Products
By Use Cases By Roles
Data Command Center
View
Learn more

AI Security & Governance

Discover, assess, and safeguard AI usage

Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle

Learn more

Compliance Management

Automate Compliance with Global AI and Data Frameworks using Common Controls and Tests
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

AI Security & Governance

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

AI Security & Governance

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View

AI Security & Governance

View

Compliance Management

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Knowledge Center » Data Privacy Automation

China’s Renewed Cross-Border Data Transfer Regime

By Aman Rehan | Reviewed By Muhammad Faisal Sattar

Published April 4, 2024

Introduction

China, being one of the most populous countries in the world, is considered a highly attractive data source. However, its cross-border data transfer (CBDT) regime was considered to be strict and rigid, facing criticisms regarding compliance burdens. On 22 March 2024, the Cyberspace Administration of China (CAC) enacted the Regulations on Promoting and Regulating Cross-Border Data Flows (the Regulations). The main aim of the provisions is to introduce relaxations from the previous CBDT regime. More notably, according to a circular published by the State Council entitled “Action Plan for Solidly Promoting High-Level Opening Up and Attracting and Utilizing Foreign Investment More Aggressively,” the Chinese government is working toward greater foreign investment. The proposed measures included support for data flows between foreign companies and their overseas headquarters, in particular with respect to research, development, production and sales.

The CAC has also issued the second edition of guidelines for filing standard contracts and for filing applications for security assessment with the CAC, and a press release entitled “Answers to Reporters’ Questions” containing additional explanation of the new rules. These rules supersede any previous provisions related to the CBDT regime in China to the extent of any inconsistency.

China’s Existing Cross-Border Data Transfer Regime

As mentioned in Article 1 of the Regulations, the Regulations are formulated to implement the CBDT system in China, comprised of the following three compliance requirements for entities:

Data export security assessment.
Personal information export standard contractual clauses (SCCs).
Personal information protection certification (certification).

Another layer of complexity to the CBDT regime arises due to different requirements for the following:

Critical information infrastructure operators (CIIO) and non-critical information infrastructure operators (non-CII). CIIOs are defined by Chinese laws and regulations and include service providers in industries such as communication, energy, transport, water, finance, public services, E-government services, and national defense.
Processing important data and different volume thresholds of processing of personal information..

To provide further context to the Regulations, it is important to first delve into the overarching CBDT regime in China. It is comprised of the following three laws and ancillary regulations:

Chinese Personal Information Protection Law (PIPL).
Data Security Law (DSL).
Cybersecurity Law (CSL).

The following are some important definitions with regard to the CBDT regime:

Important Data: refers to data that, if tampered with, may endanger national security, economic operations, social stability, and public health and safety. Examples: Geographic data, infrastructure data, energy sources related data, network and network security data, statistical analysis data, military and defense-related data, cutting-edge technology, industry data. Catalogs of important data will be formulated for each industry.
Critical information infrastructure: refers to infrastructure and facilities that, once compromised, may seriously endanger national security, national economy and people's livelihood, and public interests. These include industries and fields such as energy, transportation, and national defense.
Personal information (PI): refers to information related to an identified or identifiable natural person recorded electronically or by other means, but it does not include anonymized information. Additionally, the term “processing” includes personal information collection, storage, use, processing, transmission, provision, disclosure, and deletion, among other things.
Sensitive personal information (SPI): is PI that, once leaked or illegally used, may harm the personal dignity of a natural person or endanger his personal safety or property. SPI includes information such as biometrics, religious belief, specific identity, medical health status, financial accounts, and the person's whereabouts, as well as the personal information of a minor under the age of 14 years. The processing of sensitive personal information can only occur when there is a specific purpose and when it is of necessity, under the circumstances where strict protective measures are taken.

Analysis of the Relaxations Introduced by the Regulations

The following table provides a comparative analysis of the relaxations introduced by the new CBDT regime.

