China’s Renewed Cross-Border Data Transfer Regime

Introduction

China, being one of the most populous countries in the world, is considered a highly attractive data source. However, its cross-border data transfer (CBDT) regime was considered to be strict and rigid, facing criticisms regarding compliance burdens. On 22 March 2024, the Cyberspace Administration of China (CAC) enacted the Regulations on Promoting and Regulating Cross-Border Data Flows (the Regulations). The main aim of the provisions is to introduce relaxations from the previous CBDT regime. More notably, according to a circular published by the State Council entitled “Action Plan for Solidly Promoting High-Level Opening Up and Attracting and Utilizing Foreign Investment More Aggressively,” the Chinese government is working toward greater foreign investment. The proposed measures included support for data flows between foreign companies and their overseas headquarters, in particular with respect to research, development, production and sales.

The CAC has also issued the second edition of guidelines for filing standard contracts and for filing applications for security assessment with the CAC, and a press release entitled “Answers to Reporters’ Questions” containing additional explanation of the new rules. These rules supersede any previous provisions related to the CBDT regime in China to the extent of any inconsistency.

China’s Existing Cross-Border Data Transfer Regime

As mentioned in Article 1 of the Regulations, the Regulations are formulated to implement the CBDT system in China, comprised of the following three compliance requirements for entities:

• Data export security assessment.
• Personal information export standard contractual clauses (SCCs).
• Personal information protection certification (certification).

Another layer of complexity to the CBDT regime arises due to different requirements for the following:

1. Critical information infrastructure operators (CIIO) and non-critical information infrastructure operators (non-CII). CIIOs are defined by Chinese laws and regulations and include service providers in industries such as communication, energy, transport, water, finance, public services, E-government services, and national defense.
2. Processing important data and different volume thresholds of processing of personal information..

To provide further context to the Regulations, it is important to first delve into the overarching CBDT regime in China. It is comprised of the following three laws and ancillary regulations:

1. Chinese Personal Information Protection Law (PIPL).
2. Data Security Law (DSL).
3. Cybersecurity Law (CSL).

The following are some important definitions with regard to the CBDT regime:

1. Important Data: refers to data that, if tampered with, may endanger national security, economic operations, social stability, and public health and safety. Examples: Geographic data, infrastructure data, energy sources related data, network and network security data, statistical analysis data, military and defense-related data, cutting-edge technology, industry data. Catalogs of important data will be formulated for each industry.
2. Critical information infrastructure: refers to infrastructure and facilities that, once compromised, may seriously endanger national security, national economy and people's livelihood, and public interests. These include industries and fields such as energy, transportation, and national defense.
3. Personal information (PI): refers to information related to an identified or identifiable natural person recorded electronically or by other means, but it does not include anonymized information. Additionally, the term “processing” includes personal information collection, storage, use, processing, transmission, provision, disclosure, and deletion, among other things.
4. Sensitive personal information (SPI): is PI that, once leaked or illegally used, may harm the personal dignity of a natural person or endanger his personal safety or property. SPI includes information such as biometrics, religious belief, specific identity, medical health status, financial accounts, and the person's whereabouts, as well as the personal information of a minor under the age of 14 years. The processing of sensitive personal information can only occur when there is a specific purpose and when it is of necessity, under the circumstances where strict protective measures are taken.

Analysis of the Relaxations Introduced by the Regulations

The following table provides a comparative analysis of the relaxations introduced by the new CBDT regime.

​Detailed Understanding of Exemptions from CBDT Mechanisms

The Regulations provide six cases for an exemption from CBDT mechanisms (security assessment for cross-border transfer of data, to conclude a standard contract for outbound transfer of personal information, or to perform a personal information protection certification) to apply:

1. ​Where data (excluding personal information or important data) is exported, which is collected or generated during activities like international trading, cross-border transportation, academic cooperation, cross-border production and manufacturing, marketing, and promotion, etc., or
2. Where PI is collected overseas, transferred to and processed in China, and is again exported without adding personal information or important data generated in China during the data processing, or
3. Where PI must be exported to conclude and perform a contract for an individual as a party, such as cross-border shopping, mail, remittance, payment, account opening, as well as air ticket and hotel reservations, visa applications, exam services, etc., or
4. Where it is necessary to export PI of internal employees to implement human resources management, and this happens in accordance with the labor rules and regulations and the collective contracts signed according to law, or
5. Where it is necessary to export PI to protect the life, health, or property of natural persons in case of an emergency, or
6. ​Where a data processor (non-CIIO) exports personal information abroad (excluding sensitive personal information) of less than 100,000 individuals as of 1 January of the current year.

