Issue6 China's New Rules on Cross-border Data Transfer

Editorial Note

On March 22, 2024, the Cyberspace Administration of China ("CAC") issued the Regulations on Promoting and Regulating Cross-border Data Transfers (the "New CBDT Regulations"). The New CBDT Regulations follow a similar approach to the Draft Regulations, emphasizing orderly management and appropriate relaxation, while also incorporate necessary adjustments based on the implementation of data export security management in practice. With the goal of stabilizing the economy and promoting development, the Regulations respond to companies' expectations, facilitate cross-border data transfer, and reduce companies' compliance burden.

Catalogue

I. Analysis and interpretation of the key aspects of the New CBDT Regulations

1. Data processors are not obligated to conduct a data export security assessment for the export of important data if the data being processed has not been officially notified or publicly announced as such by relevant departments or regions.

2. Data export procedures do not apply to cross-border transfers that do not involve domestic personal information or important data.

3. The trigger thresholds and calculation periods for different types of data export procedures have been adjusted.

4. Certain personal information data export scenarios are exempt from the data export procedures.

5. Data processors located in free trade zones are also eligible for exemption from the data export procedures when providing data that is not included in the "negative list".

6. The legal requirements for cross-border data transfer and obligations for handling data security incidents are restated.

Observations and Recommendations

In general, the New CBDT Regulations adjust and optimize the mechanism for data export procedures, facilitate the cross-border data flows and reduce the compliance costs for enterprises while ensuring national data security. Under the guidance of the New CBDT Regulations, enterprises can refer to the following key points to evaluate and improve their compliance in cross-border data transfer scenarios.

1. Evaluating and assessing the applicability of the New CBDT Regulations to enterprises, and determining applicable compliance strategies based on their situations.

(1) For those which have not yet submitted a security assessment or standard contract filing, it is necessary to determine as soon as possible whether a data export security assessment, standard contract filing, or personal information protection certification is required, and to apply as soon as possible. If after reviewing the data export situation, the data processor still needs to complete a data export security assessment or conclude standard contracts for personal information export, they need to update and improve the application materials and submit them as soon as possible, according to "Guidelines for Data Export Security Assessment (Second Edition)" and "Guidelines for Standard Contract for Personal Information Export (Second Edition)" issued by the CAC on the same date of the New CBDT Regulation. Based on CAC official's explanation during the press conference[4], general applications can be submitted through the data export filing system.

(2) Assessing whether to proceed with or withdraw the submitted application for security assessment or standard contract filing. According to CAC official's explanation during the press conference, if an enterprise has already applied for a data export security assessment, or submitted a filing for a standard contract for personal information export before March 22, 2024, but is not required to carry out the above procedures according to the New CBDT Regulations, the data processor can proceed with the original procedures or withdraw the application and filing from the provincial cyberspace administration department. Although the specific process for withdrawal is not yet clear, it can be confirmed by contacting the relevant responsible officials later.

(3) Assessing the possibility of utilizing alternative methods for data export if the security assessment is unsuccessful or only partially successful. According to CAC official's explanation during the press conference, if an enterprise fails to pass or partially pass the data export security assessment by March 22, 2024, it can provide personal information to overseas entities through other means, such as entering into standard contract for exporting personal information or obtaining personal information protection certification, if exempt from the data export security assessment under the New CBDT Regulations. However, practical implementation is still needed to confirm whether the data export scenarios or specific data fields that did not pass or were only partially passed during the security assessment would satisfy the relevant requirements of other data export channels.

(4) The validity period of the security assessment passing result has been extended to 3 years, and renewal can be applied for upon expiration. If data processors have already conducted data export security assessments before March 22, 2024, they can continue based on their application. According to the New CBDT Regulations, the validity period of these assessment results is three years from the date of issuance. When the validity period expires and there is a need to continue exporting data without re-applying the security assessment, data processors can apply for a 3-year extension within 60 working days before the expiration of the validity period.

2. Improving internal compliance measures to meet the basic requirements for the cross-border transfer of personal information. While the New CBDT Regulations provide exemptions from data export procedures for certain circumstances, it is important to note that these exemptions do not relieve the compliance obligations for cross-border data transfers. In particular, Article 10 of the New CBDT Regulations emphasizes the general compliance obligations for the outbound transfer of personal information, including fulfilling the notification obligation, obtaining individual consent, and conducting a personal information protection impact assessment. This is also the basic compliance requirement for the outbound transfer of personal information under the "Personal Information Protection Law". When reviewing the process of outbound transfer of personal information, regardless of whether an assessment, standard contract filing, or certification is required, companies still need to assess whether there are compliance gaps and make necessary improvements, while keeping relevant records. This is also a basic requirement for companies to meet future personal information protection compliance audits.

