As foreshadowed in our previous client alert highlighting various hurdles to cope with its data export requirements (the “September Update“), China’s cybersecurity regulator, the Cybersecurity Administration of China (“CAC“), has recently released a set of draft regulations that are aimed to ease relevant compliance pressure and costs.
Highlights of proposed changes
First, the draft Regulations on Standardizing and Promoting Cross-Border Data Flows (“Draft Regulations“) makes it clear that “important data”, while broadly defined as before to include data which may endanger national security, economic operation, social stability, public health and safety when leaked, will only be so qualified and thus trigger mandatory security assessment if and when the relevant data is explicitly categorized as such by regulators or local authorities. This will remove the potential ambiguities and uncertainties that have been troubling Chinese data exporters.
Second, Chinese business operators can rely on the new and explicit exemptions prescribed in the Draft Regulations to avoid going through the statutory gateways (namely, the security assessment, certification and standard contract filing, as outlined in our September Update) for sending data abroad. These exemptions cover the following data export activities:
- outbound transfers of data generated in activities such as international trade, academic cooperation, cross-border manufacturing and marketing that do not contain personal information or important data;
- non-PRC origin personal information;
- outbound transfer of personal information necessary for entering into and performing a contract to which an individual is a party, such as cross-border e-commerce, cross-border payments, air ticket and hotel bookings, visa applications, etc.;
- employee data transfer for HR management;
- outbound transfer of personal information necessary for protecting the life, health and property safety of a natural person in an emergency;
- outbound transfer by a data processor, which is expected to involve less than 10,000 individuals’ personal information within one year; and
- cross-border data transfer falling outside the negative list to be formulated by Free Trade Zones.
Most importantly, the Draft Regulations explicitly confirm that they will prevail to the extent of any inconsistencies with the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer.
Observations
Overall, the Draft Provisions, if implemented, would streamline many multinational’s data exports and significantly reduce the burden companies have faced in the past months to comply with the implementing regulations of the Personal Information Protection Law in relation to the security assessment and standard contract filing.
However, the exemptions outlined in the Draft Regulations do not affect other general data protection obligations under the relevant PRC data protection laws, such as obtaining appropriate consent from data subjects and ensuring compliance with self-assessment pertaining to personal information.
What’s next
The Draft Regulations are open for public consultation until 15 October 2023. The timing for the finalized regulations to be issued is unclear. But given the imminent 30 November deadline for standard contract filing, we anticipate that the regulator will aim to finalize the Draft Regulations before the end of November.
Some companies to which exemptions would apply, might halt their standard contract filing or security assessment procedure with CAC in anticipation of saving time and costs.
Given the evolving nature of data laws in China, companies with a presence or business interest in the country must remain vigilant and responsive to future developments. The proposed exemptions for cross-border transfers outlined in the Draft Regulations present an opportunity for companies to benefit from more favorable data transfer mechanisms potentially. However, it is essential for these companies to monitor the progression of the regulations closely and to assess whether the exemptions will apply to their specific circumstances.