China Relaxes Cross-Border Data Transfer Regime

On 22 March 2024, the Chinese regulator published new provisions on cross-border data transfer, aiming to relieve market players of compliance burdens.

25 March 2024

Publication

On 22 March 2024, the Cyberspace Administration of China (CAC) issued the Provisions to Promote and Regulate Cross-Border Data Flows (Provisions) (original text in Chinese is available here), which took effect on the same day and introduced exemptions and relaxations to certain compliance requirements under China¹’s cross-border data transfer regime.

Prior to the implementation of the Provisions, a personal information processor (ie the equivalent of a “data controller” under the EU General Data Protection Regulation) transferring personal information out of China (Data Exporter) would have to adopt one of three transfer mechanisms, depending on the nature of the Data Exporter and the number of data subjects involved:

  • passing a security assessment conducted by the CAC (Security Assessment);
  • concluding and filing a standard contract formulated by the CAC (Standard Contract); or
  • obtaining a certification for personal information protection issued by a professional agency designated by the CAC (Certification).

(Each a “Safeguard”, together the “Safeguards”)

With the implementation of the Provisions, activities / Data Exporters that fall within the exemptions are not required to adopt the Safeguards before transferring personal information out of China. Since the consultation draft of the Provisions was published last September, it has attracted tremendous attention and expectation from market players, being widely seen as a business-friendly initiative from the Chinese regulators. Compared with the consultation draft, the final form of the Provisions has amended the criteria for several exemptions, which could be good news for some Data Exporters but disappointing for others.

Exempted transfers

The exemptions can be grouped into the following four categories.

Small-scale transfer: pre-conditions for this exemption include that: (i) the Data Exporter is not a Critical Information Infrastructure Operator (CIIO) as identified by the competent regulators; and (ii) counting from 1 January of the current year, the Data Exporter has transferred personal information of less than 100,000 individuals and no sensitive personal information outside of China (Article 5(4) of the Provisions).

This exemption is particularly relevant to small and medium enterprises as well as larger companies conducting business-to-business activities, where the data transfer usually involves a relatively small number of data subjects.

In the consultation draft, the threshold for the number of data subjects was 10,000, regardless of whether the transfer involved sensitive personal information. Although the volume threshold is raised to 100,000 in the final Provisions, this “small-scale transfer” exemption will not apply to any transfer involving sensitive personal information.

If, counting from 1 January of the current year, a non-CIIO Data Exporter has transferred (i) general personal information of 1,000,000 individuals or more, or (ii) sensitive personal information of 10,000 individuals or more, it must undergo a Security Assessment. Where the transfer involves general personal information of more than 100,000 and less than 1,000,000 individuals and sensitive personal information of less than 10,000 individuals, the non-CIIO Data Exporter may choose between the two less onerous Safeguards of Standard Contract filing or Certification (Article 7(2) and Article 8 of the Provisions).

What remains unclear is whether transfers of an “on-going” nature (eg storing data overseas) should be counted in every year for as long as the data remains overseas, or only in the year the data first crosses the border. For example, where a non-CIIO company has been continuously storing the contact details of more than 1,000,000 clients in total on an overseas server, but only 1,000 of them were uploaded after 1 January 2024, it could, depending on how the calculation goes, be subject to the Security Assessment or totally exempted from taking any Safeguard.

Specific exempted scenarios:

  • contract necessity – where the transfer of personal information is truly necessary to perform a contract to which the individual is a party. Typical examples mentioned under the Provisions include cross-border e-commerce / postal and delivery service / payment and remittance / account opening, overseas travel booking, visa application and examination services, etc (Article 5(1) of the Provisions). This exemption may provide particular relief for organisations that conduct cross-border retail and travel businesses;
  • human resource management – where the transfer of personal information is truly necessary to conduct cross-border human resource management in accordance with employment rules and collective employment agreements established according to law (Article 5(2) of the Provisions). Multinational organisations that adopt collective employment agreements in China, for example in manufacturing and retail sectors, will no doubt benefit from this exemption. It is unclear yet whether this exemption can be broadly interpreted to cover multinational companies using one-on-one employment contracts and performing “cross-border human resource management” based on internal HR policies; and
  • emergency – where the transfer of personal information is truly necessary under emergency situations for protecting the life, health and property of a natural person (Article 5(3) of the Provisions).

The key question pending further clarification is what constitutes “necessity” in these scenarios. If the same service / solution can be provided by a local vendor, is transferring personal information to an overseas vendor (eg an HR system provider) then arguably not necessary?

Negative lists in free trade zones: the Provisions also grant free trade zones (FTZs) the power to publish their own “negative lists” (subject to approval by the provincial cybersecurity authority and filing with the CAC and the national data management authority). Where a Data Exporter incorporated within an FTZ transfers personal information that is not on the FTZ’s negative list, the transfer will be exempted from the Safeguards (Article 6 of the Provisions).

Currently the Shanghai FTZ has published plans to issue such negative lists, especially for the financial and asset management sectors, while the Guangdong FTZ focuses on facilitating convenient data flows within the Guangdong-Hong Kong-Macau Greater Bay Area (“GBA”; for more details about the specific data transfer mechanism in the GBA, please read our previous commentary).

Personal information “passing through” China: pre-conditions for this exemption include: (i) the personal information concerned was originally collected or generated outside China; and (ii) when processed within China, no personal information of China-based individuals or important data has been attached to the personal information concerned (Article 4 of the Provisions). This exemption may be particularly helpful for those organisations that operate regional headquarters / data centres or offshore data processing services in China.