3. Continuously monitoring the updates in the catalog of important data and ensuring the identification and reporting of important data in compliance with the law. According to the New CBDT Regulations, data processors should identify and report important data in accordance with relevant regulations. Even if the data being processed has not been officially notified or publicly announced as such by relevant departments or regions, there is no need to apply for a security assessment for exporting important data. However, considering that different regions and departments will establish a data classification and protection system, and determine the specific catalog of important data for the local area, department, industry, and field, the practice will develop accordingly. Enterprises should still closely follow and continuously pay attention to the identification and reporting requirements for important data based on their own industry, data processing, and business activities.

Back to Top

II. Limit the scope of Security Assessments and Standard Contract Filings

The Relaxation Measures clarify the exemption of Security Assessments and Standard Contract Filings (or personal information protection certification, omitted below) for certain data export scenarios, and further delineate the threshold for Security Assessments and Standard Contract Filings.

a) Scenarios that exempt Security Assessments and Standard Contract Filings

The Relaxation Measures clarify the following data export scenarios that do not require Security Assessments or Standard Contract Filings:

1.Export of data (which does not contain important data or personal information) collected and generated in international trade, cross-border transportation, academic cooperation, cross-border manufacturing and marketing activities;

2.After the overseas personal information is transferred to the mainland for processing, it is then provided overseas with no domestic personal information or important data being introduced during the processing;

3.Outbound transfers of personal information (such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel reservations, visa applications, examination services, etc.) for the purpose of entering into and performing a contract to which the individual is a party;

4.Outbound transfers of employee personal information on the legal basis of necessary cross-border human resource management (please note that this scenario does not include the outbound transfers of job candidates' personal information);

5.In case of emergency, personal information is exported to protect the life, health, and property safety of natural persons.

6.Data processors in the Pilot Free Trade Zone (FTZ) are subject to a list of outbound data transfers enacted by the Pilot Free Trade Zone in accordance with the laws (combined with the Measures for the Classification and Grading of Cross-border Data Flows in the Lingang Special Area of the China (Shanghai) Pilot Free Trade Zone (for Trial Implementation), Notice on Promulgation of the Standards for Data Classification and Grading by Enterprises in China (Tianjin) Pilot Free Trade Zone it seems to mean that the FTZ is expected to promulgate and implement a more relaxed regulatory regime for data exports, which may be close to a whitelist system).

It is worth noting that the cross-border transfers of personal information in the above scenarios do not only exempt the Security Assessments or Standard Contract Filings requirements, but are also excluded from the number counted for the thresholds for applying for Security Assessments and Standard Contract Filings as described below.

b) Thresholds for Security Assessments and Standard Contract Filings

The Relaxation Measures raise the thresholds for Security Assessments and Standard Contract Filings.

Back to Top

III. Simplification of Standard Contract Filing Procedures

The Relaxation Measures, as well as the new Guidelines, have largely simplified the procedures for Security Assessments and Standard Contract Filings.

a) Extend the validity periods of Security Assessments

The validity periods of the Security Assessments have been extended from the original 2 years to 3 years (calculated from the date of issuance of the assessment results).

At the same time, the Relaxation Measures add a mechanism for applying for an extension of the validity period. If there is no substantial change in the data export activities, the data processor may submit an application to the CAC for an extension of the validity period through the provincial CAC, 60 working days before the expiration of the validity period. If the application is approved, the validity period can be extended by 3 years.

b) Simplify filling materials

According to the New Guidelines, the content of the personal information protection impact assessment report has been simplified. It is no longer required to analyze and discuss: (1) the personal information protection capabilities of the personal information processor, and (2) the personal information protection policies and regulations of the country or region where the overseas recipient is located.

However, the New Guidelines still require enterprises to provide IT-related information such as "the relevant information of the outbound link of personal information, the system platform and data center to store information after the transfer", and other relevant IT information that enterprises are reluctant to provide.

c) Simplify filing methods

According to the New Guidelines, data processors can submit Standard Contract Filings and Security Assessment applications online through the data export filing system, and it is no longer required to submit paper-based materials offline.