An important clarification is provided in Article 4 of the Regulations: personal information originally collected and generated outside of China, and then transferred into China for processing is exempted from a security assessment, as well as the signing and filing of a standard contract, provided that no domestic personal information or important data is introduced during the processing.

​Cross-border data flow subject to standard contract or certification​

Where a data processor (non-CIIO) transfers PI abroad of 100,000 individuals or more but less than 1 million individuals or SPI of less than 10,000 individuals as of 1 January of the current year, the transferor and transferee must either:

1. conclude and file SCCs for outbound transfer of personal information with the CAC, or
2. complete a personal information protection certification and apply at the designated website and with the qualified certification institute.

Additionally, a PIPIA and other documentation need to be submitted to the CAC. The process may have to be repeated or modified in case of any change in data processing activities or circumstances for the CBDT. The certification is valid for three years and renewable upon the fulfillment of the supervision requirements.

Negative Lists - FTZs

The FTZs may prescribe local preferential policies for companies within their respective jurisdictions. Therefore, they may develop their own negative lists for data transfer, setting out data that are subject to the cross-border security assessment, conclusion and filing of SCCs for outbound transfer of personal information, or personal information protection certification. If data is not mentioned in the negative list, it can be freely exported without any filing or application formality with CAC.

​Identification of important data​

The Regulations obligate data processors to identify and report their “important data” in case the data has been notified or identified by the relevant regulations. Thus, in the absence of regulations defining important data, a data processor need not conduct a security assessment for the cross-border data transfer. The DSL provides that all regions and departments shall determine the specific catalog of important data for their respective regions and departments and relevant industries and fields. More specifically, Article 21 of the DSL provides that the government of China will establish a hierarchical data classification management and data protection system focused on the importance of different types of data to the national economy, national security, and public interest.

​Updated security assessment guide and standard contract guide​

According to the updated security assessment guide and standard contract guide, an official website ​is provided as an official online channel for SCC filing and security assessments. Of specific interest to foreign entities is the clarification that the processing of personal information of domestic natural persons by overseas entities is also a cross-border transfer of PI. This may be the case where overseas entities collect personal information from China either for the purpose of provision of products or services to domestic natural persons or when they analyze and evaluate the activities of domestic natural persons. Therefore, overseas entities must establish a special agency or designate a representative in China according to Article 53 of the PIPL to fulfill the personal information protection compliance requirements under Chinese laws and regulations.

Organizational Compliance for CBDT

It is widely acknowledged that with the introduction of the Regulations, the CBDT regime in China has been significantly relaxed. However, this does not constitute a complete relaxation from CBDT mechanisms even if a CBDT activity falls within an exempted scenario or outside the stipulated volume thresholds for PI or SPI transfer.  The following are key compliance considerations for organizations:

In case exemptions apply:

Ensure the following pre-transfer requirements:

1. Obtain separate, informed, and explicit consent of the individual whose personal information is being transferred.
2. Carry out a Personal Information Protection Impact Assessment before they can initiate the process of transferring personal information out of China. This should include legitimacy, the necessity of the purpose, scope, impact on individuals’ rights and interests, security risks, and security measures.
3. Adequately inform the users whose personal information is to be transferred about the potential transfer with information regarding the name of the overseas recipient, contact information, purpose and method of processing, type of personal information and how they can exercise their data rights against the recipient.

It is also important to ensure documentation to show compliance incase of any enforcement actions against non-compliance imposed by Chinese authorities.

In case any of the CBDT mechanisms apply:

1. Ensure the above pre-transfer requirements are fulfilled.
2. Review and update existing privacy notices, consent policies, labor contracts, employee handbooks and data protection policy documents.
3. If the organization is located in the FTZ, the negative list should be monitored to avail exemptions.
4. Ensure routine efforts with regard to data protection and data security.
5. Conduct regular compliance training for employees to ensure risk prevention awareness.

For ease of compliance, please refer to the decision tree below: