Key Takeaways:
On March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the Regulations on Promoting and Regulating Cross-border Data Transfers (the “New CBDT Regulations”), six months after the draft version (the “Draft Regulations”) was released for public comment on September 28, 2023. The New CBDT Regulations follow the same approach as the Draft Regulations, emphasizing orderly management together with appropriate relaxation, while also incorporating further adjustments drawn from practical experience in implementing data export security management.
1. The New CBDT Regulations have established specific scenarios where data export procedures are not required. These include data exports in international trade and cross-border transportation that do not involve personal information or important data. The regulations have also added exemptions for high-frequency data outbound activities, such as cross-border shopping, delivery, remittance and payment. Furthermore, the outbound transfer of employees’ personal information necessary for cross-border human resource management purposes is also exempt from data export procedures.
2. The thresholds for triggering the data export security assessment and the standard contract filing for personal information exports have been raised. (1) If the personal information of more than 1 million individuals, or the sensitive personal information of more than 10,000 individuals, is provided to overseas entities cumulatively within a year, a data export security assessment must be submitted. (2) If the personal information of more than 100,000 but fewer than 1 million individuals, or the sensitive personal information of fewer than 10,000 individuals, is provided to overseas entities cumulatively within a year, a standard contract for exporting personal information must be concluded or personal information protection certification obtained.
Compared to the Draft Regulations, the New CBDT Regulations have made several changes. Firstly, the export of sensitive personal information is treated as a separate standard for determining whether a government security assessment or filing is triggered, following the approach in the existing security assessment regulations. Secondly, the threshold for filing a standard contract has been raised from the export of the personal information of 10,000 individuals to 100,000 individuals. Thirdly, the method for calculating whether a threshold has been met has changed: previously the calculation was based on the projected number of individuals whose personal information would be exported in the upcoming year, whereas now it is based on the number accumulated in the current year of application. Fourthly, the validity period of a data export security assessment result has been extended from two years to three years and can be extended further upon application.
3. The obligation to submit a data export security assessment for important data applies only where the data has been identified as important data, either through a publicly released catalog or through official notification by the relevant departments or regions. If the data has not been notified or publicly released as important data by the relevant departments or regions, it is not necessary to report it as important data for a data export security assessment.
4. Free trade zones have the authority to issue a negative data list. The list specifies the categories of data exports that are subject to government security assessment, standard contract filing or certification. However, the list only applies to the data processors in the relevant free trade zones.
For companies that have not yet submitted security assessments or standard contract filing, it is necessary to determine whether an assessment, filing, or certification is required, and to apply for this in a timely manner. According to the CAC press conference, if a business has already applied for a security assessment or submitted a standard contract filing before the implementation of the New CBDT Regulations, but it is not required to undergo the procedures according to the New CBDT Regulations, the data processor can continue the original procedures or withdraw the application and filing from the provincial-level cyberspace administration where it is located. If an enterprise has not previously passed or only partially passed the security assessment, for data export activities that are exempted from the requirement of security assessment according to the New CBDT Regulations, the data processor can provide personal information to overseas entities through the conclusion of a standard contract or certification.
It is notable that the New CBDT Regulations still emphasize compliance requirements for data export activities. For instance, when exporting personal information, companies must fulfill requirements such as notification, obtaining separate consent, and conducting personal information protection impact assessments. For important data, data processors are required to identify and report important data in accordance with the relevant regulations. The regulations also emphasize the need to strengthen supervision throughout the entire business chain before, during, and after data export activities, and they clarify the reporting requirements for data security incidents occurring overseas. From a business management and compliance perspective, the first step for companies is to determine whether they are exempt or need to adjust their data export procedures. This does not, however, mean stepping outside the existing compliance framework and requirements. Instead, companies should continue to improve their compliance and implement measures to ensure compliance in relation to the cross-border transfer of personal information and important data.
Please find below our detailed analysis.
I. Analysis and interpretation of the key aspects of the New CBDT Regulations
The New CBDT Regulations comprise a total of 14 articles, which encompass the following key aspects:
1. Data processors are not obligated to conduct a data export security assessment for the export of important data if the data being processed has not been officially notified or publicly announced as such by relevant departments or regions.