CBDT Requirement	Old Regime	New Regime	Insight
Exemptions	No Volume related exemptions: organizations exporting any amount of PI were required to fulfill one of the prescribed data transfer mechanisms.	Volume Exemptions: No export mechanism required for a PI handler that, since January 1 of the current year, has exported PI of less than 100,000 individuals, given that such data do not contain any SPI. Category exemptions (explained in more detail below): (i) signing or performing contracts for cross-border shopping, transportation, bank account opening, payment, hotel booking, visa application, and exam services. (ii) cross-border HR management according to applicable labor rules or collective employment contracts. (iii) Emergency for protecting life and assets.	The exemption from compliance with the various regulatory filing and related requirements of the CBDT regime for companies that export only small volumes of PI is particularly welcome. Even with category exemptions, organizations are still required to fulfill pre-transfer requirements as prescribed under PIPL. The category exemptions allow for ease of compliance with certain categories of data processing, such as routine performance of the contracts specified. The HR management exemption will be very helpful in many day-to-day scenarios for MNCs. It should be noted that the exemptions exclude prospective employees/job applicants, and there is significant ambiguity regarding whether sensitive employee data, such as bank account information or health data, can be transferred abroad without triggering the CBDT legal mechanisms. This may be further clarified in subsequent guidelines issued by the CAC.
Security Assessment	Export of PI by a CIIO.	Export of PI by a CIIO.	No change.
	Export of PI by a PI handler that, since January 1 of the previous year, has already exported (i) PI of 100,000 or more individuals or (ii) sensitive PI of 10,000 or more individuals	Export of PI by a PI handler that, since January 1 of the current year, has already exported (i) PI of more than one million individuals or (ii) sensitive PI of more than 10,000 individuals	This is a welcome change for companies that export only small volumes of PI. It is important to note that these relaxed thresholds only apply to data handlers who are not classified as critical infrastructure information (CII) operators. The CII designation will be determined by regulators, therefore, a data handler can assume it is not a CII operator unless notified otherwise.
	Export of important data	Export of important data that has clearly been identified as important data pursuant to published rules or notice of the relevant sectoral or regional regulator.	Clarity is provided regarding the classification of data as important data as it is expressly stated that data (other than PI) that has not yet clearly been identified as important data may be exported without complying with the CBDT regime. It is still important for data exporters to closely monitor the fast-evolving landscape relevant to important data. Companies are still mandated by the CBDT regime to take certain self-regulating compliance steps by performing data mapping and identifying and reporting important data in accordance with relevant regulations. As of today, the identification of important data and its formulation into a catalog are still at the preliminary stage. The implementation of the Regulations will assist in improving important data management systems.
	Validity up to 2 years.	Validity up to 3 years.	The procedural burden for companies has been reduced by the increased validity period.
SCCs / Certification	A PI handler may opt for SCCs filing or the certification mechanism when a security assessment is not triggered.	Export of PI by a PI handler that, since January 1 of the current year, has already exported: (i) PI of between 100,000 and one million individuals; or (ii) sensitive PI of less than 10,000 individuals A PI handler meeting this criterion may opt to comply with either the SCCs filing or the certification mechanism	The threshold for opting for SCCs or the certification requirement has been specified and reduced. This will make compliance easier for organizations. Despite the relaxed requirements noted above, the CBDT Regulations emphasize data compliance, including the pre-transfer requirements in accordance with applicable laws and regulations: notifying the data subjects; obtaining separate consent; Conducting data transfer impact assessment; and ensuring data security, in accordance with applicable laws and regulations. Therefore, routine data compliance remains unchanged.
Negative Lists	None	A Free Trade Zone (FTZ) may formulate its own negative list of data that is subject to data export mechanisms upon completing certain approval and filing procedures.	This will promote greater economic activity within the specified free trade zones and ease compliance for companies due to no filing or application formality with the CAC. The FTZs in Tianjin, Beijing and Shanghai have already introduced regulations that stipulate relaxed compliance requirements for CBDT. Organizations should stay vigilant on any subsequent negative lists being published by relevant FTZs.

Detailed Understanding of Exemptions from CBDT Mechanisms

The Regulations provide six cases for an exemption from CBDT mechanisms (security assessment for cross-border transfer of data, to conclude a standard contract for outbound transfer of personal information, or to perform a personal information protection certification) to apply:

Where data (excluding personal information or important data) is exported, which is collected or generated during activities like international trading, cross-border transportation, academic cooperation, cross-border production and manufacturing, marketing, and promotion, etc., or
Where PI is collected overseas, transferred to and processed in China, and is again exported without adding personal information or important data generated in China during the data processing, or
Where PI must be exported to conclude and perform a contract for an individual as a party, such as cross-border shopping, mail, remittance, payment, account opening, as well as air ticket and hotel reservations, visa applications, exam services, etc., or
Where it is necessary to export PI of internal employees to implement human resources management, and this happens in accordance with the labor rules and regulations and the collective contracts signed according to law, or
Where it is necessary to export PI to protect the life, health, or property of natural persons in case of an emergency, or
Where a data processor (non-CIIO) exports personal information abroad (excluding sensitive personal information) of less than 100,000 individuals as of 1 January of the current year.

An important clarification is provided in Article 4 of the Regulations: personal information originally collected and generated outside of China, and then transferred into China for processing is exempted from a security assessment, as well as the signing and filing of a standard contract, provided that no domestic personal information or important data is introduced during the processing.

