
Navigating China’s New Data Export Regulations: Companies’ Permissible Omissions and Essential Actions

On 22 March 2024, the Cyberspace Administration of China (“CAC”) promulgated the Provisions on Regulating and Facilitating Cross-border Data Flow (“Provisions”). The Provisions took effect immediately on 22 March 2024.

The Provisions are a positive signal from the Chinese government towards smoothing and facilitating outbound data flow. According to the Provisions, some companies may be exempted from the obligation to pass a security assessment, file the standard contract recordal or obtain personal information protection certification. However, this conclusion cannot be reached lightly and needs to be analyzed on a case-by-case basis.

1. Exemptional Circumstances Where the Administrative Requirement For Cross-Border Transfer of Data Can Be Waived

According to Article 3, Article 4, Article 5 and Article 6 of the Provisions, if the cross-border transfer of data falls into any of the following circumstances, the administrative requirement of security assessment, standard contract recordal or personal information protection certification can be waived:

a)    If the outbound transferred data are collected and generated in international trade, cross-border transportation, academic cooperation, transnational manufacturing and marketing activities, and do not contain personal information or important data;

b)    If the outbound transferred personal information is originally collected and generated outside the country, and no personal information or important data from within the country is introduced during processing;

c)     If the outbound transfer of personal information is necessary for the purposes of entering into and performing contracts to which an individual is a party, such as cross-border shopping, cross-border shipping, cross-border remittance, cross-border payment, cross-border account opening, booking of air ticket and hotel, visa application, examination services, etc.;

d)    If the outbound transfer of employee’s personal information is necessary for implementing cross-border human resources management under an employment policy legally established or a collective contract legally concluded;

e)    If the outbound transfer of personal information is necessary for protecting the life, health or property safety of the natural person in case of emergency;

f)     If the data handler is not a critical information infrastructure operator (“CIIO”) and has cross-border transferred personal information (excluding sensitive personal information) of less than 100,000 individuals in aggregate since 1 January of the current year.

In addition, the Provisions provide that the pilot trade zones may formulate a list of data (“Negative List”), the cross-border transfer of data within which shall be subject to the security assessment, standard contract recordal and personal information protection certification. Such a Negative List shall be approved by the provincial cyberspace and information committee and recorded before the national cyberspace departments and national data management departments. After establishment of such a Negative List, companies within the pilot trade zones can freely transfer data outside the Negative List abroad without proceeding with the security assessment, or standard contract or personal information protection certification.

2. Confirmative Circumstances Where the Administrative Requirement For Cross-Border Transfer of Data Applies

With the Provisions taking effect, the statutory circumstances that trigger the administrative requirement have been adjusted. The Provisions clarify the applicable circumstances for the different administrative requirements as follows.

According to Article 7 of the Provisions, security assessment shall apply to the following circumstances:

· Cross-border transfer of personal information or important data by a CIIO;

· Cross-border transfer of important data by a normal data handler other than a CIIO, or such a data handler has cross-border transferred personal information (excluding sensitive personal information) of more than 1 million individuals or cross-border transferred sensitive personal information of more than 10,000 individuals in aggregate since 1 January of the current year.

According to Article 8 of the Provisions, standard contract recordal or personal information protection certification shall apply to the following circumstances:

· A normal data handler other than a CIIO has cross-border transferred personal information (excluding sensitive personal information) of more than 100,000 but less than 1 million individuals in aggregate since 1 January of the current year;

· A normal data handler other than a CIIO has cross-border transferred sensitive personal information of less than 10,000 individuals in aggregate since 1 January of the current year.

Nevertheless, it is specifically provided that if the aforesaid circumstances constitute the exemptional circumstances as stated above in Section 1, the administrative requirement can be waived.

3. What Should Companies Be Aware Of?

a)    Cross-border transfer of sensitive personal information in principle triggers the administrative requirement

According to Article 8 of the Provisions, even if the cross-border transfer of sensitive personal information involves less than 10,000 individuals in aggregate since 1 January of the current year, it will in principle be subject to the standard contract recordal or personal information protection certification.

Companies should further check whether the outbound transfer of sensitive personal information satisfies any exemptional circumstances where such an administrative requirement can be waived. The most relevant circumstance may be cross-border transfer of employee’s personal information for carrying out human resources management under an employment policy legally established or a collective contract legally concluded. Nevertheless, this may require an in-depth assessment of the types of sensitive personal information involved and review of the employment policy or contract. Therefore, it is not easy to conclude whether a company’s outbound data flow can be exempted from the corresponding administrative requirement.

b)    Cross-border transfer of important data in principle triggers the security assessment requirement

According to Article 7 of the Provisions, cross-border transfer of important data, no matter whether it is handled by a CIIO, shall be subject to the security assessment requirement. Nevertheless, if such cross-border transfer of important data satisfies any exemptional circumstances as stipulated under Article 3, Article 4, Article 5 and Article 6 of the Provisions, companies may be exempted from the security assessment requirement.

Based on the above, it is important for a company to determine whether its data constitute important data. According to Article 2 of the Provisions, if companies have not been notified that their data are important data, and their data have not been publicly released as important data by relevant departments or regions, they will not be required to conduct the security assessment as important data. This provides clear guidance for companies to determine whether important data are involved. If a company's cross-border transfer does involve important data, the company can further assess whether any exemptional circumstances may apply.

c)    Other obligations related to cross-border transfer of data shall be fulfilled

(1)   Notified consent and PIPIA are still required

According to Article 10 of the Provisions, for cross-border transfer of personal information, companies shall fulfill the obligations of notification and separate consent, as well as conducting a personal information protection impact assessment in accordance with the provisions of laws and administrative regulations. The requirement of separate consent can be waived under specific circumstances in accordance with the PRC Personal Information Protection Law, but it needs to be assessed on a case-by-case basis.

(2)   Data security protection and incident reporting are still required

Further, according to Article 11 of the Provisions, for cross-border transfer of data, companies shall fulfill the obligation of data security protection, and take technical measures and other necessary measures to safeguard the security of outbound data. If a data security incident occurs or is likely to occur, companies shall take remedial measures and promptly report to the cyberspace department at or above the provincial level and to other competent authorities concerned.

4. Conclusion

In general, the Provisions taking effect is good news for normal companies, which may be relieved of the administrative requirement for cross-border transfer of data. However, since most companies may be involved in cross-border transfer of sensitive personal information, companies need to make an in-depth assessment to determine whether the exemptional circumstances can apply. In addition, we recommend that companies pay more attention to compliance with other data protection obligations under PRC data laws, since the competent authorities are likely to strengthen their supervision and inspection in this regard.

Authors

Panpan Tang
Senior Associate
Shanghai
Spring Zhu
Associate
Shanghai