China's newly released draft PRC Personal Information Protection Law (PIPL) (中华人民共和国网络安全法) has taken elements of the European Union's General Data Protection Regulation (GDPR) to reduce government involvement in the new data transfer mechanisms (read part one of our analysis here).

But uncertainty remains surrounding the types of companies subject to security assessments and the kinds of data transfer will be subject to scrutiny; thus, businesses in China have mostly adopted a data processing strategy of localizing where possible while exporting where necessary.