On March 22, 2024, the Cyberspace Administration of China (the “CAC”) issued the Provisions on Facilitation and Regulation of Cross-Border Data Flows (the “Provisions”), which took effect the same day. The CAC also held a press conference to introduce and explain the Provisions. The Provisions demonstrate that the regulation of cross-border transfers in China is focused on important data and critical information infrastructure operators (“CIIOs”), and that the CAC aims to optimize the business environment, stabilize foreign investment, and support data flows within global companies that have a Chinese presence.
The Provisions address the following key topics, which are each discussed in further detail below:
- clarifying when the transfer of important data triggers the requirement to undergo a security assessment, and adjusting the conditions and thresholds for triggering the application of security assessment, the execution of the standard contract of cross-border transfer of personal information (“SC”), and the certification of protection of personal information;
- providing exemptions from the application of security assessment, the execution of the SC, and the certification of protection of personal information;
- establishing authority to create a negative list in free trade zones; and
- extending the validity period of an approved security assessment from two years to three years, with the option to apply for a further extension of three years.
Important Data and the Security Assessment
According to the Provisions, unless a data handler has been notified by the relevant authority that the data it processes constitutes “important data,” or the data has otherwise been publicly classified as “important data,” the data handler is not required to undergo a security assessment on the basis that it processes “important data.” The recently released standard “Data Security Technology - Provisions on Data Classification and Grading” provides general rules for data classification and grading, together with guidance on the identification of important data. Additional, industry-specific guidance on defining important data is expected to be issued.
Transfers Triggering Application for Security Assessment
According to the Provisions, if data is transferred outside of China in one of the following scenarios, the data handler is required to apply for security assessment:
- where a CIIO transfers any personal information or important data outside of China; or
- where a data handler (excluding a CIIO) transfers important data, or has, cumulatively since January 1 of the current year, transferred personal information (excluding sensitive personal information) of over 1 million individuals, or sensitive personal information of over 10,000 individuals.
The Provisions also extend the period of validity of an approved security assessment from two years to three years. In addition, within 60 business days before the expiration date, the data handler may now apply for a further extension of three years, provided no event triggering a re-assessment has occurred.
Transfers Triggering Execution of the SC or Certification of Protection of Personal Information
According to the Provisions, where a data handler (excluding a CIIO) has, cumulatively since January 1 of the current year, transferred personal information (excluding sensitive personal information) of 100,000 or more but fewer than 1 million individuals, or sensitive personal information of fewer than 10,000 individuals, it must either execute the SC or pass the certification of protection of personal information.
Exempt Processing Activities
The Provisions exempt the following six processing activities from the requirement to apply for a security assessment, execute the SC, or pass the certification of protection of personal information:
- transfers of data collected and generated in international trade, cross-border transportation, academic cooperation, transnational manufacturing, marketing and similar activities, where the data does not contain personal information or “important data”;
- transfers necessary for concluding and performing a contract to which the individual is a party, such as cross-border shopping, cross-border shipping, flight and hotel reservations, cross-border remittances and visa processing;
- transit data (i.e., personal information that was collected and generated outside China, transferred into China for processing, and then transferred back out), provided that no personal information or important data collected in China is added to the transit data during the processing in China;
- transfers of employee personal information necessary for cross-border HR management, carried out in accordance with employment policies formulated under the law of China and with collective contracts executed under the law of China;
- transfers of personal information necessary to protect a natural person’s life, health or property in an emergency; and
- transfers by a data handler (excluding a CIIO) of personal information (excluding sensitive personal information) of fewer than 100,000 individuals, counted cumulatively since January 1 of the current year.
In the press conference, the CAC clarified that, when calculating the number of individuals, the count resets each January 1, meaning that transfers of personal information made in the previous year are not counted.
Flexibility for Transfers from Pilot Free Trade Zones
The Provisions grant each pilot free trade zone (e.g., the Shanghai Free Trade Zone) the authority to formulate its own list of data that remains subject to the transfer rules (i.e., a “negative list”), in accordance with national policy on data classification and grading. Data falling outside the scope of the negative list applicable to a data handler in that zone could therefore be transferred outside of China without complying with the transfer rules, assuming the data handler is not otherwise subject to them.
General Compliance Obligations for Cross-Border Transfers
Although, as detailed above, the Provisions relieve certain data handlers of the obligation to undergo a security assessment, execute the SC or pass the certification of protection of personal information, those data handlers remain subject to the other compliance requirements that apply to transfers of data outside of China, including:
- obtaining separate consent from the individual for transfers where consent is the legal basis for the transfer;
- conducting a personal information protection impact assessment of the transfer and retaining the assessment report and processing records in internal files for at least three years;
- taking technical and other necessary measures to safeguard the security of the transfer; and
- in the event of an actual or potential data incident, taking remedial action and notifying the cybersecurity administration at the provincial level or above, together with the relevant authority in charge.
Next Steps
Given that the regime for cross-border transfers has been in place for over a year, many data handlers have already taken steps to comply with it. For example, some data handlers have been granted approval of a security assessment, while other applications remain outstanding. However, as detailed above, certain data handlers will no longer be subject to the same level of obligations when transferring data outside of China. In the press conference, the CAC answered questions concerning the next steps for data handlers under the Provisions. In this respect, the CAC confirmed that:
- If a data handler has obtained approval of a security assessment, it may continue to transfer data pursuant to the approval.
- If a data handler did not pass the security assessment, or passed it subject to conditions, but is no longer required to apply for a security assessment under the Provisions, the data handler may transfer personal information outside of China by executing an SC or obtaining certification of protection of personal information (subject to the Provisions).
- If a data handler has applied for a security assessment or filed an SC, the application or filing is still pending, and the data handler is no longer subject to that procedure under the Provisions, the data handler may either continue the original application or withdraw the application or filing from the CAC.
As the Provisions are now in effect, data handlers should review their transfers against the Provisions to determine whether any further steps are required to comply with China’s data transfer regime.