On 28 September 2023, the Cyberspace Administration of China (“CAC”) issued the Regulations for Standardising and Promoting Cross-Border Data Flows (Draft for Comments) (“Draft Regulations”) to solicit public comments. The Draft Regulations appear to overturn some of the CAC’s previous requirements in relation to cross-border data transfers.
Background
Legal mechanisms under the PIPL
Under Article 38 of the Personal Information Protection Law (“PIPL”) issued in 2021, companies intending to export personal information to overseas recipients are required to go through one of the following legal mechanisms (“Legal Mechanisms”):
1. going through the security assessment organised by the CAC (“Security Assessment”);
2. signing the Standard Contract issued by the CAC with the overseas recipient (“Standard Contract”);
3. seeking personal information protection certification from a professional institute recognised by the CAC (“Certification”); or
4. meeting other conditions prescribed by law, administrative regulations, or the national cyberspace authority.
CAC regulations
The CAC has issued several regulations detailing the requirements for implementing the Legal Mechanisms, including:
| Legal Mechanism | CAC Regulations |
|---|---|
| Security Assessment | Measures for the Security Assessment of Outbound Data Transfers |
| Standard Contract | Measures for the Standard Contract for Outbound Cross-Border Transfer of Personal Information |
| Certification | Announcement on the Implementation of Personal Information Protection Certification |
It is also worth noting that Item 4 of Article 38 of the PIPL grants the CAC the power to create new or supplemental rules for cross-border transfers of personal information. However, before the Draft Regulations, the CAC had never issued any rules that deviated from the three Legal Mechanisms.
Implementation of the Legal Mechanisms
Onerous compliance obligations under the Legal Mechanisms
The CAC has gradually promulgated regulations to implement the Legal Mechanisms for the Security Assessment, Standard Contract and Certification since late 2022. Companies that fall within the scope of the Legal Mechanisms have been trying to comply with them ever since. However, the compliance obligations under the Legal Mechanisms are onerous and require a significant amount of time and effort to complete tasks such as:
- data mapping;
- improvements to data protection and information security policies;
- conducting assessments based on complicated parameters prescribed by the CAC and drafting long assessment reports;
- seeking separate consent from individuals whose information is transferred out of China; and
- assessing the local laws and policies of the countries to which the data will be exported.
It is also worth noting that the Security Assessment and Standard Contract both involve making filings with the CAC, and some companies’ data export practices have been challenged by the CAC during the filing process.
Concerns of companies and the CAC’s response
In light of the onerous compliance obligations associated with implementing the Legal Mechanisms, some multinational companies expressed their concerns to the CAC, and the CAC appears to be responsive to these concerns. For example:
- In July 2023, the State Council issued the Opinions on Further Optimising the Environment for Foreign Investment and Increasing Efforts to Attract Foreign Investment (“Opinions”), which call for the government to “explore a streamlined security management mechanism for cross-border data flows”, “establish green channels for qualified foreign-invested enterprises, efficiently conduct security assessments for the outbound transfer of important data and personal information”, and “promote safe and orderly flows of data”. The Opinions also encourage regions such as Beijing, Tianjin, Shanghai, and the Guangdong-Hong Kong-Macau Greater Bay Area to create, on a pilot basis, “lists of some ordinary data that is allowed to flow freely”.
- In August 2023, the CAC is reported to have contacted and met with representatives from dozens of multinational companies to ease their concerns about the cross-border data transfer regime. For more information, see https://techmonitor.ai/technology/china-on-charm-offensive-with-western-businesses-over-new-data-laws.
The Draft Regulations
As a follow-up action to the government’s initiative to relax the requirements for cross-border data transfers, the CAC appears to be considering exercising its power under Article 38 of the PIPL to create some exceptions to the existing Legal Mechanisms to facilitate cross-border data transfers.
Essentially, the Draft Regulations propose exempting companies from complying with ALL three Legal Mechanisms under Article 38 of the PIPL if their data export scenarios fall under any of the following conditions:
- the personal information to be exported is not collected or generated within China;
- the export of personal information is necessary for the conclusion or performance of a contract to which the individual is a contracting party, such as personal information exports required for cross-border shopping, international remittances, flight and hotel reservations, visa processing, etc.;
- the export of employees’ personal information is necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded;
- the export of personal information is necessary to protect the life, health, and property safety of natural persons in the case of an emergency;
- a company intends to export the personal information of less than 10,000 individuals within a year.
The Draft Regulations also propose raising the data transfer volume thresholds for triggering a Security Assessment (a more onerous Legal Mechanism) and allowing data exporters making lower volume transfers of data to rely on the Standard Contract or Certification (two relatively less onerous Legal Mechanisms):
| Data transfer volume threshold | Security Assessment required? | Standard Contract or Certification required? |
|---|---|---|
| Exporting the personal information of over 10,000 but less than 1,000,000 individuals within a year | No | Yes |
| Exporting the personal information of over 1,000,000 individuals within a year | Yes | No |
Implications
The Draft Regulations appear more friendly to multinational companies than previous regulations. Once formalised, they would significantly reduce the compliance obligations of those companies. However, the sudden release of the Draft Regulations has raised a number of questions, which we attempt to answer below.
When will the Draft Regulations take effect?
It is unclear when the Draft Regulations will take effect. However, the CAC may want to formalise them soon because:
- The CAC only provided 18 days (28 September – 15 October, most of which was a national public holiday) to solicit public comment, indicating its determination to formalise the Draft Regulations promptly.
- The statutory deadline for filing the Standard Contract will end on 30 November 2023. If the Draft Regulations are not formalised soon, companies may devote time and resources towards meeting this deadline to file signed Standard Contracts with the CAC, and the CAC would then face the burden of processing these filings. Therefore, the CAC may want to formalise the Draft Regulations sooner rather than later and, in any event, before 30 November 2023.
Can companies rely on the Draft Regulations to stop work in relation to the Legal Mechanisms now?
No, because:
- Until a formal version of the Draft Regulations is released, they should not be treated as an effective regulation to be relied on.
- There is a possibility that the Draft Regulations may not be formalised by 30 November 2023. In that case, companies that need to adopt the Standard Contract would still be bound by the CAC’s existing regulations, which require them to file the signed Standard Contract with their local CAC by 30 November 2023.
- The exemptions under the Draft Regulations are broad, and how they would interact with conflicting triggers under the CAC’s previous regulations is unclear. We expect more clarification in the final version of the Draft Regulations.
- The radical changes proposed by the Draft Regulations are unusual. It is possible the CAC may want to take a step back in the formal version. For example, instead of exempting qualified companies from all Legal Mechanisms, the CAC may still want these companies to take some less onerous compliance measures (e.g., signing the Standard Contract but not filing with the CAC) to ensure data security.
- The Draft Regulations do not propose changing the fundamental data compliance requirements of the PIPL. Therefore, even if companies no longer need to go through any of the Legal Mechanisms, they would still be obliged to take actions to comply with the PIPL, including:
  - setting up a data protection compliance framework (Article 51 of the PIPL), which involves:
    - developing an internal management system and operating procedures;
    - managing personal information based on classification;
    - taking appropriate technical security measures such as encryption and de-identification;
    - reasonably determining authorisations to operate the processing of personal information and conducting security education and training for employees regularly;
    - developing and organising the implementation of emergency plans for personal information security incidents; and
    - taking any other measure required by law or administrative regulations;
  - notifying the data subjects of the details of the transfers and obtaining their separate consent where required (Article 39 of the PIPL);
  - conducting Personal Information Protection Impact Assessments (PIPIA) for cross-border data transfers (Article 55 of the PIPL); and
  - signing data processing agreements with entrusted processors (Article 21 of the PIPL).
The compliance work needed for these Legal Mechanisms significantly overlaps with the above PIPL requirements. As such, the compliance work that companies have started with a view to implementing the Legal Mechanisms will not be wasted.
How companies should react to the Draft Regulations
At this stage, companies are advised to:
- carry on their compliance work for the Legal Mechanisms as planned;
- analyse whether certain data export scenarios may fall under the proposed exemptions in the Draft Regulations;
- monitor the development of the Draft Regulations closely; and
- seek guidance from their local CAC or wait until the Draft Regulations are formalised to identify whether any further actions are required for filings that have already been submitted.
Regulations for Standardising and Promoting Cross-Border Data Flow (Draft for Comments)
In order to safeguard national data security, protect the rights and interests of personal information, and further regulate and promote the lawful and orderly free flow of data, the following provisions are made in accordance with relevant laws regarding the implementation of data export regulations such as the Measures for the Security Assessment of Outbound Data Transfers and the Measures for the Standard Contract for Outbound Transfer of Personal Information:
- Where a Data Processor exports data (which does not contain personal information or important data) generated in international trade, academic cooperation, transnational manufacturing, and marketing activities, it is not required to apply for a Security Assessment of Outbound Data Transfers (“Security Assessment”), conclude the Standard Contract for Outbound Transfer of Personal Information (“Standard Contract”), or obtain a personal information protection certification (“Certification”).