In particular, according to the Guidelines on the Use of Data Export Filing System, data processors who file the Security Assessment applications only need to upload the scanned copies of all materials; moreover, the New Guidelines no longer require the processor to submit the original materials of power of attorney, letter of commitment, and standard contracts, which reduces the time spent on the chopping and mailing process of such materials.

Back to Top

IV. Regulatory Forecast for Data Export

Although the regulatory procedures for the export of data and personal information have been simplified, compliance obligations for data exporters have not been reduced. Regardless of the volume of the personal information to be exported, processors are required to comply with the requirements for export under the PIPL, no matter whether a Security Assessment or a Standard Contract Filing is required. This includes, but is not limited to, informing and seeking separate consents from relevant individuals, and performing the personal information protection impact assessment.

At the same time, with the implementation of the Relaxation Measures, the CAC will be relieved from the onerous burden of reviewing Security Assessments and Standard Contract Filings, and will carry out more comprehensive and frequent law enforcement (including but not limited to data exports).

Back to Top

V. FAQs pertaining to cross-border data transfer in enterprises' business operations

1. What are the key regulatory requirements for transferring data collected in China to abroad?

Under the current regulatory framework, a domestic data processor would have to take one of the following three routes so as to legally export personal information or Important Data to abroad.

Route 1 (Security Assessment). The following data exporters must pass a security assessment for outbound data transfer ("Security Assessment") organized by the CAC before transferring data to abroad:

  • Data processors seeking to transfer Important Data to abroad;
  • Critical information infrastructure operators ("CIIOs") seeking to transfer personal information to abroad; and
  • Data processors other than CIIOs who have cumulatively transferred personal information of more than one million individuals (excluding sensitive personal information) or sensitive personal information of more than 10,000 individuals out of China since Jan. 1 of the year.

Route 2 (Standard Contract). If none of the thresholds for the Security Assessment listed above is triggered, a data exporter who has cumulatively transferred personal information of more than 100,000 individuals but less than one million individuals (excluding sensitive personal information) or sensitive personal information of less than 10,000 individuals out of China since Jan. 1 of the year, is seeking to transfer any personal information out of China can opt to conclude a contract with the foreign recipient in the form of the Standard Contract for Cross-border Transfer of Personal Information formulated by the CAC ("Standard Contract") and file the executed Standard Contract with the CAC's local branch at provincial level.

Route 3 (Protection Certification). As an alternative for Route 2, a data exporter who has cumulatively transferred personal information of more than 100,000 individuals but less than one million individuals (excluding sensitive personal information) or sensitive personal information of less than 10,000 individuals out of China since Jan. 1 of the year, may opt to undergo the personal information protection certification conducted by specialized institutions according to the requirements of the CAC ("Protection Certification").

Exemption. According to the New Provisions, data processors that meet at least one of the following exemption conditions ("Exemption Condition") do not need to take any of the three routes mentioned above:

  • Export of personal information generated and collected outside China after they are processed within China, without involving any personal information or Important Data generated or collected domestically in China;
  • Export of personal information that is necessary for the conclusion or performance of a contract to which the personal information subject is a party, such as cross-border shopping, shipping, remittance, account opening, flight ticket and hotel bookings, visa applications, examination services, etc.;
  • Export of employees' personal information that is necessary for purposes of implementing cross-border human resource management according to the legally-formulated internal labor policies or legally-signed collective labor contracts;
  • Export of personal information that is necessary for purposes of protecting individuals' life, health, or property security in emergency situations; or
  • Export of personal information by data processors other than CIIOs that have cumulatively transferred personal information of no more than 100,000 individuals (excluding sensitive personal information) out of China since Jan. 1 of the current year.

2. What are the regulatory requirements for transferring employees' personal information collected in China to overseas affiliates for centralized human resource administration?

No pre-procedure (i.e., Security Assessment, Standard Contract or Protection Certification) is required for the transfer of employees' information collected in China to overseas affiliates, as long as such transfer is necessary for purposes of implementing cross-border human resource management according to the legally-formulated internal labor policies or legally-signed collective labor contracts.

Nevertheless, the New Provisions has been silent on the criteria in determining whether a cross-border transfer is necessary or not. In our view, the "necessary" criteria should be a relatively subjective call – from employer's perspective, if the cross-border transfer of employees' certain type of personal information can be reasonably justified for achieving a specific purpose clearly stated in the abovementioned internal labor policies or collective labor contracts, the transfer may be deemed "necessary" under the New Provisions.

Further, many may have a false sense that the exemptions proposed by the New Provisions has lifted the requirements of conducting a personal information protection impact assessment (the "PI Assessment"). This is not true. PIA Assessment is to evaluate (i) if the cross-border transfer of personal information is legal and necessary; (ii) if the protective measures adopted are legal, effective, and match the risks; and (iii) the impacts on the rights and interests of relevant data subjects, etc. Data processors eligible for the Exemption Conditions should still conduct PIA assessment but will no longer be required to submit the PI Assessment reports to the local authorities for filing or approval.

3. Which party is to undertake compliance obligations in the scenario where overseas affiliates directly provide services to and collect data from Chinese domestic customers?

Neither overseas affiliates nor the Chinese subsidiaries will be deemed as to undertake compliance obligations of the PI Exporters under the PIPL when the overseas affiliates directly provide services to and collect data from domestic customers.

To be more specific, some MNCs may choose to set up a subsidiary in China for the purpose of market promotion and/or customer retaining. In case a Chinese customer (could be either an individual user or a company customer) subscribes the services, it is the foreign headquarter (or another foreign entity) rather than the Chinese subsidiary, that would be providing the services (e.g., cloud services) to the Chinese customers directly. In this scenario, the foreign entity would directly collect personal information from the Chinese customers so as to provide the subscribed services, though the Chinese customers may have entered services contracts with the Chinese subsidiary.

The PIPL defines "personal information processor" as the entity or individual who on its own decides for what purpose and how the personal information would be processed in personal information processing activities. As the Chinese subsidiary neither provides the services nor collects, stores, otherwise processes the personal information provided by the Chinese customers, the Chinese subsidiary would not be deemed a personal information processor under the PIPL. In this connection, the issue is which party, as the PI Exporter, is to undertake the compliance obligations of cross-border data transfer – it really depends on if the Chinese customer is a data subject or a personal information processor:

  • If the Chinese customer is an individual user who directly transfers his/her own personal information to abroad: in this case, the Chinese customer is not a personal information processor under the PIPL and the compliance requirements thereunder would not be applicable;
  • If the Chinese customer is a personal information processor who process the personal information of others: in this case, the Chinese customer as the PI Exporter shall undertake the compliance obligations pertaining to cross-border transfer of personal information.

4. Does the personal information processor need to enter into the Standard Contract or undergo the Protection Certification for occasional cross-border transfer of personal information?

No Standard Contract or Protection Certification is required, as long as the occasional cross-border transfer of personal information meet at least one of the following Exemption Conditions as described in Question 1 (Articles 4 and 5 of the New Provisions):

  • The personal information to be exported was generated and collected outside China, without involving any personal information or Important Data generated or collected domestically in China;
  • Export of the personal information that is necessary for the conclusion or performance of a contract to which the personal information subject is a party, such as cross-border shopping, shipping, remittance, account opening, flight ticket and hotel bookings, visa applications, examination services, etc.;
  • Export of employees' personal information that is necessary for purposes of implementing cross-border human resource management according to the legally-formulated internal labor policies or legally-signed collective labor contracts;
  • Export of personal information that is necessary for purposes of protecting individuals' life, health, or property security in emergency situations; or
  • Export of personal information by data processors other than CIIOs that have cumulatively transferred personal information of no more than 100,000 individuals (excluding sensitive personal information) out of China since Jan. 1 of the current year.

5. Are personal information processors of more than one million individuals required to conduct the Security Assessment?

According to the Measures on Security Assessments of Cross-border Data Transfers (the "Security Assessment Measures"), a personal information processor who has processed personal information of one million people shall first pass the Security Assessment before transferring personal information to abroad. This requirement generally focuses on large-scale internet platforms processing a great amount of personal information in China. In this connection, even only one small amount of personal information is to be transferred abroad, such processors shall file for Security Assessment. Theoretically speaking, a personal information processor may eventually meet the "one million people" threshold if it continues to collect and process personal information over years. And it is quite burdensome for a personal information processor to undergo Security Assessment upon exceeding the said threshold even if only one piece of personal information is to be exported. This compliance requirement does cause confusion among domestic PI Exporters.

The New Provisions aim to fix this problem. According to the New Provisions, when transferring data to aboard, personal information processors are required to conduct the Security Assessment only if one of the following conditions is triggered:

  • These personal information processors seek to transfer Important Data to abroad;
  • These personal information processors are also deemed as CIIOs and seek to transfer personal information to abroad; or
  • These personal information processors have cumulatively transferred personal information of more than one million individuals (excluding sensitive personal information) or sensitive personal information of more than 10,000 individuals out of China since Jan. 1 of the current year.

In other words, the threshold of "one million individuals" should be calculated from Jan.1 of each year instead of "day one" of processing personal information.

6. Will Security Assessment be required if a data processor exports data that is not clearly defined as Important Data?

Data processors are not required to apply for the Security Assessment if the exported data has not been notified or published as Important Data by relevant authorities or regions. (Article 2 of the New Provisions)

To be more specific, according to the Measures for Security Assessment of Outbound Data Transfers, which was issued by the CAC on July 7, 2022 and took effect on the September 1, 2022, "Important Data" refers to data that may jeopardize national security, economic operation, social stability, public health and safety if it is tampered with, damaged, leaked, or illegally accessed or illegally utilized. In case the data processed by a data processor falls within the scope of Important Data, the data processor would be required to comply with the applicable requirements relating to Important Data under the PRC law. For example, a processor will be required to file for the Security Assessment if the processor is intending to export Important Data to abroad, without regard to the amount of Important Data to be exported

However, the definitive scope of Important Data is yet to be clearly defined by law. According to the Data Security Law of China, the regional and industry authorities shall formulate specific catalogues of Important Data for their relevant regions and industries. By far, the regional and industry authorities have been mulling over the formulation of the catalogues of Important Data, except in the automobile industry - in August of 2021, the CAC, the Ministry of Transport of China and several other ministries of the PRC jointly issued the Several Provisions on the Security Management of Automobile Data (Trial) (the "Automobile Data Provisions"). Article 3 of the Automobile Data Provisions fleshes out the scope of Important Data in the automotive industry. For other industries and regions, the scope of Important Data remains unclear.

On March 15, 2024, the Chinese authorities released the recommended national standard Information Security Technology – Rules for Data Classification and Grading (the "Data Standard"), which will take effect on October 1, 2024. The Data Standard provides some criteria and guidance on identifying Important Data, aiming to add some clarity on the complicated rules regulating Important Data regime.

The New Provisions effectively reduces the burden on the data processors, and according to Article 2 of the New Provisions, the data processors are not required to apply for the Security Assessment if the exported data has not been notified or published as Important Data by the authorities in relevant regions and industries.

7. What are the compliance requirements for exporting personal information collected outside China?

The export of personal information collected or generated outside China and subsequently processed within China is not subject to the Security Assessment, Standard Contract or Protection Certification. (Article 4 of the New Provisions)

In reality, many Chinese companies may provide services outside China, with their overseas affiliates directly collecting personal information outside China and then transferring the personal information back to a server located in China for storage. Every time the overseas affiliate accesses or processes the personal information stored in China, the server in China provides the personal information to the overseas affiliate. In this case, the export activity will no longer trigger the requirement for the Security Assessment, Standard Contract or Protection Certification under the New Provisions.

8. How long is the Security Assessment valid for?

The result of the Security Assessment would be valid for three years, calculated from the date of issuance of the result. Upon the expiration of the validity period, if the cross-border data transfer still needs to continue and no incidents requiring the re-application of the Security Assessment occur, the data processor may, within 60 business days prior to the expiration of the validity period, apply for an extension for the Security Assessment through the CAC's local branch at provincial level. Upon approval by the national CAC, the validity period of the result of the Security Assessment can be extended for additional three years. (Article 9 of the New Provisions)

9. How should the data processors deal with the Security Assessment or the Standard Contract completed or in the process before the implementation of the New Provisions?

For data export activities that have passed the Security Assessment before the implementation of the New Provisions, the data processors may continue to transfer the data to aboard in accordance with the Security Assessment.

For data export activities that have not passed or partially failed the Security Assessment before the implementation of the New Provisions and are now exempted from the Security Assessment in accordance with the New Provisions, the data processors may transfer the data to aboard by undergoing either the Standard Contract procedure or the Protection Certification procedure.

If a data processor has already applied for the Security Assessment or the Standard Contract filing prior to the implementation of the New Provisions, and is now not required to carry out these procedures in accordance with the New Provisions, the data processor may continue to proceed with the original procedure, or withdraw the application for the Security Assessment or the Standard Contract filing. (Press conference regarding the New Provisions dated March 22, 2024)

Back to Top

VI. More Commentaries

Back to Top


Copyright © LexisNexis, a division of Reed Elsevier Inc. All rights reserved.