Practically speaking, without official notification or the public release of the important data catalog by relevant departments or regions, data processors (i.e. data handlers) face challenges in determining whether they are processing important data. Consequently, it is difficult to submit a data export security assessment based on this uncertainty. This provision aims to reduce this ambiguity, thereby facilitating the smooth cross-border transfer of data for companies.
Given the significance of important data to national security and public interests, this provision reinforces the obligation of data processors to identify and report such data in compliance with the relevant regulations. For instance, the “Measures for the Security Management of Industrial and Information Systems Data (Trial)” require that data processors in the industrial and information sectors conduct regular data reviews, identify important data and core data based on the applicable standards, and establish specific catalogs for their respective units. The national standard “Data Security Technology Data Classification and Grading Rules” (GB/T 43697-2024) was officially released on March 21, 2024; Appendix G of the standard provides guidelines for identifying important data and lists for identifying important data in key industries and sectors. Additionally, the “China (Tianjin) Free Trade Pilot Zone Enterprise Data Classification and Grading Standard Specification” issued by the Tianjin Free Trade Zone includes a catalog for identifying important data and requires companies to conduct internal data classification and grading work and to submit their catalog of important data to the competent authority for network data security in the Tianjin Free Trade Pilot Zone. Companies should therefore pay further attention to the catalogs of important data in the various industries and regions to determine whether they cover data generated or managed by the companies themselves.
2. Data export procedures do not apply to cross-border transfers that do not involve domestic personal information or important data.
The New CBDT Regulations explicitly exempt two types of cross-border transfers that do not involve domestic personal information or important data from the data export procedures:
(1) Common cross-border business activities such as international trade, cross-border transportation, transnational production and manufacturing, marketing, and academic cooperation are exempt from the data export procedures if the exported data does not include personal information or important data. Companies can freely engage in these activities abroad.
(2) If personal information collected and generated overseas is transferred into China for processing and then provided overseas again (a common scenario for Chinese companies operating abroad that serve overseas users), and no domestic personal information or important data is introduced during processing, and the rights and interests of data subjects within China are not affected, there is no need to complete data export procedures.
3. The triggering thresholds and calculation periods have been adjusted for different types of data export procedures.
In contrast to the “Measures for Data Export Security Assessment,” which determine the triggering threshold for submitting a data export security assessment based on the quantity of data held by data processors, the New CBDT Regulations adopt the cumulative quantity and types of data exported by data processors in the current year as the triggering criteria for the different data export procedures. This shift aims to focus risk assessment on the data actually being exported, thereby effectively reducing compliance costs for businesses. Compared to the Draft Regulations, the New CBDT Regulations have made several changes. Firstly, the export of sensitive personal information is treated as a separate standard for determining whether a government security assessment or filing is triggered. Secondly, the threshold for filing a standard contract has been raised from exporting the personal information of 10,000 individuals to 100,000 individuals. Thirdly, the method for calculating whether a threshold has been met has changed: previously the calculation was based on the projected number of individuals whose personal information would be exported in the upcoming year, whereas now it is based on the number accumulated in the current year of application. Fourthly, the validity period of a data export security assessment has been extended from two years to three years and can be extended further upon application.
Here is a summary of the types of data export procedures and the criteria that trigger them. These are relevant to critical information infrastructure operators (“CIIO”) and general data processors who provide important data and personal information to overseas entities. This summary aims to help enterprises understand their corresponding compliance obligations.
Note: When counting the number of individuals whose personal information is being transferred overseas, the number of individuals exempt from the data export procedures under the New CBDT Regulations should be excluded.
4. Certain personal information data export scenarios are exempt from the data export procedures.
In order to address the frequent data transfer needs in practice, as well as the need for multinational companies to transfer employees’ personal information for cross-border human resource management, the New CBDT Regulations also exempt the following:
(1) when personal information is required to be shared with overseas entities for the purpose of establishing and fulfilling contracts involving individuals, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, flight and hotel reservations, visa processing, and examination services;
(2) when it is necessary to provide employees’ personal information to overseas entities for the implementation of cross-border human resource management in accordance with labor regulations and collective contracts signed in accordance with the law;
(3) in emergency situations where it is necessary to provide personal information to overseas entities to protect the life, health, and property safety of individuals;
(4) for data processors, excluding critical information infrastructure operators, who have transmitted the personal information of fewer than 100,000 individuals (excluding sensitive personal information) to overseas entities since January 1 of the current year.
Among the exemption scenarios above, the second item is a common concern in practice, i.e. how to meet the requirements for exempting the transfer of employees’ personal information to overseas entities. As with the Draft Regulations, the New CBDT Regulations still lack a clear definition of the scope and criteria for what counts as “necessary” and as “cross-border human resource management.” Based on previous project experience, the CAC still applies specific criteria and requirements when determining whether a transfer is “necessary.” It remains to be seen whether these standards and requirements will be maintained or relaxed, both for exemption cases and for security assessment and filing projects, so further observation is needed. Moreover, because the exemption for small-scale transfers excludes sensitive personal information, if a company has cumulatively transferred the sensitive personal information of fewer than 10,000 employees, then unless that transfer meets the exemption requirements, the company may still be required to enter into a standard contract for personal information export with the overseas recipient or to obtain personal information protection certification, as stipulated in Article 8 of the New CBDT Regulations. This matter therefore warrants continued attention.
5. Data processors located in free trade zones are also eligible for exemption from the data export procedures when providing data that is not included in the “negative list”.
Under the national data classification and grading protection system, free trade zones have the authority to independently create a data list, known as the “negative list,” which determines the scope of data export security assessment, standard contracts for export of personal information, and personal information protection certification. This list must be approved by the provincial-level cybersecurity and information committee and filed with the national cyberspace administration and the national data management department.
Data processors located in free trade zones are eligible for exemption from the data export procedures when providing data that falls outside the negative list. However, it’s important to note that this exemption only applies to data processors within free trade zones.
Recently, regulations have been introduced by different free trade pilot zones to promote data circulation. For example, the Beijing Municipal Bureau of Commerce issued the “Regulations on the Beijing Foreign Investment (Draft for Comments),” which stipulates the “efficient conduct of data export security assessments for important data and personal information, the formulation of a general data list that can flow freely, and the promotion of secure and orderly data circulation.” [1] The Guangzhou Municipal Administration of Government Services Data Management released the “Guangzhou Data Regulations (Draft for Comments),” which proposes the establishment of a “white list” system for cross-border data transfers. [2] The Shanghai Municipal Government issued the “Implementation Plan for the Overall Plan for Fully Connecting with International High-standard Economic and Trade Rules and Promoting the High-level Institutional Opening of China (Shanghai) Pilot Free Trade Zone,” which explores the establishment of a legal, secure, and convenient mechanism for cross-border data transfers to enhance the convenience of cross-border data flow. By strengthening classification guidance for outbound data in the relevant industries, releasing sample scenarios, and establishing a cross-border data service center in the Lingang New Area, it helps data processors conduct self-assessment and other security compliance work. [3]
6. The legal requirements for cross-border data transfers and the obligations for handling data security incidents are restated.
Article 10 of the New CBDT Regulations highlights that data processors must fulfill certain obligations when providing personal information to overseas parties. These obligations include notification, obtaining individuals’ separate consent to the cross-border data transfer, and conducting personal information protection impact assessments in accordance with laws and administrative regulations. This requirement aligns with the emphasis on an individual’s separate consent in the Draft Regulations. The provision clarifies that the relaxation mainly pertains to the scope of assessments and filings and does not change the management requirements for the cross-border transfer of personal information. Even companies that are exempt from assessments or filings must still implement the basic obligations for cross-border transfers in their business processes and comply with the legal requirements.
Article 11 of the New CBDT Regulations emphasizes the protection of data export security. It states that in the event of an actual or potential data security incident, remedial measures should be taken and timely reports should be made to the cyberspace administration departments at the provincial level and above and to other relevant competent authorities.
Since the implementation of the Cybersecurity Law over six years ago, the supporting rules and law enforcement activities related to cybersecurity have gradually become more comprehensive. In 2023, the CAC also issued the “Management Measures for Reporting Cybersecurity Incidents (Draft for Comments)”, which require network operators to promptly initiate emergency plans to handle cybersecurity incidents. For relatively severe, severe, and extremely severe cybersecurity incidents, reports should be made within one hour. The specific reporting process and requirements for cross-border data transfers in the event of a data security incident still need further clarification through practice. These requirements are in line with current operational practice, and it is recommended that companies establish response plans and internal management requirements.
