On September 28, 2023, the Cyberspace Administration of China (“CAC”) published the draft Provisions on Regulating and Promoting Cross-Border Data Flows (“Draft Provisions”) for public consultation.
The Draft Provisions significantly ease the triggering conditions for security assessments, standard contractual clauses (“SCCs”), and security certifications by proposing a series of exemptions for transfers that would otherwise be subject to China’s data transfer restrictions. In recent years, these restrictions have been challenging for multinational companies operating in China who have assumed that data generated and transferred out of China by those operations (including data from sales and customer relations, enterprise resource management/manufacturing, and human resource management) could be freely transferred between the U.S. and China. As a result, many companies have unknowingly run afoul of existing Chinese data transfer restrictions.
Cross-Border Data Transfer Mechanisms under China’s Existing Regime
Under existing PRC law, a company is required to implement one of the following three cross-border data transfer mechanisms (“CBDT Mechanisms”) before any personal information, sensitive personal information, or important data is transferred out of mainland China:
- Passing a security assessment by the CAC;
- Entering into a standard contract with a foreign data recipient in accordance with SCCs published by the CAC; or
- Obtaining a security certification by a third-party certification institution designated by the CAC.
Currently, a CAC security assessment is generally triggered in the following circumstances:
- The data exporter is a critical information infrastructure operator (“CIIO”), which is broadly defined as an operator of critical network facilities or information systems in important industries (such as finance, energy, or transportation), where destruction, loss of function, or data leakage may seriously endanger China’s national security, people’s livelihood, or the public interest;
- The data exporter has processed personal information of more than one million individuals (“Mass Processor”);
- The data transferred is important data; OR
- Since January 1 of the previous year, the data exporter has made aggregated transfers of personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals.
A company may choose to use SCCs or security certification to qualify other data transfers that do not trigger the CAC security assessment.
Exemptions from Implementing CBDT Mechanisms
Under the Draft Provisions, a company is exempted from adopting any of the CBDT Mechanisms in the following circumstances:
- No transfer of personal information or important data: The CAC clarified that, if no personal information or important data is transferred during the course of international trade, academic cooperation, cross-border manufacturing and production, or marketing activities, then none of the CBDT Mechanisms are triggered. Notably, according to the Draft Provisions, a company is generally not required to proactively apply for the CAC security assessment on the ground that it transfers important data, unless a sectoral or local regulator has informed the company that the data to be transferred out of China is important data, or the data falls within an important data list published by the Chinese regulators. This addresses a key concern for multinational companies. Under the existing regulations, the data processor is responsible for determining whether its information qualifies as important data, yet very limited guidance exists on how to make these determinations.
- Transfer of personal information collected or generated outside of China: If the data transferred outside of China are not originally collected or generated in China, their transfer will not be subject to any of the CBDT Mechanisms.
- Necessary for entering into or performing a contract: A company is exempted from the CBDT Mechanisms if the proposed transfer of personal information is necessary for entering into or performing a contract to which it is a party. Examples provided under the Draft Provisions include, without limitation, cross-border e-commerce, cross-border payments, flight and hotel bookings, and visa applications. This carve-out will be welcomed by companies such as e-commerce retailers, online travel agencies, booking service providers, and financial institutions that regularly need to move data globally in order to fulfill their contractual obligations.
- Necessary for human resource management: Transfer of employee personal information necessary for the implementation of HR management, where such transfer is in accordance with the company’s employment policies or a collective employment contract, is exempted from the CBDT Mechanisms. However, the scope of this exemption still depends on how broadly the CAC interprets which transfers are “necessary.” According to Article 8 of the Draft Provisions, transfer of sensitive personal information is still subject to the requirements of relevant laws, regulations, or departmental rules, which seems to indicate that transfers of employees’ sensitive personal information (e.g., bank account or health information) may not qualify for this exemption.
- Necessary for protecting vital interests: Transfer of personal information necessary for protecting the health and “property safety” of a natural person in an emergency is exempted from any of the CBDT Mechanisms.
New CAC Security Assessment Threshold
The Draft Provisions significantly increase the threshold for the CAC security assessment, from 100,000 to one million individuals. The Draft Provisions also change the previous approach: instead of focusing on the “cumulative” volume of personal information that has been transferred out of China since January 1 of the previous year, they focus on the “expected” volume of personal information that will be transferred out of China within the calendar year. However, the Draft Provisions remain silent on what will happen if a company exceeds the expected amount in a given year, or on how the original estimates should be made.
Under these new calculations, if a company transfers personal information of more than one million individuals, a CAC security assessment will be triggered. Another layer down, if the volume of data a company expects to transfer out of China within a year is between 10,000 and one million individuals, it needs to enter into SCCs or undergo a security certification, but not undergo a CAC security assessment. And at the far end of the spectrum, the company is not required to complete any of the CBDT Mechanisms if it expects to transfer personal information of less than 10,000 individuals within a year.
“Negative List” for Companies in Pilot Free Trade Zones
The Draft Provisions authorize pilot free trade zones (“Pilot FTZs”) to develop a “negative list” of categories of data. When transferring data out of a Pilot FTZ to overseas, a company is required to use a CBDT Mechanism only if the data falls on the Pilot FTZ’s “negative list.” Currently, there are more than 20 Pilot FTZs in different cities across mainland China, such as Shanghai, Beijing, Shenzhen, Guangzhou, and Xiamen, though none has yet drafted its negative list.
This framework echoes the recent Opinions of the State Council on Further Optimizing the Foreign Investment Environment and Increasing the Efforts to Attract Foreign Investment, which call for issuance of a “list of general data” that could be freely transferred out of China without adopting any of the CBDT Mechanisms.
Crowell & Moring Observations
The Draft Provisions demonstrate that China is trying to strike a balance between enhancing data security and promoting data-driven economic growth by eliminating many restrictions on cross-border data transfers. If adopted in their current form, the Draft Provisions would significantly reduce the burden for companies that would otherwise be subject to a CBDT Mechanism. They also help pave the way for influxes of new foreign investment, at a time when the United States is tightening controls on its investment in the PRC.
However, the Draft Provisions do not exempt companies from other obligations under existing PRC data protection law, such as obtaining separate consent from relevant data subjects if the legal ground of the processing is consent.
The timing for the CAC to finalize the Draft Provisions is not clear. We anticipate that the Draft Provisions will be finalized quickly, given that the CAC has provided only an 18-day public comment period, compared with the usual one-month period. We would recommend that companies considering the security assessment, SCCs, or security certification revisit their previous analysis based on the changes introduced in the Draft Provisions.
For further information, please contact:
Evan Y. Chuck, Partner, Crowell & Moring
echuck@crowell.com