On 22 March 2024, the Cyberspace Administration of China (the “CAC”) issued the Provisions on Regulating and Promoting Cross-border Data Transfers (the “Promoting Cross-Border Data Transfer Provisions” or “Promoting CBDT Provisions”), signalling a relaxation of China’s administration of cross-border data transfers. The Promoting CBDT Provisions relax cross-border data transfers in several aspects, including providing clear guidance for determining what constitutes “important data”, providing exemption of channel option requirements for certain cross-border personal information transfer activities, modifying the threshold number of transferred personal information that is subject to the security assessment by the CAC, and allowing free trade zones to formulate their own negative lists for cross-border transfer.
On the same day, the CAC also released updated versions of the Guidelines for Applying for Security Assessment for Data Outbound Transfer and the Guidelines for Filing Standard Contracts for Personal Information Outbound Transfer to align with the changes in the Promoting CBDT Provisions.
We will discuss in below the following aspects of the Promoting CBDT Provisions:
- Brief background on China’s cross-border data transfer regulations
- Key changes introduced by the Promoting CBDT Provisions
- Clarification on how to determine "important data"
- Exemptions for certain cross-border personal information transfer activities
- Modification of the threshold for Security Assessment
- Pilot programs in free trade zones
Brief background
Article 38 of the Personal Information Protection Law (the “PIPL”) stipulates that a data handler may transfer personal information outside of China if one of the following three conditions (each as a “Channel Option”) is met:
- apply for and pass the security assessment by the CAC (the “Security Assessment”);
- sign and file the standard contract with the provincial counterpart of the CAC (the “Standard Contract”); or
- Obtain the personal information protection certification for cross-border personal information transfer from an approved institution (the “PIP Certification”).
To further clarify how to implement the Security Assessment, Standard Contract, and PIP Certification, the CAC has successively issued several regulations, including the Measures for Security Assessment of Cross-border Data Transfer (the “Security Assessment Measures”) (effective 1 September 2022), the Implementation Rules on Personal Information Protection Certification (the “PIP Certification Rules”) (effective 4 November 2022), and the Measures on Standard Contract for Cross-border Personal Information Transfer (the “SCC Measures”) (effective 1 June 2023).
The Security Assessment Measures, the PIP Certification Rules, and the SCC Measures imposed stringent compliance requirements on cross-border personal information transfers. Given the burdensome compliance efforts and costs these strict rules placed on companies, as well as China's policies to attract foreign investment, Chinese regulators issued the draft of the Promoting CBDT Provisions on 28 September 2023, which were finalized and became effective immediately upon its issuance on 22 March 2024.
Key changes in the Promoting CBDT Provisions
A. Clarification on how to determine “important data”
Although Article 38 of the PIPL only restricts the exportation of personal information, the Data Security Law and the Cybersecurity Law provide general provisions on the exportation of important data—that is, it should be handled in accordance with the provisions of the CAC and relevant departments of the State Council. According to the Security Assessment Measures, to export important data, the data handler shall apply for and pass the Security Assessment.
The Security Assessment Measures define important data as data that may endanger national security, economic operation, social stability, public health and safety, if it is tampered with, destroyed, leaked, or illegally obtained or used. However, this definition of important data is broad. In practice, it is difficult to determine whether relevant data constitutes important data based on this broad definition, and thus confirm whether its exportation requires a Security Assessment, which has caused some confusion for many companies in practice.
The Promoting CBDT Provisions provide clear guidance for determining important data. Article 2 of the Promoting CBDT Provisions clearly states that if the relevant departments or regions have not informed or publicly released certain data as important data, data handlers do not need to apply for a Security Assessment for the exportation of such data. Therefore, if the data processed by a data handler has not been informed or publicly released as important data by the relevant departments or regions, there is no need to apply for a Security Assessment for its exportation.
B. Exemptions for certain cross-border personal information transfer activities
According to Article 5 of the Promoting CBDT Provisions, under the below circumstances NO Channel Option is required for the cross-border transfer of personal information:
- Contract Necessity: Where it is necessary to provide personal information outside of China for the purpose of concluding or performing a contract to which the individual is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, flight ticket and hotel reservations, visa processing, and examination services;
- Global HR Management Necessity: Where it is necessary to provide employees' personal information outside of China for the implementation of cross-border human resource management in accordance with employment administration rules and regulations formulated in accordance with the relevant laws and regulations and collective contracts signed in accordance with the relevant laws and regulations;
- Safety Emergency Necessity: Where it is truly necessary to provide personal information outside of China in emergency situations to protect the life, health, and property safety of natural persons; or
- Small Scale Transfer: Where a data handler that is not a critical information infrastructure operator (a “CIIO”) cumulatively provides personal information (excluding sensitive personal information) of less than 100,000 individuals outside of China since January 1 of the current year.
C. Modification of the threshold for Security Assessment
According to the Security Assessment Measures, a Security Assessment was required in the following situations:
- Where a data handler exports important data;
- Where a CIIO, or a data handler that processes the personal information of more than 1 million individuals exports personal information (a “Large Scale Handler”); or
- Where a data handler that cumulatively exports personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals since January 1 of the previous year.
The Promoting CBDT Provisions do not relax the Security Assessment requirement for the exportation under item (1) and (2) above, which means the exportation of important data, and the exportation of personal information by a CIIO or a Large Scale Handler, are still subject to the Security Assessment requirements.
However, Article 7 of the Promoting CBDT Provisions modifies the number threshold set forth in the above item (3) by modifying the threshold numbers for applying for a Security Assessment to cumulatively exporting over 1 million individuals' personal information, or cumulatively exporting over 10,000 individuals' sensitive personal information. In addition, the calculating period is modified from the previous two years (i.e., the calculation for the cumulative number starts from 1 January of the preceding year) to one year (i.e., the calculation for the cumulative starts from 1 January of the current year).
D. Pilot programs in free trade zones
Article 6 of the Promoting CBDT Provisions stipulates that free trade zones may, within the framework of the national data classification and grading protection system, formulate their own negative lists of data that is subject to the Channel Option requirements within the zone (the “Negative List”), which shall be approved by the provincial CAC and filed with the national CAC and the national data management department. Data handlers in free trade zones that export data outside the Negative List may be exempt from the Channel Option requirements.
Conclusion
The Promoting CBDT Provisions demonstrate China's efforts to relax its cross-border data transfer rules. The clarification of important data, exemptions for certain transfer activities, modification of Security Assessment thresholds, and pilot programs in free trade zones are expected to ease the compliance burden on companies and facilitate smoother cross-border data flows. As China continues to refine its data protection framework, businesses should stay informed of the latest regulatory developments and adapt their compliance strategies accordingly.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our privacy policy.