- For data that has not been notified to the Data Processor, or publicly released, by relevant departments or regions as important data, the Data Processor does not need to declare such data as important data for a Security Assessment.
- Where the outbound personal information is not collected or generated within China, there is no need to apply for a Security Assessment, conclude the Standard Contract, or obtain a Certification.
- In the following cases, there is no need to apply for a Security Assessment, conclude the Standard Contract, or obtain a Certification:
  - where the export of personal information is necessary for the conclusion or performance of a contract to which the individual is a contracting party, such as cross-border shopping, international remittances, flight and hotel reservations, visa processing, etc.;
  - where the export of internal employees’ personal information is necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded; or
  - where the export of personal information is necessary to protect the life, health, and property safety of natural persons in the case of an emergency.
- Where a Data Processor intends to export the personal information of less than 10,000 individuals within a year, it is not required to apply for a Security Assessment, conclude the Standard Contract, or obtain a Certification. However, where a Data Processor exports personal information based on the consent of individuals, it is required to obtain the personal information subjects’ consent.
- For a Data Processor intending to export the personal information of over 10,000 but less than 1,000,000 individuals within a year, if it has concluded the Standard Contract and filed it with the provincial-level cyberspace authority, or has obtained a Certification, it is not required to apply for a Security Assessment; for a Data Processor intending to export the personal information of over 1,000,000 individuals, it is required to apply for a Security Assessment. However, where a Data Processor exports personal information based on the consent of individuals, it is required to obtain the personal information subjects’ consent.
- Free Trade Zones may establish their own lists of data (“Negative Lists”) that shall be managed through the mechanisms of the Security Assessment, the Standard Contract, or the Certification. The Negative Lists shall be approved by the provincial-level cyberspace authority and filed with the national cyberspace authority. It is not required to apply for the Security Assessment, conclude the Standard Contract, or obtain the Certification to export data that is not on the Negative Lists.
- The export of personal information and important data by government agencies and critical information infrastructure operators shall be subject to relevant laws, administrative regulations, and departmental rules. The export of sensitive data and sensitive personal information that involves the Party, the government, the army, and confidential units shall be subject to relevant laws, administrative regulations, and departmental rules.
- Data Processors who export important data and personal information shall comply with the laws and administrative regulations, fulfil data security protection obligations, and ensure the security of data exports. In the event of a data export security incident or an increased risk in data exports, they shall take remedial measures and promptly report to the cyberspace authority.
- Local cyberspace authorities shall strengthen their guidance and regulation of data exports by Data Processors, and enhance their supervision before, during and after the data exports. If they discover significant risks in the data export or if a security incident occurs, they shall require the Data Processor to rectify and eliminate the risks. If the Data Processor refuses to rectify or if serious consequences are caused, the Data Processor shall be ordered to stop data exports in accordance with the law in order to ensure data security.
- Where the Measures for the Security Assessment of Outbound Data Transfers, the Measures for the Standard Contract for Outbound Transfer of Personal Information, or other relevant provisions are inconsistent with these regulations, these regulations shall prevail.
Our Technology, Data Protection and Cybersecurity Practice
We are one of the leading Chinese law firms for Technology, Data Protection and Cybersecurity matters.
With rich experience advising MNCs and local Chinese companies on e-commerce, telecommunications, IT, data privacy and cybersecurity issues, we are well-positioned to assist clients in managing this increasingly important risk area. We adopt a systematic approach when handling complex issues in this area and provide practical step-by-step guidance to our clients so that they can protect themselves against the risks of breaches and the consequences of failing to satisfy legal compliance requirements.
All leading international and Chinese legal directories have recognised our abilities in this area.
We provide full services in areas that include but are not limited to:
- Data and privacy compliance program
- Privacy policy
- Cross-border data transfers
- Data protection clauses
- Employee data processing
- Telecom/IT/Internet
- Hardware, software and technology
- Connected cars and autonomous vehicles
- Big data and cloud services
- Important data processing
- Security incident response
- Business secret protection
- Network product certification
- Encryption
- Dispute resolution
- Cyber crimes
This document has been prepared solely for information purposes and is not intended as legal advice.