China Moves To Ease Cross Border Data Transfer Regulations

ECFO
November 22, 2023 

On September 28, 2023, the Cyberspace Administration of China (CAC) released the Draft Provisions on Regulating and Facilitating Cross-Border Data Flow (the “Provisions”) for public consultation. The consultation closed on October 15, 2023. If adopted, the Provisions will ease China’s current requirements on cross-border data transfer (CBDT) for foreign companies and multinationals, and will bring more clarity to China’s compliance requirements and review standards for CBDT activities.

Current CBDT regulations complicate compliance for foreign companies

China’s current CBDT rules are spread across a series of laws and regulatory documents, most notably the Personal Information Protection Law (PIPL). Under the PIPL, an organization that wishes to transfer data subjects’ personal information outside of China must satisfy one of the following CBDT mechanisms, the applicable one depending on its industry sector, the type of data being transferred, and the volume of data being transferred:

  1. Undergo a security assessment organized by the CAC, except where exempted by relevant laws and regulations;
  2. Obtain a personal information (PI) protection certification from a professional institution in accordance with CAC regulations; or
  3. Enter into a standard contract (commonly referred to as the Standard Contractual Clauses, or SCC) with the overseas data recipient, stipulating the rights and obligations of both parties in accordance with CAC regulations.

Each of these mechanisms is governed by its own set of measures, which has posed significant challenges for the China operations of many multinational organizations. First, the current regulations define “important data” and “sensitive personal information” ambiguously, leaving organizations unsure which data triggers which mechanism. Second, organizations must conduct further internal assessments and consult their local CAC office to determine the appropriate mechanism to follow. Lastly, those unable to comply with the current CBDT rules may have to restructure their China operations, for example by reducing their data exports or relocating their data centers, in order to achieve compliance.

The Provisions will waive CBDT mechanisms for select entities and data transfers

Should the Provisions be adopted, organizations that expect to export the personal information of fewer than 10,000 individuals within one year will be exempt from all three CBDT mechanisms.

The Provisions will also exempt organizations from the CBDT mechanisms if their data export falls under one of the following cases:

  • the data is generated in international trade, academic cooperation, cross-border manufacturing or marketing activities, and contains neither “important data” nor personal information;
  • the personal information is necessary to enter into or perform a contract to which the individual is a party, e.g. cross-border purchases, cross-border remittances, flight and hotel reservations, visa applications, and so on;
  • the personal information of internal employees is necessary for human resources management in accordance with labor rules, regulations, and collective contracts;
  • the personal information is necessary to protect the life, health or property of natural persons in an emergency.

The Provisions will exempt certain organizations from undergoing security assessment

The CAC’s Measures for Security Assessment of Outbound Data Transfers require companies that meet any of the following criteria to undergo a security assessment before exporting data, instead of relying on the other two mechanisms provided by the PIPL:

  • Companies that export “important data” overseas;
  • Companies that are critical information infrastructure operators (CIIOs);
  • Companies processing the personal information of more than 1 million individuals;
  • Companies that have cumulatively exported the personal information of more than 100,000 individuals since January 1 of the previous year;
  • Companies that have cumulatively exported the “sensitive” personal information of more than 10,000 individuals since January 1 of the previous year.

Should the Provisions take effect, two of these triggers are relaxed:

  • Data that has not been notified to the organization, or publicly announced, as “important data” by the relevant government department or region need not be treated as important data for the purpose of the security assessment;
  • Personal information exports expected to cover more than 10,000 but fewer than 1 million individuals within one year no longer trigger a security assessment.

Organizations that do not meet the criteria for a security assessment must still obtain a personal information (PI) protection certification or enter into an SCC with the overseas data recipient, unless one of the exemptions above applies.

“Important data” is defined as “data that may endanger national security, economic operation, social stability, or public health and safety if tampered with, destroyed, leaked, illegally obtained, or illegally used”. This definition comes from the Draft Measures for Data Security Management issued in May 2019; it is broad and is subject to further interpretation by industry-specific authorities. “Sensitive” personal information is defined as personal information that, once leaked or illegally used, may easily lead to the infringement of a natural person’s dignity or endanger their personal or property safety. It includes but is not limited to: biometric data, religious beliefs, specific identities, medical and health information, financial accounts, whereabouts and location data, and any personal information of minors under the age of 14. [1]

CIIOs (Critical Information Infrastructure Operators), meanwhile, are operators of important network facilities and information systems in key industries and sectors such as public communication and information services, energy, transport, water conservancy, finance, public services, e-government and national defense science and industry, as well as of any other important network facilities and information systems whose destruction, loss of function or data leakage may seriously endanger national security, the national economy and people’s livelihood, or the public interest. [2]

The Provisions revise volume thresholds triggering other CBDT mechanisms

For organizations whose personal information exports fall below the volume thresholds that trigger a security assessment, the current CBDT regulations require either a PI protection certification or a Standard Contractual Clause (SCC). These are organizations with the following data exports:

  • cumulative export of the personal information of 100,000 individuals or fewer since January 1 of the previous year;
  • cumulative export of the sensitive personal information of 10,000 individuals or fewer since January 1 of the previous year.

If adopted, the Provisions will require a PI protection certification or an SCC only from organizations expecting to export the personal information of more than 10,000 but fewer than 1 million individuals within one year. The change in wording from “cumulative” to “expected” data export also suggests that organizations will be able to base their compliance on an estimate of the coming year’s data exports, rather than on their past data exports.

Free trade zones may establish a “negative list” for data export

The Provisions will give China’s free trade zones (FTZs) the authority to formulate a “negative list”: a list of data that remains subject to one of the CBDT mechanisms when exported from the zone. Data that is not on the negative list can be exported from the FTZ without going through any of the mechanisms.

The Provisions demonstrate the CAC’s intention to simplify cross-border data transfer and foster a more business-friendly environment for foreign companies. Should the Provisions be implemented in their current form, many organizations will no longer need to undergo a security assessment, and organizations processing smaller amounts of personal information will be exempt from the CBDT mechanisms altogether.

One aspect the Provisions do not address is the definition of “important data”, which remains broad and subject to the interpretation of the CAC and sector regulators. While generic definitions exist in various Chinese laws, regulations and standards, a unified and specific definition of important data would make it considerably easier for organizations to determine which of their exports trigger a security assessment.

Furthermore, while the Provisions are a promising development, cross-border data transfers remain a multi-faceted operation for organizations with numerous compliance obligations to meet. The CAC retains the final authority to decide what to investigate, and the regulatory environment for data and information security may yet become stricter. Companies operating in China should therefore keep an up-to-date inventory of the data they export and the legal basis for each transfer, so that they can demonstrate compliance on request, while keeping an eye on further developments in China’s data regulations.

[1] The definition of “sensitive personal information” was introduced in the PRC Personal Information Protection Law (PIPL), effective November 1, 2021.

[2] The definition of Critical Information Infrastructure Operators (CIIOs) was introduced in the Regulation on Protection of Security of Critical Information Infrastructure (CII Security Regulation), published August 17, 2021.