In an effort to improve free data flow, the Cyberspace Administration of China (CAC) proposed a document that, if approved, would significantly reduce the restrictions on cross-border data transfers (CBDT). The Regulations on Regulating and Facilitating Cross-border Data Flow (Draft Regulations) were presented for public comment last September.
The Draft Regulations provide several important exceptions allowing the cross-border transfer of personal data without having to execute China’s Personal Data Export Standard Contract (the Standard Contract), or to file it and obtain approval from the government.
China’s authorities have signalled several times their intention to ease the regulations on data transfers for foreign companies, in particular since the country reopened its borders following the pandemic and began striving to attract more foreign investment to boost the local economy.
In August 2023, a set of measures for optimizing the foreign investment environment from the State Council, China’s cabinet, called for establishing “green channels” for qualified foreign companies to export data, and to pilot a list of “general data” that can be transferred freely across the border in Beijing, Tianjin, and Shanghai.
The new draft regulations contain 11 proposals to ease the data transfer compliance burden for companies and “further standardize and promote the orderly and free flow of data in accordance with the law”.
Exceptions for Personal Data Export
The proposed exceptions include:
Transfer of employee data necessary for the purpose of HR management
Transfer of personal data for the purpose of performing a contract, such as online shopping, hotel/flight booking, visa applications, etc.
Transfer of no more than 10,000 individuals’ personal data per year
If any of the above exceptions apply, there is no requirement to sign or file a Standard Contract, to file a personal data privacy impact assessment, or to pass a government security assessment.
The cybersecurity regulator’s draft rules also state that data generated during international trade, academic cooperation, manufacturing, and marketing can be sent overseas without government oversight, as long as they don’t include personal information or “important data.”
If approved, these exceptions would ease the Standard Contract signing and filing burden for multinational companies operating in China.
Lower Threshold of Government Security Assessment
The Draft Regulations also lower the thresholds for undergoing a mandatory government security assessment:
Under the current rules, a mandatory assessment must be done if the export involves more than 100,000 individuals’ data per year or 10,000 individuals’ sensitive data per year. The Draft Regulations propose that a mandatory assessment be required only if more than 1 million individuals’ data is to be exported cumulatively.
The Draft Regulations further propose that the mandatory assessment apply only to the “export” of 1 million individuals’ data. Under the current rules, a mandatory assessment is required of a data exporter (controller) that processes 1 million individuals’ data locally, even if it exports only a small amount of that data.
Under the Draft Regulations, if a company expects to export the personal information (PI) of between 10,000 and one million people within a year, it can choose to undergo PI protection certification or enter into a standard contract (it will not need to undergo a security assessment).
This raises the cap for this type of mechanism from 100,000 people to one million. Only when a company expects to export the data of over one million people in a year will it be required to undergo a security assessment.
The Draft Regulations also include specifications on issues of interest for multinational companies and businesses, such as:
Business/marketing data (other than personal data and Important Data) can be freely transferred.
The definition of “important data” will be provided by the government, either through public announcement or specific notice. Accordingly, businesses will not need to judge for themselves what counts as important data.
Implementation of a data “negative list” in free trade zones
The draft regulations propose that China’s free trade zones (FTZs) formulate data “negative lists” of the types of data for which a company must undergo one of the data transfer mechanisms and receive approval from the CAC to export.
Under this system, any data types not included in the negative list could be freely exported through the FTZs, without the company needing to meet any further requirements.
The public comment period ended on October 15, and a final version of the Draft Regulations is expected to be released soon. Until then, the current regulations, which require implementation by December 1, 2023, for existing data transfers, remain valid. The changes that the Draft Regulations propose are a welcome improvement and alleviate the compliance burden on international companies. But their full implementation may take some time, which means that businesses will have to wait and, in the meantime, comply with the current regulations.
Last year, the Cyberspace Administration of China (CAC) published the Measures on Security Assessment of Cross-Border Data Transfer (the Security Assessment Measures), which establish the security framework for cross-border data transfers.
In addition to this, the CAC also issued an interpretation guideline (the “Interpretation Guideline”). These documents lay out the ground rules for the security assessment filing for cross-border data transfers that was stipulated in the Cybersecurity Law (CSL), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL).
