China Regulator Issues Administrative Measures and New Negative List for Cross-border Transfers in China (Beijing) Pilot Free Trade Zone
Friday, September 6, 2024
China Regulator Issues Administrative Measures
Print Mail Download info_icon_img/>i

On August 30, 2024, the Beijing Municipal Internet Information Office, Beijing Municipal Commerce Bureau and Beijing Municipal Government Services and Data Administration Bureau (“Regulator”) jointly issued the Data Export Management List (Negative List) of China (Beijing) Pilot Free Trade Zone (Version 2024) (“Negative List”) and the Administrative Measures for the Negative List (“Administrative Measures”).

The Administrative Measures propose rules referencing 13 categories and 41 subcategories of data and for uniform identification of important data. The Negative List lists five industries – automotive, pharmaceutical, retail, civil aviation and artificial intelligence – which are more important in practice for cross-border data transfers and outlines 23 business scenarios and 198 data elements for these industries. In certain of these scenarios, the Negative List relaxes the thresholds triggering the need for the security assessment, filing of the standard contract for cross-border transfers (“SC”) and certification of protection of personal information. The Regulator will update the Negative List over time as needed.

Applicable Entities

The Administrative Measures and Negative List apply to data handlers registered in the Beijing Municipal Pilot Free Trade Zone.

Important Data

If a data handler registered in the Beijing Pilot Free Trade Zone holds the following data, such data would be treated as “important data” and subject to stricter regulation:

  • personal information of more than 10 million individuals (excluding sensitive personal information);
  • sensitive personal information of more than one million individuals;
  • certain sensitive personal information of more than 100,000 individuals (g., relating to personal bank accounts, personal insurance accounts, personal registration accounts, personal diagnostic and treatment data);
  • personal information of more than 100,000 individuals held by operators recognized by the State as critical information infrastructure (“CII”);
  • high-value sensitive data related to industry competitiveness and industry production safety collected and generated during the R&D and design process, production and manufacturing process, and operation and management process;
  • data related to the supply chain involving national security;
  • parameters of automatic control systems and control, operation and maintenance, and test data; and
  • other important data in certain industries and fields.

Procedure for Cross-border Transfer by Application to the Negative List

If the data handler intends to rely on the Negative List for its data export activities, it must submit specified documentation through the Facilitated Service Platform of Beijing Municipal Data Cross-border Transfer (“Platform”) to the competent department of the Pilot Free Trade Zone in the district where it is registered (“Department”). The Department must publish the conclusion of its review on the Platform within 5 five business days after submission of the application documents. After passing the review, the data handlers must submit a filing for the data export activities. The Department must inform the data handler of the preliminary review opinion on whether its data export activities fall into the Negative List within 5 five working days after receipt of the filing documents. Upon completion of review of the filing, the Department must issue the filing notice. If the Department determines that the data export activities fall outside of the Negative List, the data handler may carry out the data export freely pursuant to the Administrative Measures. If the data export activities fall within the Negative List, the data handler must conduct the security assessment, file the SC or certify protection of personal information.

Negative List for the Retail and Modern Service Industry

The Negative List, in addition to identifying covered personal information and sensitive personal information, relaxes the thresholds triggering the need for the security assessment, filing of the SC or certification of protection of personal information only for the membership management scenario. In particular, the Negative List clarifies the scope of membership personal information, which includes but is not limited to name, nickname, contact information, gender/designation, region, address (including zip code, only if consumers choose international logistics or door-to-door after-sales service), user ID, member account number (other network identification information can be used) or number, nationality, age, date of birth, order number, serial number of the product identification code, members’' preferences (limited to the type of product, the number of digits, the preference language, the points redemption), title, and employer, transaction and consumption records that do not directly reflect personal property information (including the name of the product, time of purchase, purchase records, total price, type of transaction, member payment points, balance of member points, currency type), etc.

Also, the Negative List provides that the following personal information is sensitive personal information:

  • personal Internet browsing records (activity booking records, software lists, etc.), commonly used device information (MAC address and device serial number only), and member login verification information.

Scenario 1: Membership management

The data handler must conduct the security assessment for:

- cross-border transfer of more than five million (previously one million) individual customers’ membership personal information (excluding sensitive personal information) from January 1 of this year; or

- cross-border transfer of more than one million (previously 10,000) individual customers’ membership sensitive personal information from January 1 of this year.

The data handler must conduct the filing of the SC or certification of protection of personal information for:

- cross-border transfer of between 500,000 and 5 million (previously between 100,000 and 1 million) individual customers’ membership personal information (excluding sensitive personal information) from January 1 of this year; or

- cross-border transfer of between 100,000 and 1 million (previously less than 10,000) individual customers’ membership sensitive personal information from January 1 of this year.

The thresholds in all other scenarios in the retail and modern service industry remain unchanged.

Negative List for the Automobile Industry

Important data

In the automobile industry, the Negative List does not relax the thresholds triggering the need for the security assessment, filing of the SC or certification of protection of personal information but provides that the following data is important data in the automobile industry:

- geographic information, staff flow, vehicle flow and other data involving military administration zones, national defense science and industry units, and important and sensitive areas such as party and governmental offices at or above the county level; and the inappropriate disclosed information generated in the process of providing car networking information services to governmental organs, military industrial enterprises and other sensitive and important institutions;

- data of vehicle traffic, logistics, etc. reflecting economic performance;

- data that can reflect the operation of the network of charging facilities for vehicles in a certain region;

- out-of-vehicle video and image containing face information, plate information, street sign information, etc.;

- key Telematics data including vehicle remote control, vehicle operating conditions, etc.;

- contains online upgrading data such as vehicle control; contains aftermarket data such as electronic control units;

- data related to cyber-attacks that may be exploited to implement disruptions to the supply chain of critical equipment and system components of the Internet of Vehicles in order to launch high and persistent threats; data that may reflect to a certain extent the cybersecurity protection of critical information infrastructures (CII) in the transportation, traffic, and other industries and that may be exploited to implement cyber-attacks against the CII of the Internet of Vehicles; data related to the CII involved in the Internet of Vehicles' information services.

The Negative List is applicable to automobile manufacturers, parts and software suppliers, dealers, maintenance enterprises, and mobility service enterprises, etc. but not to autonomous driving enterprises. Sensitive personal information in the automobile industry includes vehicle tracking, audio, video, image and biometric information

Negative List for the Medical Industry

Important data

In the medical industry, the Negative List specifies that the following data are important data:

- diagnosis and treatment, health and physiological conditions, medical rescue and protection data, and experimental data on specific medicines for groups at or above a certain size;

Examples: Diagnosis and treatment data in the medical field involving more than 100,000 individuals, such as medical records, images, pathology, blood tests, genetic tests, etc., which are related to the life, health and safety of the people, the database of electronic medical records of more than 100,000 individuals and the database of health records of more than 100,000 individuals, as well as the results of mining and analysis of the above data, etc.; the data on the production, supply and protection of major medical supplies, such as important vaccines and strategically important basic medicines, etc.; and pharmaceutical experimental data, and experimental data related to the pharmaceutical manufacturing process and manufacturing facilities, which are related to national security.

- biometric data and medical resource data above a certain size in specific fields, groups and regions (note that biometric data includes physical, physiological or behavioral data, and medical resource data includes the number of medical and healthcare institutions, the number of beds, the number of medical and healthcare personnel, etc.);

- data subject to export control or technology export administration; and

- certain genetic data, including genetic data up to the scale or accuracy provided by the relevant State departments (note transfer of this type of data also requires for approval/filing by the National Health Commission other than the security assessment by Cyberspace Administration of China (the “CAC”). Clinical data, image, protein data and metabolic data are not considered to be genetic data.).

Cross-border Transfer of Personal Information

Scenario 1: Clinical trial and pharmaceutical development

In cases of cross-border transfer of an individual's basic personal information, medical treatment and health and physiological information, cumulative transfer of more than 50,000 (previously 10,000) individuals from January 1 of this year triggers the need for the security assessment and cumulative transfer of between 10,000 and 50,000 (previous less than 10,000) individuals from January 1 of this year triggers the need to file the SC.

Scenario 2: Pharmacovigilance, product complaints and medical inquiry

In cases of cross-border transfer of an individual’s basic personal information, medical treatment and health and physiological information, cumulative transfer of more than 100,000 (previously 10,000) individuals from January 1 of this year triggers the need for the security assessment and cumulative transfer of between 10,000 and 100,000 (previous less than 10,000) individuals from January 1 of this year triggers the need to file the SC.

Please note the above relaxed thresholds are not applicable to the following data:

- the patient's real name and contact information; the patient’s diagnosis and treatment and health and physiological information including medical history, allergy history, living habits, information or description of adverse reaction events, diagnosis and treatment records, medication records, test and examination reports, hospitalization records.

Scenario 3: Clinical trial, pharmaceutical development, healthcare professionals administration, pharmacovigilance, product complaints and medical inquiry

In cases of cross-border transfer of personal information of medical healthcare professionals, clinical trial researchers, and non-patient reporters of adverse reactions, product complainants, and medical inquirers, cumulative transfer of more than 200,000 individuals’ personal information (including sensitive personal information) from January 1 of this year, the data handler is subject to the security assessment.

