Introduction
China, being one of the most populous countries in the world, is considered a highly attractive data source. However, its cross-border data transfer (CBDT) regime was considered to be strict and rigid, facing criticisms regarding compliance burdens. On 22 March 2024, the Cyberspace Administration of China (CAC) enacted the Regulations on Promoting and Regulating Cross-Border Data Flows (the Regulations). The main aim of the provisions is to introduce relaxations from the previous CBDT regime. More notably, according to a circular published by the State Council entitled “Action Plan for Solidly Promoting High-Level Opening Up and Attracting and Utilizing Foreign Investment More Aggressively,” the Chinese government is working toward greater foreign investment. The proposed measures included support for data flows between foreign companies and their overseas headquarters, in particular with respect to research, development, production and sales.
The CAC has also issued the second edition of guidelines for filing standard contracts and for filing applications for security assessment with the CAC, and a press release entitled “Answers to Reporters’ Questions” containing additional explanation of the new rules. These rules supersede any previous provisions related to the CBDT regime in China to the extent of any inconsistency.
China’s Existing Cross-Border Data Transfer Regime
As mentioned in Article 1 of the Regulations, the Regulations are formulated to implement the CBDT system in China, comprised of the following three compliance requirements for entities:
- Data export security assessment.
- Personal information export standard contractual clauses (SCCs).
- Personal information protection certification (certification).
Another layer of complexity to the CBDT regime arises due to different requirements for the following:
- Critical information infrastructure operators (CIIO) and non-critical information infrastructure operators (non-CII). CIIOs are defined by Chinese laws and regulations and include service providers in industries such as communication, energy, transport, water, finance, public services, E-government services, and national defense.
- Processing important data and different volume thresholds of processing of personal information..
To provide further context to the Regulations, it is important to first delve into the overarching CBDT regime in China. It is comprised of the following three laws and ancillary regulations:
- Chinese Personal Information Protection Law (PIPL).
- Data Security Law (DSL).
- Cybersecurity Law (CSL).
The following are some important definitions with regard to the CBDT regime:
- Important Data: refers to data that, if tampered with, may endanger national security, economic operations, social stability, and public health and safety. Examples: Geographic data, infrastructure data, energy sources related data, network and network security data, statistical analysis data, military and defense-related data, cutting-edge technology, industry data. Catalogs of important data will be formulated for each industry.
- Critical information infrastructure: refers to infrastructure and facilities that, once compromised, may seriously endanger national security, national economy and people's livelihood, and public interests. These include industries and fields such as energy, transportation, and national defense.
- Personal information (PI): refers to information related to an identified or identifiable natural person recorded electronically or by other means, but it does not include anonymized information. Additionally, the term “processing” includes personal information collection, storage, use, processing, transmission, provision, disclosure, and deletion, among other things.
- Sensitive personal information (SPI): is PI that, once leaked or illegally used, may harm the personal dignity of a natural person or endanger his personal safety or property. SPI includes information such as biometrics, religious belief, specific identity, medical health status, financial accounts, and the person's whereabouts, as well as the personal information of a minor under the age of 14 years. The processing of sensitive personal information can only occur when there is a specific purpose and when it is of necessity, under the circumstances where strict protective measures are taken.
Analysis of the Relaxations Introduced by the Regulations
The following table provides a comparative analysis of the relaxations introduced by the new CBDT regime.
| CBDT Requirement |
Old Regime |
New Regime |
Insight |
| Exemptions |
No Volume related exemptions: organizations exporting any amount of PI were required to fulfill one of the prescribed data transfer mechanisms. |
Volume Exemptions:
No export mechanism required for a PI handler that, since January 1 of the current year, has exported PI of less than 100,000 individuals, given that such data do not contain any SPI.
Category exemptions (explained in more detail below):
(i) signing or performing contracts for cross-border shopping, transportation, bank account opening, payment, hotel booking, visa application, and exam services.
(ii) cross-border HR management according to applicable labor rules or collective employment contracts.
(iii) Emergency for protecting life and assets.
|
The exemption from compliance with the various regulatory filing and related requirements of the CBDT regime for companies that export only small volumes of PI is particularly welcome.
Even with category exemptions, organizations are still required to fulfill pre-transfer requirements as prescribed under PIPL.
The category exemptions allow for ease of compliance with certain categories of data processing, such as routine performance of the contracts specified.
The HR management exemption will be very helpful in many day-to-day scenarios for MNCs.
It should be noted that the exemptions exclude prospective employees/job applicants, and there is significant ambiguity regarding whether sensitive employee data, such as bank account information or health data, can be transferred abroad without triggering the CBDT legal mechanisms. This may be further clarified in subsequent guidelines issued by the CAC.
|
| Security Assessment |
Export of PI by a CIIO. |
Export of PI by a CIIO. |
No change. |
| Export of PI by a PI handler that, since January 1 of the previous year, has already exported
(i) PI of 100,000 or more individuals or
(ii) sensitive PI of 10,000 or more individuals
|
Export of PI by a PI handler that, since January 1 of the current year, has already exported
(i) PI of more than one million individuals or
(ii) sensitive PI of more than 10,000 individuals
|
This is a welcome change for companies that export only small volumes of PI.
It is important to note that these relaxed thresholds only apply to data handlers who are not classified as critical infrastructure information (CII) operators. The CII designation will be determined by regulators, therefore, a data handler can assume it is not a CII operator unless notified otherwise.
|
| Export of important data |
Export of important data that has clearly been identified as important data pursuant to published rules or notice of the relevant sectoral or regional regulator. |
Clarity is provided regarding the classification of data as important data as it is expressly stated that data (other than PI) that has not yet clearly been identified as important data may be exported without complying with the CBDT regime. It is still important for data exporters to closely monitor the fast-evolving landscape relevant to important data.
Companies are still mandated by the CBDT regime to take certain self-regulating compliance steps by performing data mapping and identifying and reporting important data in accordance with relevant regulations. As of today, the identification of important data and its formulation into a catalog are still at the preliminary stage. The implementation of the Regulations will assist in improving important data management systems.
|
| Validity up to 2 years. |
Validity up to 3 years. |
The procedural burden for companies has been reduced by the increased validity period. |
| SCCs / Certification |
A PI handler may opt for SCCs filing or the certification mechanism when a security assessment is not triggered. |
Export of PI by a PI handler that, since January 1 of the current year, has already exported:
(i) PI of between 100,000 and one million individuals; or
(ii) sensitive PI of less than 10,000 individuals
A PI handler meeting this criterion may opt to comply with either the SCCs filing or the certification mechanism
|
The threshold for opting for SCCs or the certification requirement has been specified and reduced. This will make compliance easier for organizations.
Despite the relaxed requirements noted above, the CBDT Regulations emphasize data compliance, including the pre-transfer requirements in accordance with applicable laws and regulations:
- notifying the data subjects;
- obtaining separate consent;
- Conducting data transfer impact assessment; and
- ensuring data security, in accordance with applicable laws and regulations.
Therefore, routine data compliance remains unchanged.
|
| Negative Lists |
None |
A Free Trade Zone (FTZ) may formulate its own negative list of data that is subject to data export mechanisms upon completing certain approval and filing procedures. |
This will promote greater economic activity within the specified free trade zones and ease compliance for companies due to no filing or application formality with the CAC.
The FTZs in Tianjin, Beijing and Shanghai have already introduced regulations that stipulate relaxed compliance requirements for CBDT. Organizations should stay vigilant on any subsequent negative lists being published by relevant FTZs.
|
Detailed Understanding of Exemptions from CBDT Mechanisms
The Regulations provide six cases for an exemption from CBDT mechanisms (security assessment for cross-border transfer of data, to conclude a standard contract for outbound transfer of personal information, or to perform a personal information protection certification) to apply:
- Where data (excluding personal information or important data) is exported, which is collected or generated during activities like international trading, cross-border transportation, academic cooperation, cross-border production and manufacturing, marketing, and promotion, etc., or
- Where PI is collected overseas, transferred to and processed in China, and is again exported without adding personal information or important data generated in China during the data processing, or
- Where PI must be exported to conclude and perform a contract for an individual as a party, such as cross-border shopping, mail, remittance, payment, account opening, as well as air ticket and hotel reservations, visa applications, exam services, etc., or
- Where it is necessary to export PI of internal employees to implement human resources management, and this happens in accordance with the labor rules and regulations and the collective contracts signed according to law, or
- Where it is necessary to export PI to protect the life, health, or property of natural persons in case of an emergency, or
- Where a data processor (non-CIIO) exports personal information abroad (excluding sensitive personal information) of less than 100,000 individuals as of 1 January of the current year.
An important clarification is provided in Article 4 of the Regulations: personal information originally collected and generated outside of China, and then transferred into China for processing is exempted from a security assessment, as well as the signing and filing of a standard contract, provided that no domestic personal information or important data is introduced during the processing.
Cross-border data flow subject to standard contract or certification
Where a data processor (non-CIIO) transfers PI abroad of 100,000 individuals or more but less than 1 million individuals or SPI of less than 10,000 individuals as of 1 January of the current year, the transferor and transferee must either:
- conclude and file SCCs for outbound transfer of personal information with the CAC, or
- complete a personal information protection certification and apply at the designated website and with the qualified certification institute.
Additionally, a PIPIA and other documentation need to be submitted to the CAC. The process may have to be repeated or modified in case of any change in data processing activities or circumstances for the CBDT. The certification is valid for three years and renewable upon the fulfillment of the supervision requirements.
Negative Lists - FTZs
The FTZs may prescribe local preferential policies for companies within their respective jurisdictions. Therefore, they may develop their own negative lists for data transfer, setting out data that are subject to the cross-border security assessment, conclusion and filing of SCCs for outbound transfer of personal information, or personal information protection certification. If data is not mentioned in the negative list, it can be freely exported without any filing or application formality with CAC.
Identification of important data
The Regulations obligate data processors to identify and report their “important data” in case the data has been notified or identified by the relevant regulations. Thus, in the absence of regulations defining important data, a data processor need not conduct a security assessment for the cross-border data transfer. The DSL provides that all regions and departments shall determine the specific catalog of important data for their respective regions and departments and relevant industries and fields. More specifically, Article 21 of the DSL provides that the government of China will establish a hierarchical data classification management and data protection system focused on the importance of different types of data to the national economy, national security, and public interest.
Updated security assessment guide and standard contract guide
According to the updated security assessment guide and standard contract guide, an official website is provided as an official online channel for SCC filing and security assessments. Of specific interest to foreign entities is the clarification that the processing of personal information of domestic natural persons by overseas entities is also a cross-border transfer of PI. This may be the case where overseas entities collect personal information from China either for the purpose of provision of products or services to domestic natural persons or when they analyze and evaluate the activities of domestic natural persons. Therefore, overseas entities must establish a special agency or designate a representative in China according to Article 53 of the PIPL to fulfill the personal information protection compliance requirements under Chinese laws and regulations.
Organizational Compliance for CBDT
It is widely acknowledged that with the introduction of the Regulations, the CBDT regime in China has been significantly relaxed. However, this does not constitute a complete relaxation from CBDT mechanisms even if a CBDT activity falls within an exempted scenario or outside the stipulated volume thresholds for PI or SPI transfer. The following are key compliance considerations for organizations:
In case exemptions apply:
Ensure the following pre-transfer requirements:
- Obtain separate, informed, and explicit consent of the individual whose personal information is being transferred.
- Carry out a Personal Information Protection Impact Assessment before they can initiate the process of transferring personal information out of China. This should include legitimacy, the necessity of the purpose, scope, impact on individuals’ rights and interests, security risks, and security measures.
- Adequately inform the users whose personal information is to be transferred about the potential transfer with information regarding the name of the overseas recipient, contact information, purpose and method of processing, type of personal information and how they can exercise their data rights against the recipient.
It is also important to ensure documentation to show compliance incase of any enforcement actions against non-compliance imposed by Chinese authorities.
In case any of the CBDT mechanisms apply:
- Ensure the above pre-transfer requirements are fulfilled.
- Review and update existing privacy notices, consent policies, labor contracts, employee handbooks and data protection policy documents.
- If the organization is located in the FTZ, the negative list should be monitored to avail exemptions.
- Ensure routine efforts with regard to data protection and data security.
- Conduct regular compliance training for employees to ensure risk prevention awareness.
For ease of compliance, please refer to the decision tree below:
