The Cyberspace Administration of China (CAC) has issued the long-waited Provisions on Facilitating and Standardising Cross-Border Data Flow. This signals a moderate relaxation of the country’s stringent control over cross-border data transfer (CBDT) activities.
The move, effective from 22 March 2024, comes as a positive step following the promulgation of the Personal Information Protection Law in 2021, and the implementation of CBDT security assessment and China Standard Contract for Cross-Border Transfer of Personal Information from late 2022.
As background, the CAC released the draft rules for public comment six months earlier, responding to concerns and complaints raised by many companies operating in China, especially those with foreign investment. The main bones of contention were sweeping and onerous obligations on outbound data provision/CBDT, and the lengthy and opaque administrative formalities and processes for CDBT security assessment applications.
As expected, the draft rules were finalised by the CAC before the end of November 2023. However, presumably due to controversies around policy orientation towards regulation and relaxation of CBDT activities, the finalised rules were not published until recently.
What data is regulated?
The new rules and CAC’s official responses to the press reiterate that the secure administration of CBDT activities only apply to two categories of data: personal information and important data.
Other data is not be subject to any of the following requirements of CBDT formality:
- Application for a CBDT security assessment;
- Conclusion and filing of a standard contract for personal information export; and
- Application for a personal information protection certification.
Uncertainty around the exact scope of “important data” has been puzzling companies operating in China for some time. The good news brought by the new rules is that unless certain data has either been clearly identified by competent governmental authorities as important data, or falls into any published catalogues of important data, a data processor may treat that data as being non-important.
Specified exemptions
There are no exemptions for important data. Each data processor in China must pass a security assessment and obtain clearance from both of the provincial and central offices of the CAC, as long as any important data needs to be exported.
In terms of export of personal information, an information processor in China would be exempted in any of the following scenarios.
Exemption for data-in-transit. The exported personal information is limited to personal information collected and generated outside China and transmitted into China for domestic processing, during which no personal information or important data collected or generated within China is incorporated into the exported personal information. In other words, the pure storage of overseas personal information in China, or the transit of overseas personal information through China, can be exempted.
Contracting exemption. The data processor exports personal information where it is necessary for concluding or performing a contract to which the individual is a party. These purposes include cross-border shopping, cross-border posting and delivery, cross-border fund remittance, cross-border payment, cross-border account opening, air ticket ad hotel booking, visa applications, examination services and the like.
HR management exemption. The data processor exports employees’ personal information where it is necessary for implementing cross-border human resources management in accordance with labour rules and policies formulated in accordance with laws, and for collective contracts concluded in accordance with the law.
Emergency exemption. The data processor exports personal information where it is necessary for protecting the life, health and property safety of individuals under emergency conditions.
Small-scale data exporter exemption. The data processor is not a critical information infrastructure operator (CIIO) and it has exported non-sensitive personal information of less than 100,000 individuals since 1 January of the current year.
CIIOs are subject to more stringent requirements, such as localisation of personal information and important data; a security assessment is required for CIIO activities. To avoid uncertainty, the CAC clarified that deemed CIIOs will be notified by competent governmental authorities of their status as a CIIO. That means if a data processor has not received a clear and formal notification on its status as a CIIO, it can assume that it is not a CIIO.
Free-trade zones
Under the new rules, authorities in various free-trade zones in China have been empowered to issue their own negative lists to further ease CBDT activities within the national framework of data classification and grading. Therefore, for data processors in free-trade zones, only those CBDT activities that fall into the negative lists would be subject to the applicable formality requirements.
Local authorities in free-trade zones must obtain clearance from competent authorities at both provincial and central levels before their negative lists can be released to the public for implementation. For the time being, authorities in free-trade zones in Lingang, Shanghai and Tianjin are reported to be in the process of generating their negative lists. These are expected to be made available to the public in the near future.
Substantially raised thresholds
The CAC has substantially raised the thresholds of security assessments and for China SCC filings and certification. The changes will result in the exemption for more data processors from the security assessment requirement, or possibly even from all formal requirements.
Meanwhile, the CAC has provided some guidance – which is far from crystal clear – about how to calculate the number of individuals for the purpose of determining the applicability of the formality requirements.
- The counting period commences from 1 January of the most current year, until the date of the submission of the security assessment application. If the security assessment is not triggered and applicable, the authors believe that the ending date could be the date of the submission of the contracting filing or the certification application.
- A single individual should not be counted twice; that is, data processors should de-duplicate the individuals whose personal information is exported more than once.
- Individuals whose personal information is exported under those exempted scenarios (except for the small-scale data exporter exemption where the number of individuals is the decisive factor) can be carved out.
Other highlights
Under the new rules, the validity of a security assessment has been extended from two to three years, commencing from the date when the data processor receives the CAC’s final assessment. On application, and if no other circumstances have triggered a new security assessment, the validity period can be extended for an additional three years.
Recommendations
Data processors who have not taken any action to assess and fulfil the formality requirements should:
- Check their CBDT activities to determine whether they should comply with any formality requirements under the new rules; and
- Review their compliance with the statutory requirements for data processing and CBDT activities, and prepare the relevant personal information protection impact assessment reports, even if they conclude that they match one or more of the exempted scenarios.
Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice.
You can contact Baker McKenzie by e-mailing Howard Wu (Shanghai) at howard.wu@bakermckenzie.com
