The Cyberspace Administration of China (“CAC”) promulgated the Provisions on Promoting and Regulating Cross-border Data Flows (“Provisions”) on 22 March 2024. CAC officials have also answered questions from journalists regarding the Provisions. The Provisions refine the conditions and operation of cross-border data flows under the existing legal framework and provide enterprises with clear guidance for data export. The Provisions have 14 articles, which became effective on the date of promulgation. Key points are outlined as follows:-
I. Circumstances where the data can be exported out of China directly
A data processor is exempt from going through a security assessment for data export, concluding a standard contract for personal information (“PI”) to be provided abroad or passing an authentication for PI protection under any one of the following circumstances. That is, it (regardless of whether or not it is a critical information infrastructure operator (“CIIO”), unless clearly provided otherwise) can export the relevant data out of China directly:-
1. Where a data processor provides the data collected and generated in such activities as international trade, cross-border transportation, academic cooperation, transnational manufacturing and marketing, which do not contain PI or important data, to overseas parties.
2. Where a data processor provides PI collected and generated abroad to overseas parties after being transferred to China for processing, and no domestic PI or important data is introduced in the process of processing.
3. A data processor satisfies any of the following conditions when providing PI abroad:-
(1) Where it is really necessary to provide PI abroad for the purpose of concluding or performing a contract to which an individual concerned is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel reservation, visa processing and examination services;
(2) Where it is really necessary to provide employees’ PI abroad for the purpose of conducting cross-border human resources management in accordance with the employment rules and regulations formulated legally and collective contracts concluded legally;
(3) Where it is really necessary to provide PI abroad in an emergency to protect the life, health and property safety of a natural person; or
(4) Where a non-CIIO data processor provides abroad the PI (excluding sensitive PI) of not more than 100,000 people accumulatively as of January 1 of the current year.
Kindly note that the aforementioned PI provided abroad shall not contain important data. A data processor, whether a CIIO or not, shall go through security assessment for data export if the data to be exported is important data. A data processor shall identify and declare important data in accordance with relevant provisions [1]. If the data has not been identified or publicly announced as important data by relevant departments or regions, it will be treated as non-important data and be exported in accordance with the relevant rules.
4. Where a data processor in a pilot free trade zone (“FT Zone”) provides overseas parties with any data not in the negative list. The negative list is a list of data formulated by the FT Zone, under the framework of the national system for data classification and grading, that needs to be included in the scope of administration of security assessment for data export, the standard contract for providing PI abroad and authentication for PI protection. The negative list shall be filed with the CAC and the national data administration for the record upon approval by the Cyber Security and Informatization Commission at the provincial level. The data processors in the FT Zone shall comply with the State regulations on data export security administration before the negative list is released.
II. Circumstances where security assessment is required for data export
A data processor shall apply for security assessment for data export to the CAC through the Cyberspace Administration at the provincial level (“Provincial CA”) at its locality if it satisfies any of the following conditions:-
(1) Where the data to be exported is important data;
(2) Where a CIIO exports PI; or
(3) Where a non-CIIO provides, as of January 1 of the current year, PI (excluding sensitive PI) of not less than 1 million people or sensitive PI of not less than 10,000 people in aggregate to overseas parties. The data which can be exported directly under Section I (except for those under Item 3 (4)) shall not be counted in the calculation of PI under this circumstance.
The security assessment result for data export shall remain valid for 3 years from the date of its issuance. Where the data processor needs to continue with data export upon expiry of the assessment result and nothing triggers re-submission for security assessment, it may, within 60 workdays prior to the expiry date, apply to the CAC through the local Provincial CA to extend the period of validity of the assessment result. Upon approval by the CAC, the period of validity of the assessment result can be extended by 3 years.
III. Circumstances where a standard contract with the overseas recipient for the export of PI or PI protection authentication is required for data export
Where a non-CIIO exports PI (excluding sensitive PI) of not less than 100,000 but not more than 1 million people, or the sensitive PI of not more than 10,000 people, accumulatively as of January 1 of the current year, it shall conclude a standard contract with the overseas recipient for PI export or go through the authentication on protection of PI in accordance with the law. Similarly, the data which can be exported directly under Section I (except for those under Item 3 (4)) shall not be counted in the calculation of PI under this circumstance.
The CAC released the Guidelines for Data Export Security Assessment (Second Edition) and the Guidelines for Filing Standard Contracts for Personal Information Export (Second Edition) with the Provisions. A data processor may apply for data export security assessment or file standard contracts for PI export online through the Data Export Declaration System (https://sjcj.cac.gov.cn). If an application or filing has been submitted on site, the data processor will not need to redo the submission online. A data processor may log in to the Personal Information Authentication Administration System (https://data.isccc.gov.cn) to apply for authentication on PI protection online. CIIOs or others that are deemed unsuitable for online application still need to apply for data export security assessments offline to the CAC through their local Provincial CA.
Our Comments
The Provisions have modified certain rules on data export under the Security Assessment Measures for Data Export and Measures for the Standard Contract for the Outbound Transfer of Personal Information, relaxed the conditions for data export and provided clearer compliance guidelines. As a result, data processors, especially small and medium-sized enterprises, may have lowered compliance costs and improved certainty and efficiency in data exchange with overseas parties.
The Provisions emphasize that data processors shall take appropriate measures to protect data security and fulfill obligations such as notification, obtaining separate consent, and conducting PI protection impact assessments in accordance with relevant regulations when providing PI abroad.
Data processors with the need for data export shall refer to the Provisions to determine the appropriate procedure and take actions accordingly. According to CAC officials, a data processor that did not pass, or only partially passed, the data export security assessment before the implementation of the Provisions, and that is exempt from security assessment under the Provisions, may provide PI abroad by entering into standard contracts for PI export or passing authentication on the protection of the PI. Data processors that had already submitted an application for data export security assessment or filed standard contracts for PI export before the implementation of the Provisions, and that are exempt from the aforementioned procedures under the Provisions, may continue proceeding with the original procedures or withdraw their application from the local Provincial CA. We would suggest these data processors communicate with the CAC or the Provincial CA which deals with their submission and seek their advice before determining whether to complete the original procedures or proceed in accordance with the Provisions.
We will continue to monitor the implementation of the Provisions and will advise on important developments.
[1] The National Information Security Standardization Technical Committee released the national standard GB/T 43697-2024 “Data Security Technology — Rules for Data Classification and Grading” on March 15, 2024. This standard outlines the principles, framework, methods, and procedures for data classification and grading, along with guidelines for identifying important data. Data processors may refer to this standard to assess whether their data may be classified as important data. This standard will be implemented from 1 October, 2024.