Cross-border data flow subject to standard contract or certification

Where a data processor (non-CIIO) transfers PI abroad of 100,000 individuals or more but less than 1 million individuals or SPI of less than 10,000 individuals as of 1 January of the current year, the transferor and transferee must either:

conclude and file SCCs for outbound transfer of personal information with the CAC, or
complete a personal information protection certification and apply at the designated website and with the qualified certification institute.

Additionally, a PIPIA and other documentation need to be submitted to the CAC. The process may have to be repeated or modified in case of any change in data processing activities or circumstances for the CBDT. The certification is valid for three years and renewable upon the fulfillment of the supervision requirements.

Negative Lists - FTZs

The FTZs may prescribe local preferential policies for companies within their respective jurisdictions. Therefore, they may develop their own negative lists for data transfer, setting out data that are subject to the cross-border security assessment, conclusion and filing of SCCs for outbound transfer of personal information, or personal information protection certification. If data is not mentioned in the negative list, it can be freely exported without any filing or application formality with CAC.

Identification of important data

The Regulations obligate data processors to identify and report their “important data” in case the data has been notified or identified by the relevant regulations. Thus, in the absence of regulations defining important data, a data processor need not conduct a security assessment for the cross-border data transfer. The DSL provides that all regions and departments shall determine the specific catalog of important data for their respective regions and departments and relevant industries and fields. More specifically, Article 21 of the DSL provides that the government of China will establish a hierarchical data classification management and data protection system focused on the importance of different types of data to the national economy, national security, and public interest.

Updated security assessment guide and standard contract guide

According to the updated security assessment guide and standard contract guide, an official website is provided as an official online channel for SCC filing and security assessments. Of specific interest to foreign entities is the clarification that the processing of personal information of domestic natural persons by overseas entities is also a cross-border transfer of PI. This may be the case where overseas entities collect personal information from China either for the purpose of provision of products or services to domestic natural persons or when they analyze and evaluate the activities of domestic natural persons. Therefore, overseas entities must establish a special agency or designate a representative in China according to Article 53 of the PIPL to fulfill the personal information protection compliance requirements under Chinese laws and regulations.

Organizational Compliance for CBDT

It is widely acknowledged that with the introduction of the Regulations, the CBDT regime in China has been significantly relaxed. However, this does not constitute a complete relaxation from CBDT mechanisms even if a CBDT activity falls within an exempted scenario or outside the stipulated volume thresholds for PI or SPI transfer. The following are key compliance considerations for organizations:

In case exemptions apply:

Ensure the following pre-transfer requirements:

Obtain separate, informed, and explicit consent of the individual whose personal information is being transferred.
Carry out a Personal Information Protection Impact Assessment before they can initiate the process of transferring personal information out of China. This should include legitimacy, the necessity of the purpose, scope, impact on individuals’ rights and interests, security risks, and security measures.
Adequately inform the users whose personal information is to be transferred about the potential transfer with information regarding the name of the overseas recipient, contact information, purpose and method of processing, type of personal information and how they can exercise their data rights against the recipient.

It is also important to ensure documentation to show compliance incase of any enforcement actions against non-compliance imposed by Chinese authorities.

In case any of the CBDT mechanisms apply:

Ensure the above pre-transfer requirements are fulfilled.
Review and update existing privacy notices, consent policies, labor contracts, employee handbooks and data protection policy documents.
If the organization is located in the FTZ, the negative list should be monitored to avail exemptions.
Ensure routine efforts with regard to data protection and data security.
Conduct regular compliance training for employees to ensure risk prevention awareness.

For ease of compliance, please refer to the decision tree below:

China’s Renewed Cross-Border Data Transfer Regime

Introduction

China’s Existing Cross-Border Data Transfer Regime

Analysis of the Relaxations Introduced by the Regulations

Detailed Understanding of Exemptions from CBDT Mechanisms

Organizational Compliance for CBDT

More Stories that May Interest You

Newsletter

Company

Resources

Terms

Get in touch

China’s Renewed Cross-Border Data Transfer Regime

Introduction

China’s Existing Cross-Border Data Transfer Regime

Analysis of the Relaxations Introduced by the Regulations

​Detailed Understanding of Exemptions from CBDT Mechanisms

Organizational Compliance for CBDT

Join Our Newsletter

Share

More Stories that May Interest You

China’s New Measures on the Administration of Internet Advertising: Basics To Know

An Overview of Thailand’s Cross-Border Data Transfer Regime

China’s Regulation on Protection of Minors in Cyberspace

Newsletter

Company

Resources

Terms

Get in touch

What'sNew

Detailed Understanding of Exemptions from CBDT Mechanisms

What's
New