Cross-Border-Transfer

PIPL

China’s Personal Information Protection Law of 2021 is often compared to GDPR but operates in a fundamentally different legal context. PIPL provides individual rights: informed consent for processing, access to personal information, correction of errors, deletion rights, and data portability. Processing requires a lawful basis (consent, contract, legal obligation, public interest, etc.). Cross-border transfers need individual consent plus one of: government security assessment, standard contractual clauses, or certification. However, PIPL explicitly exempts state security and emergency response activities. The coexistence of PIPL’s individual protections with the National Intelligence Law’s access requirements creates an unusual framework: organizations must protect personal data while simultaneously being prepared to disclose it to state security when requested. For international data transfers involving China, this dual nature complicates compliance.

Data Security Law

China’s Data Security Law of 2021 complements the Cybersecurity Law with comprehensive data governance. It establishes a classification system: ‘core data’ relating to national security receives the highest protection; ‘important data’ in regulated catalogs requires security assessments before cross-border transfer; ‘general data’ faces fewer restrictions. All data processing must serve China’s national security and development interests. Organizations must cooperate with government data requests and maintain security measures. The law has extraterritorial reach: activities outside China harming Chinese national security or citizens’ interests can be penalized. For international organizations, the Data Security Law complicates cross-border data flows—transferring data from China to headquarters may require government approval and security assessments.

APPI

Japan’s APPI, originally enacted in 2003, was substantially revised in 2020 and 2022 to align with GDPR and strengthen protections. Business operators must specify utilization purposes, obtain consent for sensitive data, implement security measures, and respond to individual requests for disclosure, correction, and deletion. The 2020 amendments introduced rights to request deletion and usage suspension, created penalties for database theft, and strengthened the Personal Information Protection Commission’s enforcement powers. Cross-border transfers require consent plus adequacy assessment, consent plus contractual safeguards, or group company systems with equivalent protections. Japan and the EU recognize each other’s adequacy, creating a ‘data free-flow highway’ between the two economies. The PPC actively updates guidelines for emerging technologies including cookies, AI, and biometrics.