Scenario 4: Clinical trial, pharmaceutical development, healthcare professionals administration, pharmacovigilance, product complaints and medical inquiry

In cases of cross-border transfer of sensitive personal information of medical healthcare professionals, clinical trial researchers, and non-patient reporters of adverse reactions, product complainants, and medical inquirers, cumulative transfer of more than 100,000 (previously 10,000) individuals from January 1 of this year triggers the need for the security assessment and cumulative transfer of between 10,000 and 100,000 (previous less than 10,000) individuals from January 1 of this year triggers the need to file the SC.

Negative List for the Civil Aviation Industry

Important data

In the civil aviation industry, important data include flight data recorder data, voice recorder data and aircraft health condition monitoring data in the civil aircraft incident and the data subject to export control or technology export administration.

Cross-border transfer of personal data

Scenario 1: customer service

The data handler shall conduct the security assessment for the following cross-border transfer activities:

- cross-border transfer of more than five million (previously one million) individuals’ personal information (excluding sensitive personal information) from January 1 of this year; and

- cross-border transfer of more than 100,000 (previously 10,000) individuals’ sensitive personal information from January 1 of this year.

The data handler shall conduct the filing of the SC or certification of protection of personal information for the following cross-border transfer activities:

- cross-border transfer of between 50,000 and five million (previous between 100,000 and one million) individuals’ personal information (excluding sensitive personal information) from January 1 of this year; and

- cross-border transfer of between 100,000 and one million (previous less than 10,000) individuals’ sensitive personal information from Jan one of this year.

Thresholds in all the other scenarios in the civil aviation industry remain unchanged.

Negative List for the AI Industry

Important data

In the AI industry, important data includes:

- high-value sensitive data related to industry competitiveness collected and generated during the R&D design process;

- content involving audio, image and text that may endanger national security, economic operation, social stability and public health and security once tampered with, damaged, leaked, illegally obtained and illegally used; and

- data subject to export control or technology export administration.

Cross-border transfer of personal information

Scenario 1: model training, algorithm development and product testing

The data handler shall conduct security assessment for the following cross-border transfer activities:

- cross-border transfer of more than 50,000 (previously 10,000) individuals’ sensitive personal information that is voice data from January 1 of this year;

- cross-border transfer of more than 50,000 (previously 10,000) individuals’ sensitive personal information that is image data from January 1 of this year; and

- cross-border transfer of more than 100,000 (previously 10,000) individuals’ sensitive personal information that is text data from January 1 of this year.

The data handler shall conduct filing of the SC or certification of protection of personal information for the following cross-border transfer activities:

- cross-border transfer of between 10,000 and 50,000 (previous less than 10,000) individuals’ personal information that is voice data from January 1 of this year;

- cross-border transfer of between 100,000 and one million (previous less than 10,000) individuals’ sensitive personal information that is image data from January 1 of this year;

- cross-border transfer of between 10,000 and 100,000 (previously less than 10,000) individuals’ sensitive personal information that is text data from January 1 of this year.

Thresholds for all the other scenarios in the AI industry remain unchanged.

Copyright © 2024, Hunton Andrews Kurth LLP. All Rights Reserved.

Current Public Notices

Current Legal Analysis

More from Hunton Andrews Kurth

Corporate Diversity, Equity and Inclusion Programs One Year After Students for Fair Admissions
by: Alexander Abramenko , Scott H. Kimpel
Dutch Regulator Fines Clearview AI 30.5 Million Euros
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
EEOC Wants the Ninth Circuit to Provide Guidance in Applying SCOTUS’ New Standard for Discrimination Cases
by: Christopher M. Pardo , Veronica A. Torrejón
EPA Proposes to Delay Start of Reporting Period and Submission Deadline for Expansive PFAS Reporting Rule Under the Toxic Substances Control Act
by: Javaneh S. Tarter , Nancy B. Beck, PhD, DABT
Update: California Legislature Approves Targeted Changes to Climate Disclosure Laws Without Delaying Reporting Deadlines
by: Clare Ellis , Rachel Saltzman
FCC and Canada OPC Sign MOU on Privacy Enforcement
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
Exclusive Use Provisions in Commercial Leases – What to Consider and What to Avoid
by: Brad Kuntz
EPA Targets Five Widely Used Chemicals: TSCA “High Priority” Designation Signals Potential Future Use Restrictions on the Chemicals and Products Containing Them
by: Javaneh S. Tarter , Nancy B. Beck, PhD, DABT

Upcoming Legal Education Events

 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins