On 28 September 2023, the Cyberspace Administration of China (“CAC”) released for public comment the Provisions on Regulating and Facilitating Cross-border Flow of Data (Draft for Public Consultation) (the “Provisions”). Although the Provisions contain only eleven articles, they would, if adopted, significantly relax the regulation and restriction of cross-border data transfers. Enterprises, especially small and medium-sized enterprises (“SMEs”), may be able to lower their cross-border data transfer compliance costs if the Provisions are adopted.
Pursuant to the Data Security Law, the Personal Information Protection Law and other relevant laws, there are primarily three procedures that a data processor in Mainland China may need to comply with to provide data (including Personal Information (“PI”)) overseas:-
1. passing a security assessment organised by the CAC;
2. obtaining a PI protection certification from a specialised institution recognised by the CAC;
3. entering into a standard contract prepared by the CAC with the overseas recipient and completing the filing formalities.
Strictly speaking, a data processor in Mainland China is required to complete one of the foregoing three procedures before it may transfer data overseas, regardless of the importance or volume of the data. Procedures 1 and 3 apply only in specific circumstances[1]. The existing rules place a significant burden on Mainland data processors, especially SMEs, in their legitimate business operations, and the workload of the cyberspace administrations at all levels is heavy. The Provisions lower the compliance thresholds for cross-border data transfers in certain circumstances. Data processors that satisfy the relevant conditions set out in the Provisions may export their data without going through any of the ex ante regulatory procedures with the CAC or the institutions it recognises. The conditions for security assessments are also relaxed. We summarise the requirements applicable to data export under the Provisions, with our comments, in the table below for your reference.
| Content of the Provisions | Our Comments |
|---|---|
| Data processors are not required to apply for a data export security assessment, enter into a standard contract for the outbound transfer of PI, or obtain a PI protection certification in any of the following circumstances: | |
| 1. The data to be exported is generated from international trade, academic cooperation, or multinational manufacturing and marketing activities, and does not contain PI or important data. | Data generated from the operations of foreign-invested enterprises and enterprises engaged in international trade, or from academic cooperation (for example, statistics on the manufacturing or sales of ordinary products), may be shared freely with overseas parent entities or business partners provided it contains no PI or important data. This should make things much easier for those enterprises. |
| 2. The PI to be provided overseas was not collected or generated within the territory of Mainland China. | The data compliance burden on enterprises engaged in “data transit” business (e.g., international data storage and processing) may be eased. |
| 3. Any one of the following conditions is satisfied: | |
| (a) PI must be provided overseas for the purpose of entering into and performing a contract to which the PI subject is a party, such as cross-border shopping, cross-border remittance, air ticket and hotel booking, and visa applications; | Enterprises engaged in cross-border e-commerce or outbound tourism may provide their clients’ PI overseas as needed for their business without unnecessary compliance costs. |
| (b) PI of employees must be provided overseas in order to implement human resources (“HR”) management under labour rules formulated in accordance with the law and collective contracts concluded in accordance with the law; | Judging from the applications filed to date for standard contracts for the outbound transfer of PI, many applicants are foreign-invested companies that need to provide the PI of their Mainland employees overseas for use in their group’s global HR system. This provision may greatly lower the data compliance cost for such enterprises. |
| (c) PI must be provided overseas in order to protect the life, health or property safety of individuals in an emergency. | This restates Article 13(4) of the Personal Information Protection Law. |
| 4. It is expected that the PI of fewer than 10,000 individuals will be provided overseas within one year. | The compliance burden on SMEs that do not process data as their core business would be effectively reduced. |
| Data processors may not need to apply for a data export security assessment, enter into a standard contract for the outbound transfer of PI, or obtain a PI protection certification in the following circumstance: | |
| The data to be exported is not on the Negative List developed by a pilot free trade zone (i.e., a list of data that falls within the scope of a security assessment on cross-border data transfer, a standard contract for the cross-border transfer of PI, or a PI protection certification; the list must be submitted for approval to the cyberspace affairs commission at the provincial level and then filed with the CAC for record). | The Negative List may further expand the scope of data processors that need not complete the ex ante regulatory procedures before transferring data overseas. If the Negative List approach proves effective, it may later be rolled out nationwide. |
| Data processors are not required to apply for a security assessment on the cross-border transfer of important data: | |
| if the data processor has not been notified by, and there has been no public release from, the relevant government authorities that its data is to be deemed important data. | Even after the Data Security Law came into effect, the definition of “important data” under the laws and regulations remains unclear. It is difficult for data processors to determine whether the data they process is “important data”, which exposes them to high compliance risk and uncertainty. This provision should help to improve the situation. |
| Data processors may not need to apply for a data export security assessment: | |
| if it is expected that the PI of more than 10,000 but fewer than 1 million individuals will be provided overseas within one year, and the data processor has entered into the standard contract for export and filed it with the cyberspace administration at the provincial level, or has obtained a PI protection certification. | The volume threshold for the outbound transfer of PI is raised, and the rule does not distinguish sensitive PI from other PI. In effect, it raises the threshold at which a security assessment for data export is required[2]. |
| Data processors shall apply for a data export security assessment: | |
| if the PI of more than 1 million individuals is provided overseas. | This is consistent with the Measures for the Security Assessment of Outbound Data Transfer. |
| Data processors shall follow the relevant laws, regulations and rules: | |
| 1. where State agencies and critical information infrastructure operators transfer PI and important data outside Mainland China; | The existing rules continue to apply to the export of important data and of PI critical to national security. |
| 2. where sensitive information or sensitive PI relating to the Communist Party of China, the government, the military or classified agencies is to be transferred outside Mainland China. | |
According to Article 11 of the Provisions, should there be any inconsistency between the Provisions and the Measures for the Security Assessment of Outbound Data Transfer or the Measures for the Standard Contract for the Outbound Transfer of Personal Information, the Provisions shall prevail. Consequently, the Provisions should relax the ex ante regulation of data export to a significant extent. The regulator appears to be seeking a balance between maintaining data security and allowing the free flow of data. On the one hand, data processors, especially SMEs, may transfer data overseas at a lower cost. On the other hand, the supervising authorities may concentrate their ex ante regulation on the export of important data and of data in large volumes. This may lessen the heavy workload of the supervising authorities in reviewing cross-border data transfers.
Although the compliance cost for data processors may be lower, compliance requirements still apply to such transfers. Data processors still need to take appropriate measures to ensure data security in accordance with the existing laws and regulations. For instance, they must obtain separate consent from the PI subjects for the outbound transfer of their PI, conduct a PI protection impact assessment, and prepare and retain the assessment report. The requirements to establish internal management rules and operating procedures also remain. The Provisions require the local cyberspace administrations to monitor compliance before, during and after data export activities. If they find any problem, they may require the data processor to rectify it and may even order it to stop transferring data overseas.
Comments on the Provisions should be submitted to the CAC by 15 October 2023. The final Provisions are expected to be released and take effect by mid-November 2023. The data processors described in the Provisions should continue preparing for compliance with the data export requirements. At the same time, they should keep a close eye on the development and formal issuance of the Provisions so that they can take appropriate action to ensure their data can be transferred overseas smoothly in accordance with the laws and regulations.
[1] Article 4 of the Measures for the Security Assessment of Outbound Data Transfer reads as follows:

“To provide data abroad under any of the following circumstances, a data processor shall apply to the national cyberspace administration for the security assessment of the outbound data transfer through the local provincial cyberspace administration:
(1) The data processor provides important data abroad.
(2) The critical information infrastructure operator or the data processor that has processed the PI of over one million people provides PI abroad.
(3) The data processor that has provided the PI of over 100,000 people or the sensitive PI of over 10,000 people cumulatively since January 1 of the previous year provides PI abroad.
(4) Any other circumstance where an application for the security assessment of outbound data transfer is required by the national cyberspace administration.”

Article 4 of the Measures for the Standard Contract for the Outbound Transfer of PI reads:

“To provide PI to an overseas recipient through the conclusion of the standard contract, a PI processor shall meet all of the following conditions:
(1) It is not a critical information infrastructure operator;
(2) It has processed the PI of less than one million individuals;
(3) It has cumulatively provided the PI of less than 100,000 individuals to overseas recipients since January 1 of the previous year; and
(4) It has cumulatively provided the sensitive PI of less than 10,000 individuals to overseas recipients since January 1 of the previous year.”

[2] Measures for the Security Assessment of Outbound Data Transfer, Article 4:

“To provide data abroad under any of the following circumstances, a data processor shall apply to the national cyberspace administration for the security assessment of the outbound data transfer through the local provincial cyberspace administration:
…
(3) The data processor that has provided the personal information of over 100,000 people or the sensitive personal information of over 10,000 people cumulatively since January 1 of the previous year provides personal information abroad.
…”