On March 22, 2024, the Cyberspace Administration of China (CAC) enacted the official Provisions on Promoting and Regulating Cross-border Data Flow (Provisions), the second editions of the Guidelines for Application for the Security Assessment of Data Cross-Border Transfer, and the Guidelines for Filing of the Standard Contract for Personal Information Cross-Border Transfer to ease cross-border data transfers.
The Provisions relax the enforcement of requirements for security assessment, protection certification or standard transfer contracts by providing certain exemptions and increasing triggering thresholds under the Security Assessment Measures for Outbound Data Transfers effective September 1, 2022, and the Measures for the Standard Contract for Outbound Transfer of Personal Information effective June 1, 2023.
Exemptions
According to the Provisions, data handlers will not be required to (i) apply for a cross-border transfer security assessment, or (ii) conclude a standard cross-border transfer contract, or (iii) pass a personal information protection certification for:
(1) transferring data collected or generated in international trade, cross-border transportation, academic cooperation, transnational manufacturing, production and marketing (if not containing personal information or important data);
(2) transferring personal information collected or generated abroad and transmitted to China for processing (if no domestic personal information or important data is incorporated during processing);
(3) transferring personal information that is necessary for concluding and performing a contract to which an individual is a party, e.g., cross-border shopping, mailing, wiring, payment, booking, etc.;
(4) transferring personal information of employees that is necessary for the cross-border HR management in accordance with the labor rules and policies formulated or collective contracts signed according to law;
(5) transferring personal information that is necessary for protecting life, health or property in an emergency;
(6) transferring, by data handlers other than critical information infrastructure (CII) operators, personal information of fewer than 100,000 individuals cumulatively in a year from January 1 of the year (not including sensitive personal information) (and items (3), (4), (5) and (6) shall not contain important data); or
(7) transferring by data handlers in the free trade zones (FTZs) of data outside the negative lists formulated by the FTZs.
The implementation of the exemptions under the Provisions may need to be tested in practice and further clarified by CAC, e.g. as to the criteria of “necessity” in exemptions (3), (4) and (5), the formulation of specific negative lists by the FTZs in exemption (7), and whether “data handlers in the FTZs” means handlers that are registered and located in the FTZs and physically process data there.
Security Assessment, Protection Certification, Standard Transfer Contract
Unless any of the exemptions are applicable, non-CII data handlers shall:
(i) conclude a standard cross-border transfer contract with the overseas recipient or pass personal information protection certification for transferring, cumulatively in a year from January 1 of the year, (a) personal information of 100,000 individuals or more and fewer than 1,000,000 individuals (not including sensitive personal information) or (b) sensitive personal information of fewer than 10,000 individuals; or
(ii) apply for cross-border transfer security assessment for transferring (x) important data, or, cumulatively in a year from January 1 of the year, (y) personal information of 1,000,000 individuals or more (not including sensitive personal information) or (z) sensitive personal information of 10,000 individuals or more.
Unless any of the exemptions are applicable, CII data handlers shall apply for cross-border transfer security assessment for transferring: (a) personal information or (b) important data.
The table below generally summarizes the exemption and application of the transfer mechanisms.
General Implications
Non-CII data handlers concerned about compliance risks and cost should try to avoid transferring important data. Important data is defined as data that, once tampered with, destroyed, leaked, illegally obtained or used, may endanger national security, economic operations, social stability, or public health and security, and is subject to catalogue(s) to be formulated by the relevant authorities. The Provisions provide that data will not be deemed “important data” unless it has been specifically categorized and announced or notified as important data by the relevant departments or regions.
It is advisable for non-CII data handlers to further refrain from transferring any sensitive personal information (unless any of exemptions (3), (4) or (5) applies), or to keep the transfer of sensitive personal information under 10,000 individuals and the transfer of non-sensitive personal information under 100,000 individuals in a year. Given that the transfer of sensitive personal information may be hard to prevent in practice, businesses may consider registering in, and relocating their data processing activities to, the FTZs for purposes of data and personal information processing and cross-border transfer once the relevant FTZs’ negative lists are published and there is more clarity on the applicability of the FTZ negative list exemption.