The scope of cross-border data transfers
The publication of the General Data Protection Regulation (GDPR) on May 25, 2016 in the European Union, served as inspiration worldwide for the implementation of data privacy laws.
Many countries, following this, began to develop a very similar law to protect the rights and freedoms of individuals within their territories.
The scope of cross-border data transfers in China (PIPL) and the U.S. states of California (CCPA) or Virginia (VCDPA) will be examined below.
Countries that implemented their Data Protection Law in the wake of the GDPR:
China (PIPL):
The Personal Information Protection Law (PIPL) was passed on August 20, 2021 by the Standing Committee of the National People’s Congress of the People’s Republic of China, and came into force on November 1, 2021.
The purpose of this new Law is, according to its Article 1: “to regulate personal information processing activities” and “to promote the reasonable use of personal information”.
Territorial scope
Like the GDPR, the PIPL has extraterritorial scope over processing activities occurring outside China’s border.
As stated in Article 3 of that law, the PIPL will apply where the purpose of the processing activity is:
- Offering products or services to a person located in China.
- To analyze or evaluate the behavior of a person located in China.
Companies that conduct business outside China but process information of Chinese citizens will be subject to the PIPL, and must appoint a local representative or create a responsible entity in China in order to ensure compliance with the law.
Jihong Chen, an experienced data protection lawyer, points out that the new privacy law aims to regulate the way processors obtain and manage personal information (PI) of individuals in China, whether or not the processors are located in its territory.
Finally, under the PIPL, personal information must be stored within the territory of the People’s Republic of China.
California (CCPA)
The California Consumer Privacy Act (CCPA) became effective in 2020 and is the most comprehensive privacy legislation in the United States.
For-profit entities that conduct business in California or collect personal information from California citizens must comply with the requirements of the CCPA.
The CCPA protects the personal information of individuals, and is intended to prevent unwanted and unauthorized use of personal information by companies and their partners.
Territorial Scope
This law only protects both the rights and freedoms of consumers residing in California and those temporarily residing outside the state. It does not apply to temporary visitors to California.
It applies to anyone who:
- Owns a for-profit entity.
- Conducts business in California and serves at least 50,000 users or households.
- Equals or exceeds $25 million in annual revenue.
- Derives 50% or more of its gross revenues from sharing or selling consumers’ personal information.
Virginia (VCDPA)
The VCDPA regulates the collection and processing of personal data of Virginia residents.
It establishes key rights, such as the right to opt out of selling personal data to third parties or using it for targeted advertising.
The law was passed on March 2, 2021, however, enforcement by the Virginia Attorney General will not begin until January 1, 2023.
Territorial Scope
The VCDPA applies to organizations that conduct business in Virginia or offer products or services targeted to residents of Virginia territory:
- They process personal data of at least 100,000 Virginia residents.
- They derive more than 50% of gross revenues from the sale of personal data.
- Process personal data of at least 25,000 Virginia residents.
Awareness of the importance of establishing a law regulating the use of citizens’ personal data has been echoed.
As a result, more and more countries are working to implement such a law, regulating the scope of cross-border data transfers.
From Auratech Legal Solutions we hope that this post has been helpful for all those companies that maintain commercial activity in China, or in the states of California or Virginia of the United States of America, and know the degree of affectation of these new Data Protection laws in their businesses.
Leave a Reply
Want to join the discussion?Feel free to contribute!