China Releases New Regulation on Cross-Border Data Transfers
At a Glance
- The Cyberspace Administration of China released the long-awaited finalized Provisions on Facilitating and Regulating Cross-Border Data Flow on March 22, 2024.
- The Regulation eases some of the thresholds that would trigger the requirements of Security Assessments, Standard Contract Filings or Certification.
- The Regulation leaves space for special policies in Free Trade Zones.
Six months after the release of the draft Provisions on Regulating and Facilitating Cross-Border Data Flow, the Cyberspace Administration of China (CAC) officially released the long-awaited finalized Provisions on Facilitating and Regulating Cross-Border Data Flow (Regulation) on March 22, effective immediately. The final version prioritizes “Facilitating” over “Regulating,” reflecting that the Chinese government takes a positive posture to ease the lawful, orderly and free flow of data. CAC also updated the Guidelines to Applications for Security Assessment of Outbound Data Transfer and the Guidelines for Filing the Standard Contract for Outbound Cross-Border Transfer of Personal Information to reflect the current rules for cross-border data transfers. The Regulation and the new guidelines adjust the thresholds, methods and procedures for the security assessment for cross-border data transfers (Security Assessments) and filings of standard contract for cross-border transfer of personal information (Standard Contract Filings) as required by the Personal Information Protection Law (PIPL).
Under the PIPL, which took effect on November 1, 2021, personal information exports from China are subject to any of three conditions: completing the security assessment, entering into and filing standard contract clauses or obtaining the personal information protection certification (Certification) (collectively, Personal Information Export Requirements).
New Exceptions to Personal Information Export Requirements
After the release of the Regulation, personal information exports are exempt from the Data Export Requirements in the following scenarios:
- Cross-border transfer of personal information that is necessary for the conclusion or performance of a contract to which the personal information subject is a party, such as cross-border shopping, delivery, remittance, payments, bank account opening, air ticket and hotel bookings, visa applications, examination services, etc.
- Cross-border transfers of employee personal information in accordance with enforceable employment policies and collective bargaining agreements for necessary cross-border human resource management.
- Exporting personal information for purposes of protecting individuals’ life, health or property security in emergency situations.
- After the overseas personal information is transferred to mainland China for processing, it is then provided overseas with no domestic personal information or important data being introduced during the processing.
- Exporting data not involving personal information and important data that is collected or generated during international trade, cross-border shipping, academic cooperation, cross-border manufacturing and marketing scenarios.
Thresholds for Personal Information Export Requirements
The Regulation eases some of the thresholds that would trigger the Personal Information Export Requirements. Companies that do not qualify for the exceptions discussed above need to assess and evaluate the amount and nature of personal information to be transferred abroad. The current thresholds under the Regulation are summarized as follows:
| Identities | Nature of data to be transferred | Volume of data to be transferred (calculated from January 1 of the current year) | Requirements |
| --- | --- | --- | --- |
| CIIOs | N/A | N/A | Security Assessments |
| Non-CIIOs | Important Data | N/A | Security Assessments |
| Non-CIIOs | Sensitive Personal Information | More than 10,000 individuals | Security Assessments |
| Non-CIIOs | Sensitive Personal Information | Fewer than 10,000 individuals | Standard Contract Filings or Certification |
| Non-CIIOs | General personal information (not including Sensitive Personal Information) | More than 1 million individuals | Security Assessments |
| Non-CIIOs | General personal information (not including Sensitive Personal Information) | More than 100,000 but fewer than 1 million | Standard Contract Filings or Certification |
| Non-CIIOs | General personal information (not including Sensitive Personal Information) | Fewer than 100,000 individuals | Exempted from Security Assessments, Standard Contract Filings and Certification |
Free Trade Zone (FTZ)’s Special Rules
The Regulation leaves space for special policies in the FTZs. FTZs can develop their own data list in accordance with laws (combined with the Measures for the Classification and Grading of Cross-border Data Flows in the Lingang Special Area of the China (Shanghai) Pilot Free Trade Zone (for Trial Implementation), Notice on Promulgation of the Standards for Data Classification and Grading by Enterprises in China (Tianjin) Pilot Free Trade Zone) to satisfy Personal Information Export Requirements.
Our Observations
The Regulation comes into force with immediate effect, so now is the time for MNCs to take actions to comply. It is important to understand that reliance on any of the exemptions under the Regulation only applies to the data export mechanisms. Compliance obligations for data processors in the cross-border data transfer scenarios have not been reduced, despite the fact that the regulatory procedures for the export of data and personal information have been relaxed. Complying with general personal information protection and data privacy obligations is still an essential compliance task for multinational companies, with steps including:
- Revisiting the data inventory and specifically sorting out the sensitivity of personal information to be transferred abroad.
- Informing and obtaining separate consent in processing sensitive personal information and cross-border personal information transfer scenarios [1].
- Putting necessary contractual terms in place with overseas recipients to ensure equivalent personal information protection standards for exported data.
- Notably, conducting internal personal information protection impact assessment, even if the transfer scenarios qualify for the new exemptions.
Certain aspects of the Regulation still need further clarification from the CAC. For example, in the absence of an express test as to what amounts to “necessity,” questions remain as to what HR management activities can be justified in the practice of transferring employee personal information abroad and how to determine that the transfer of specific fields of personal information is for the purpose of carrying out HR management. The ambiguities would need to be explored in practice and multinational companies are encouraged to consult with professionals for guidance and interpretation.
For companies registered in the FTZs, it is critical to closely monitor the developments and implementations of special policies and data lists to adapt to a more relaxed transfer environment. For ongoing applications and filings already submitted to CAC, applicants whose data exports are now exempted from such applications and filings can choose either to continue the process or to withdraw the filing application from the local CACs. For companies that ceased their Security Assessments or Standard Contract Filings last September in anticipation of the finalized regulations, it is now time to re-assess their projects under the Regulation.
[1] If the legal basis of processing personal information is secured upon obtaining consent.