II. Our observations and recommendations
In general, the New CBDT Regulations adjust and optimize the mechanism for data export procedures, facilitate cross-border data flows and reduce the compliance costs for companies while ensuring national data security. Under the guidance of the New CBDT Regulations, companies can refer to the following key points to evaluate and improve their compliance in cross-border data transfer scenarios.
1. Evaluate and assess the applicability of the New CBDT Regulations for businesses and determine applicable compliance strategies.
(1) For companies that have not yet submitted a security assessment or standard contract filing, it is necessary to determine as soon as possible whether a data export security assessment, standard contract filing, or personal information protection certification is required, and to apply for it in a timely manner. If, after reviewing its data export situation, a data processor still needs to complete a data export security assessment or conclude standard contracts for personal information export, it should update and improve the application materials and submit them as soon as possible, in accordance with the “Guidelines for Data Export Security Assessment (Second Edition)” and the “Guidelines for Standard Contract for Personal Information Export (Second Edition)” issued by the CAC on the same date as the New CBDT Regulations. Based on the CAC press conference [4], general applications can be submitted through the data export filing system.
(2) Assess whether to proceed with or withdraw the submitted application for security assessment or standard contract filing. According to the CAC press conference, if an enterprise has already applied for a data export security assessment, or submitted a filing for a standard contract for personal information export before March 22, 2024, but is not required to carry out the above procedures according to the New CBDT Regulations, the data processor can proceed with the original procedures or withdraw the application and filing from the provincial cyberspace administration department. Although the specific process for withdrawal is not yet clear, it can be confirmed by contacting the relevant responsible officials later.
(3) Assess the possibility of utilizing alternative methods for data export if the security assessment is unsuccessful or only partially successful. According to the CAC press conference, if an enterprise fails to pass or only partially passes the data export security assessment by March 22, 2024, it can provide personal information to overseas entities through other means, such as entering into a standard contract for exporting personal information or obtaining personal information protection certification, if exempt from the data export security assessment under the New CBDT Regulations. However, practical implementation is still needed to confirm whether the data export scenarios or specific data fields that did not pass or were only partially passed during the security assessment would satisfy the relevant requirements of other data export channels.
(4) The validity period of a passed security assessment result has been extended to three years, and renewal can be applied for upon expiration. Data processors that have already passed a data export security assessment before March 22, 2024 can continue to rely on that result. According to the New CBDT Regulations, the validity period of these assessment results is three years from the date of issuance. When the validity period expires and there is a need to continue exporting data without re-applying for a security assessment, data processors can apply for a three-year extension within 60 working days before the expiration of the validity period.
2. Improve internal compliance measures to meet the basic requirements for the cross-border transfer of personal information. While the New CBDT Regulations provide exemptions under certain circumstances, it is important to note that these exemptions do not relieve the compliance obligations for cross-border data transfers. In particular, Article 10 of the New CBDT Regulations emphasizes the general compliance obligations for the outbound transfer of personal information, including fulfilling the notification obligation, obtaining individual consent, and conducting a personal information protection impact assessment. This is also the basic compliance requirement for the outbound transfer of personal information under the “Personal Information Protection Law”. When reviewing the process for the outbound transfer of personal information, regardless of whether an assessment, standard contract filing, or certification is required, companies still need to assess whether there are compliance gaps and make necessary improvements, while keeping relevant records. This is also a basic requirement for companies to meet future personal information protection compliance audits.
3. Monitor updates to the catalogs of important data and ensure that important data is identified and reported in compliance with the law. According to the New CBDT Regulations, data processors should identify and report important data in accordance with the relevant regulations. If the data being processed has not been officially notified or publicly announced as important data by the relevant departments or regions, there is no need to apply for a security assessment for exporting important data. Because different regions and departments will establish their own data classification and protection systems and determine the specific catalog of important data for their local area, department, industry, and field, practice will develop accordingly. Companies should nonetheless continue to pay attention to the identification and reporting requirements for important data that apply to their own industry, data processing, and business activities.
We will continue to monitor the implementation of the New CBDT Regulations and keep abreast of any new developments.
1. https://sw.beijing.gov.cn/zmhd/dczjj/202309/t20230920_3262661.html
2. http://zsj.gz.gov.cn/hdjlpt/yjzj/answer/29851
3. https://www.shanghai.gov.cn/nw12344/20240205/2af907af61cf4977866b7d377baf5d1d.html