The Provisions do not specify how to determine whether the personal information was “originally collected or generated outside China” – for example, if personal information of Chinese residents is collected via a website hosted outside of China, would that be deemed onshore or offshore collection? One way to interpret this exemption is by reference to its legislative and regulatory purposes. As China’s Personal Information Protection Law (PIPL) aims to protect the personal information of individuals in China, and the country has published multiple policy documents to promote offshore data processing business, our view is that this exemption relates to the personal information of non-China residents that is processed within China and then transferred abroad again.

Prolonged valid period for Security Assessment approvals

In addition to the exemptions, the Provisions also extend the validity period of Security Assessment approvals from two years to three years. This is a welcome change, especially considering that in practice most Security Assessment applications take months to complete. Further, according to the Provisions, once the initial three-year period expires, the Data Exporter can apply for an extension of another three years (Article 9 of the Provisions).

What remains unchanged

Personal information: the Provisions do not exempt Data Exporters from other compliance requirements for cross-border data transfer under the PIPL. In particular, Data Exporters should obtain separate consent from the data subjects involved where applicable and conduct personal information protection impact assessments (Article 10 of the Provisions).

Important data: a Security Assessment is still required for transferring any “important data” out of China. “Important data” is defined as data that, once tampered with, damaged, leaked or illegally obtained or used, may harm national security, the economy, social stability, public health or public security. Pursuant to China’s Data Security Law, specific catalogues of important data will be formulated by regional and sectoral regulators.

While this obligation remains unchanged, the Provisions clarify that, if the data to be transferred abroad has not been publicly identified as important data by the competent regulators, or specifically notified to the Data Exporter as important data, there is no need to undergo the Security Assessment. This will provide more certainty for market players in heavily regulated sectors such as finance and life sciences, given the sensitivity of the data in their possession.

Compared with the cross-border transfer of personal information, Chinese regulators are less likely to relax the restrictions on transferring important data out of China. That said, a positive trend revealed by recent draft standards is that Chinese regulators may narrow the scope of important data to data that concerns specific areas, groups of people or regions, or that reaches a certain level of precision, and that may cause direct harm to national security, the economy, social stability, public health or public security.

Underlying logic of the change of rules

Since the implementation of the three Safeguards in late 2022, cross-border data transfer compliance has been a challenging issue for many businesses in China. The long review process and low pass rate of the Security Assessment and Standard Contract filing have cast a shadow over the operations of many multinational companies.

The publication of the consultation draft in September 2023 was widely welcomed by market players. It demonstrates the Chinese government’s effort to lessen the burdens on businesses and to reassure foreign investors of a friendly policy environment and steady adherence to the “opening-up” policy. Between late July and August 2023, top officials of China’s central government signalled the urgency of opening up the local market to attract foreign investment, including Premier Li Qiang’s statements on several occasions that it is necessary to explore a “new model” for cross-border data management.

It is worth noting that data protection not only concerns the privacy rights of individuals, but is also a key factor in economic growth and national security in today’s digital world. China’s data regulatory regime is likely to keep evolving as it tries to strike a balance among the interests of individuals, business organisations and the sovereign state.

What’s next?

With the Provisions now finalised, many companies are facing practical implementation questions. These include the precise definition and scope of the exemption conditions, how to deal with decisions received on previous applications (especially rejections), and what to do with pending applications where the transfer is now exempted.

Along with the Provisions, the CAC also published the updated guidelines for Security Assessment and Standard Contract filing respectively, as well as its responses to media queries, which provide answers to some of these questions. The key takeaways to be noted include:

  • overseas processing of the personal information of China-based individuals will be deemed as a form of cross-border transfer;
  • if a Security Assessment application was previously rejected in whole or in part, and the relevant transfer activity can now be exempted from the Security Assessment in accordance with the Provisions, the Data Exporter may transfer the personal information out of China through other means permitted by the Provisions;
  • for any submitted and pending applications of Security Assessment and Standard Contract filing, which are now exempted by the Provisions, the relevant applicants may either continue the application process or withdraw their applications;
  • non-CIIO Data Exporters may submit applications for Security Assessment and Standard Contract filing through the new online portals;
  • applicants for Security Assessment are required to explain the purposes of and necessity for transferring each type of personal information out of China and to provide consent samples (if applicable); and
  • applicants for Security Assessment and Standard Contract filing are no longer required to conduct assessments of the data protection laws and policies of the destination jurisdiction.

Market players should also closely monitor the data transfer negative lists of the FTZs. In particular, financial institutions and asset managers should pay attention to the Shanghai FTZ, which has pledged to accelerate and promote cross-border flows of financial data, while companies with a strong business presence or regional headquarters in the GBA should watch the Guangdong FTZ. Companies may also consider lobbying efforts in relation to policy making in the FTZs.

Another area to watch is the sectoral rules in relation to data protection, including the catalogues of important data. Several sectoral regulators have already been quite active in data and privacy protection, including, among others, the People’s Bank of China, the National Administration of Financial Regulation, the State Administration for Market Regulation, and the Ministry of Industry and Information Technology.

¹ For the purposes of this article, “China” refers to the mainland of the People’s Republic of China, excluding the Hong Kong and Macau Special Administrative Regions and the Taiwan region.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.