operations or provide evidence in offshore judicial proceedings.

Obtaining consent and managing employee data present notable challenges under the PIPL. In investigations involving employee data, such as HR files or email data analysis, it is crucial to obtain express and informed consent from the data subjects. This requirement becomes even more critical when dealing with sensitive personal information or when transferring data to external parties or beyond China’s borders.

Navigating Cross-Border Data Transfers in Investigations

Navigating cross-border data transfers during investigations can be complex. Logistics and practical difficulties often arise, especially when employee data is intertwined with company and business-related data. Moreover, employees might be hesitant to surrender personal devices for data collection. Existing company data privacy policies frequently lack clear guidelines on the collection and utilization of employee data in regulatory investigations.

Additionally, the PIPL and recent administrative rules impose restrictions on cross-border transfers of personal information. Companies must fulfill specific steps and obtain regulatory approval, such as undergoing a security assessment approved by the Cyberspace Administration of China or entering into data transfer agreements with overseas recipients, prior to transferring personal information outside of China. Due to the intricate nature of this process and the absence of explicit guidance, it is advisable for companies to process and review all China-related data within the country. Utilizing local teams or seeking assistance from China-based legal experts can help avoid the need for data transfers out of China.

Restrictions on Data Transfer to Foreign Authorities

Restrictions on data transfers to foreign authorities further complicate matters. The DSL and PIPL prohibit the transfer of data stored within China to foreign legal or enforcement authorities without approval from competent Chinese authorities. However, the specific scope of this restriction and the procedure for obtaining approval remain ambiguous, causing uncertainty and complexity for companies.

To conclude, companies operating in or conducting business in China should stay updated with the latest regulatory developments. It is crucial to proactively review compliance programs and policies to ensure alignment with the PIPL, DSL, and other data protection laws. Specifically, in the context of investigations in China, companies should review and update investigation protocols, establish tailored consent mechanisms, and develop protocols for handling cross-border data transfers. Striking a balance between compliance with data protection regulations and conducting effective investigations is of utmost importance.


您的电子邮箱地址不会被公开。 必填项已用*标注

Scroll to Top