Evolution, challenges in cross-border data regulation

By Calvin Peng, Dacheng Law Offices

The Regulations on Promoting and Standardising Cross-Border Data Flows (the regulations) were released on 22 March 2024. Since then, the development process of China’s cross-border data export regulation has gradually become clearer. However, there are still many challenges on the practical level. This article will provide a brief review and comprehensive analysis.

Development process

Relevant laws arrive on the scene. The Cybersecurity Law initially targeted only critical information infrastructure operators (CIIOs), with no supporting measures in place, resulting in minimal regulation on data exports. After four years, the Data Security Law and the Personal Information Protection Law came into effect, signalling the comprehensive introduction of disclosure, separate consent and personal information protection impact assessment, known as the “compliance trio”, and pre-procedures (applying one out of four options is sufficient) for the cross-border transfer of personal information.

Important data exports by non-CIIOs are now under supervision, although still in a phase characterised by significant anticipation but limited practical implementation.

Challenges in implementing the three regimes. Starting from July 2022, a series of supporting documents for the three regimes, from the Measures for Security Assessment for Cross-Border Data Transfers to the Implementation Rules for Personal Information Protection Certification and the Provisions on the Standard Contract for Export of Personal Information, were successively introduced. All stakeholders face the big test of data exports, with important data exporters, CIIOs and high-volume individual data exporters undergoing security assessments. Low-volume individual data exporters, meanwhile, must undergo a standard contractual clauses (SCC) filing. Additionally, in specific cross-border scenarios, exporters have the option to choose personal information protection certification. After more than a year of struggle, implementing the three regimes has proved to be extremely challenging.

An exploration of the data export regulations in the Greater Bay Area. In December 2023, the Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macau Greater Bay Area (Mainland, Hong Kong) were issued. With the failures in data export pilot zones in free-trade areas and the unsuccessful formulation of a low-risk data catalogue under the Regulations of Shanghai Municipality on Data, the Greater Bay Area (GBA) established a green channel for SCC filing for mainland China-Hong Kong data transfers. Although regional trials are timely, they fail to fully address the widespread concerns, highlighting the experimental nature of these endeavours.

New regulations finally land. The regulations’ draft version was published on 28 September. After nearly six months, the regulations finally came out on 22 March 2024.

On reviewing the regulations, several notable points emerge, including: the adoption of the “no complaint, no acceptance” principle for disputes involving important data; exemptions from pre-procedures for data exports in six specific scenarios; the redrawing of the thresholds for security assessment and for concluding a standard contract (SCC), with the number of people in the assessed year (100,000 and 1 million for outbound personal information, and 10,000 for outbound sensitive personal information) serving as the dividing line; and the possibility of a negative list (i.e. special administrative measure) for free-trade zones.

The regulations represent more than just a patch; they herald a new era for cross-border data flows. The regulations specify the circumstances in which security assessments are exempted for important data exports and for personal information exports by CIIOs, redefine the criteria for high-volume personal information processors and exempt pre-procedures in some scenarios. The separate consent requirement for outbound personal information may be loosened, but its specific implementation remains to be seen.

Outstanding issues

As the regulations are promulgated, practical scrutiny reveals numerous unresolved issues in cross-border data regulation. The following outlines some of these.

Boundaries of personal information. The Personal Information Protection Law defines the scope of personal information, but there is still a need to refine the criteria when determining whether specific information qualifies as personal information. The combination of identification and association criteria, along with the challenge of achieving effective anonymisation, has led to a significant expansion of the scope of personal information.

Definition of data collected domestically. The interpretation of “personal information collected and generated overseas” and “domestic personal information” in article 4 of the regulations requires further clarification. Disputes persist over whether “overseas direct collecting and server located overseas” fall under this definition.

Scope of exemption scenarios. Article 5 of the regulations stipulates four types of exemption scenarios, three involving determining whether it is “truly necessary to provide to overseas parties”. For “contracts to which an individual is a party”, does the personal information subject have to be the “contracting party” of the contract?

Relationship between SCC conclusion and filing. Article 8 of the regulations specifies the circumstances that require the conclusion of an SCC. The “Scope of Application” section of the Guidelines for the Filing of Standard Contract for Cross-border Transfer of Personal Information (second version) specifies the scenarios where filing is required after establishing SCCs. Does this imply the existence of scenarios where SCCs are established but filing is not necessary?

Method of data statistics. In the context of overseas access to domestic personal information, clarification is needed on how to tally the number of individuals in an assessed year. Should it be based on the number of individuals corresponding to the access permissions granted to overseas recipients, or should it be based on the actual number of individuals accessed? If the standard is based on “the number of individuals corresponding to access permissions”, should the count include only new additions or all individuals with access permissions from “1 January” of each assessed year?

Although challenges persist and concerns remain, a new era of cross-border data flows has formally arrived.


Calvin Peng is a partner at Dacheng Law Offices. He can be contacted by phone at +86 21 5878 8300 and by email at calvin.peng@dentons.cn.
