Provisions on Facilitating and Regulating Cross-border Data Flow
Provisions on Facilitating and Regulating Cross-border Data Flow
Provisions on Facilitating and Regulating Cross-border Data Flow
Order of the Cyberspace Administration of China No. 16
March 22, 2024
The Provisions on Facilitating and Regulating Cross-border Data Flow, which have been deliberated and adopted at the 26th executive meeting of the Cyberspace Administration of China in 2023 on November 28, 2023, are hereby promulgated and shall become effective from the date of promulgation.
Zhuang Rongwen, Director of the Cyberspace Administration of China
Provisions on Facilitating and Regulating Cross-border Data Flow
Article 1 These Provisions are formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and other laws and regulations for the implementation of relevant cross-border data transfer systems, such as those for security assessment of outbound data transfer, standard contract for outbound cross-border transfer of personal information, and personal information protection certification, with a view to safeguarding data security, protecting the rights and interests in personal information, and facilitating the lawful, orderly, and free flow of data.
Article 2 Data processors shall identify and declare important data pursuant to relevant regulations. If any data is not announced or published by relevant department or locality as important data, data processors are not required to apply for the security assessment for such data.
Article 3 For the outbound transfer of the data generated during international trade, cross-border transportation, academic cooperation, and transnational production, manufacturing, and marketing activities, the declaration for the security assessment of outbound data transfer (the "security assessment"), the conclusion of a standard contract for outbound cross-border transfer of personal information (the "standard contract"), and the personal information protection certification are exempted, provided that such data does not include personal information or important data.
Article 4 For the outbound transfer of the personal information collected and generated overseas by data processors, which had been transferred to and processed in the territory of China, the declaration for the security assessment, the conclusion of the standard contract, and the personal information protection certification are exempted, provided that no personal information or important data from the territory of China is introduced in the course the processing.
Article 5 Where the outbound transfer of personal information by a data processor falls within any of the following circumstances, the declaration for the security assessment, the conclusion of the standard contract, and the personal information protection certification are exempted:
(1) where it is truly necessary to transfer any personal information overseas for the purpose of executing and performing a contract to which the individual is a party concerned, such as cross-border shopping, cross-border consignment, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel reservation, visa application, and examination services;
(2) where it is truly necessary to transfer any personal information of an internal staff member overseas for the purpose of cross-border human resources management under lawfully established labor rules and regulations and pursuant to a lawfully executed collective contract;
(3) where it is truly necessary to transfer any personal information overseas in emergency for the purpose of protecting the health, life, and property safety of a natural person; or
(4) where a data processor other than critical information infrastructure operator transfers overseas the personal information of less than 100,000 individuals on a cumulative basis (excluding sensitive personal information) starting from January 1 of the said year.
The personal information provided overseas as mentioned in the preceding paragraph does not include important data.
Article 6 Under the national classified and graded data protection system and framework, a pilot free trade zone may independently formulate a list of the data to be included in the management scope of the security assessment, the standard contract, and the personal information protection certification (the "negative list") for the said free trade zone, which shall be reported to the provincial-level cyberspace affairs commission for approval and then submitted to the national cyberspace administration authority and national data management authority for record-filing.
For any outbound transfer of the data beyond the negative list by data processors in the pilot free trade zone, the declaration for the security assessment, the conclusion of the standard contract, and the personal information protection certification are exempted.
Article 7 Where a data processor transfers any data overseas and has any of the following circumstances, it shall apply to the national cyberspace administration authority for security assessment via the provincial-level cyberspace administration authority at its location:
(1) where a critical information infrastructure operator provides personal information or important data overseas; or
(2) where a data processor other than critical information infrastructure operator transfers overseas the personal information of more than one million individuals (excluding sensitive personal information) or the sensitive personal information of more than 10,000 individuals on a cumulative basis starting from January 1 of the said year.
Where any circumstance falls within the circumstances specified in Articles 3, 4, 5, and 6 hereof, such provisions shall prevail.
Article 8 Where a data processor other than critical information infrastructure operator transfers overseas the personal information of more than 100,000 but less than one million individuals (excluding sensitive personal information) or the sensitive personal information of less than 10,000 individuals on a cumulative basis starting from January 1 of the said year, it shall conclude a standard contract with the overseas recipient or pass the personal information protection certification pursuant to the law.
Where any circumstance falls within the circumstances specified in Articles 3, 4, 5, and 6 hereof, such provisions shall prevail.
Article 9 The results of passing the security assessment shall be valid for three years, starting from the date when the assessment results are issued.
......
Order of the Cyberspace Administration of China No. 16
March 22, 2024
The Provisions on Facilitating and Regulating Cross-border Data Flow, which have been deliberated and adopted at the 26th executive meeting of the Cyberspace Administration of China in 2023 on November 28, 2023, are hereby promulgated and shall become effective from the date of promulgation.
Zhuang Rongwen, Director of the Cyberspace Administration of China
Provisions on Facilitating and Regulating Cross-border Data Flow
Article 1 These Provisions are formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and other laws and regulations for the implementation of relevant cross-border data transfer systems, such as those for security assessment of outbound data transfer, standard contract for outbound cross-border transfer of personal information, and personal information protection certification, with a view to safeguarding data security, protecting the rights and interests in personal information, and facilitating the lawful, orderly, and free flow of data.
Article 2 Data processors shall identify and declare important data pursuant to relevant regulations. If any data is not announced or published by relevant department or locality as important data, data processors are not required to apply for the security assessment for such data.
Article 3 For the outbound transfer of the data generated during international trade, cross-border transportation, academic cooperation, and transnational production, manufacturing, and marketing activities, the declaration for the security assessment of outbound data transfer (the "security assessment"), the conclusion of a standard contract for outbound cross-border transfer of personal information (the "standard contract"), and the personal information protection certification are exempted, provided that such data does not include personal information or important data.
Article 4 For the outbound transfer of the personal information collected and generated overseas by data processors, which had been transferred to and processed in the territory of China, the declaration for the security assessment, the conclusion of the standard contract, and the personal information protection certification are exempted, provided that no personal information or important data from the territory of China is introduced in the course the processing.
Article 5 Where the outbound transfer of personal information by a data processor falls within any of the following circumstances, the declaration for the security assessment, the conclusion of the standard contract, and the personal information protection certification are exempted:
(1) where it is truly necessary to transfer any personal information overseas for the purpose of executing and performing a contract to which the individual is a party concerned, such as cross-border shopping, cross-border consignment, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel reservation, visa application, and examination services;
(2) where it is truly necessary to transfer any personal information of an internal staff member overseas for the purpose of cross-border human resources management under lawfully established labor rules and regulations and pursuant to a lawfully executed collective contract;
(3) where it is truly necessary to transfer any personal information overseas in emergency for the purpose of protecting the health, life, and property safety of a natural person; or
(4) where a data processor other than critical information infrastructure operator transfers overseas the personal information of less than 100,000 individuals on a cumulative basis (excluding sensitive personal information) starting from January 1 of the said year.
The personal information provided overseas as mentioned in the preceding paragraph does not include important data.
Article 6 Under the national classified and graded data protection system and framework, a pilot free trade zone may independently formulate a list of the data to be included in the management scope of the security assessment, the standard contract, and the personal information protection certification (the "negative list") for the said free trade zone, which shall be reported to the provincial-level cyberspace affairs commission for approval and then submitted to the national cyberspace administration authority and national data management authority for record-filing.
For any outbound transfer of the data beyond the negative list by data processors in the pilot free trade zone, the declaration for the security assessment, the conclusion of the standard contract, and the personal information protection certification are exempted.
Article 7 Where a data processor transfers any data overseas and has any of the following circumstances, it shall apply to the national cyberspace administration authority for security assessment via the provincial-level cyberspace administration authority at its location:
(1) where a critical information infrastructure operator provides personal information or important data overseas; or
(2) where a data processor other than critical information infrastructure operator transfers overseas the personal information of more than one million individuals (excluding sensitive personal information) or the sensitive personal information of more than 10,000 individuals on a cumulative basis starting from January 1 of the said year.
Where any circumstance falls within the circumstances specified in Articles 3, 4, 5, and 6 hereof, such provisions shall prevail.
Article 8 Where a data processor other than critical information infrastructure operator transfers overseas the personal information of more than 100,000 but less than one million individuals (excluding sensitive personal information) or the sensitive personal information of less than 10,000 individuals on a cumulative basis starting from January 1 of the said year, it shall conclude a standard contract with the overseas recipient or pass the personal information protection certification pursuant to the law.
Where any circumstance falls within the circumstances specified in Articles 3, 4, 5, and 6 hereof, such provisions shall prevail.
Article 9 The results of passing the security assessment shall be valid for three years, starting from the date when the assessment results are issued.
......