Under China’s PIPL, companies must meet certain requirements and undergo a security assessment to transfer or process the personal information (PI) of consumers and users in China. However, many of these requirements had not been specified in the law itself, leaving companies uncertain of their obligations under the law and how to comply with it.
The documents act as a guide for entities and certification agencies that help companies in transferring the personal information of Chinese citizens overseas, putting forward the basic principles for processing and protection of personal information, requirements for all relevant parties in cross-border processing activities, and protection of the rights and interests of personal data.
The specifications define rules for contracts, the obligations of persons in charge, and requirements for conducting data protection impact assessments (DPIA). They serve to clarify the conditions in Article 38 of the PIPL, which states that companies transferring data outside of China due to business needs must meet certain requirements and undergo a security review.
Current Conditions for Data Transfer
Undergo a security review organized by the CAC, except when exempted in relevant laws and regulations.
Undergo PI protection certification by a professional institution in accordance with the regulations of the CAC.
Sign a contract with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC.
Meet other conditions set by the CAC or relevant laws and regulations.
According to Article 38, companies must adopt necessary measures to guarantee that the overseas recipient of the data complies with the requirements and regulations for processing and protecting personal information stipulated in the law.
Personal information refers to any data that can be used to identify an individual, such as names, phone numbers, and IP addresses. The PIPL also includes “sensitive” personal information, such as biometric data (fingerprints, iris recognition, facial recognition, and DNA), medical history and financial accounts, among others.
The “processing” of personal information is defined as “the collection, storage, use, processing, transmission, provision, publication, and erasure of personal information”.
Not all companies are required to undergo a security assessment before transferring data overseas. The measures reiterate the requirements outlined in previous legislation, which stipulated that companies such as ‘critical information infrastructure’ operators (CIIOs) and state agencies that gather data from Chinese users must undergo a security assessment before being allowed to transfer data overseas.
Entities not considered CIIOs or that handle smaller volumes of data may be able to get clearance to transfer data or PI overseas by simply signing a ‘standard contract’ with the overseas recipient. This procedure is simpler than the CAC security review as it does not require an external audit.
Security Assessment by the CAC
Until the new draft regulations are approved, companies must undergo a security assessment in any of the following circumstances:
Data processors providing “important” data overseas.
CIIOs and data processors that process PI of more than 1 million people providing PI overseas.
Data processors that have transferred the PI of over 100,000 people or the “sensitive” PI of over 10,000 people overseas since January 1 of the previous year.
Other situations in which the CAC requires a data export security assessment to be declared.
The security assessment measures define the scope of ‘important’ data as “data that may endanger national security, economic operation, social stability, or public health and safety once tampered with, destroyed, leaked, or illegally obtained or used”.
Remote access to and processing of the personal information of Chinese users stored in China by overseas employees is also treated as cross-border processing, and is subject to the same requirements as if the company were transferring the information to overseas facilities.
The Guidelines are applicable to two types of cross-border transfers: (1) internal cross-border transfers within one multinational company or one economic/business entity; and (2) cross-border transfers by foreign entities that analyze and assess the behavior of the individuals located in China subject to the extra-territorial jurisdiction of the PIPL.
Woodburn Accountants & Advisors is one of China’s most trusted business setup advisory firms. Woodburn Accountants & Advisors is specialized in inbound investment to China and Hong Kong. We focus on eliminating the complexities of corporate services and compliance administration. We help clients with services ranging from trademark registration and company incorporation to the full outsourcing solution for accounting, tax, and human resource services. Our advisory services can be tailor-made based on the companies’ objectives, goals and needs which vary depending on the stage they are at on their journey.
Can Woodburn help you? We are offering a free 30-minute call in which we discuss the obstacles you are encountering on your China business journey and how we can help accelerate your success.
DISCLAIMER: All information in this article is verified to the best of our ability and is assumed to be correct at time of release; however, Woodburn Accountants & Advisors does not accept responsibility for any losses arising from reliance on the information provided within. The information provided is for general guidance and does not replace specialized advice.