Six months after the Cyberspace Administration of China (the CAC) sought public consultation on the draft Provisions on Regulating and Facilitating Cross-Border Data Flow (the Draft Provisions, Chinese version only), the Provisions on Facilitating and Regulating Cross-border Data Flow (the Provisions, Chinese version only) was officially promulgated on 22 March 2024 with immediate effect.
Prior to the release of the Provisions, multinational corporations (MNCs) with the need to transfer data, especially personal data, out of China, were required to go through one of three data export mechanisms: (i) the security assessment conducted by the CAC (the CAC Assessment) (please refer to our CAC Assessment series: Part 1, Part 2, and Part 3); (ii) the protection certification by a licensed organization (the Licensed Certification) (as detailed in our client alert on the licensed certification[1]); and (iii) the China standard contract (the China SCC) (see our client alert on the China SCC) (collectively known as the Three Mechanisms).
The introduction of the Provisions marks a significant shift by adding a fourth pathway that substantially simplifies the process of exporting data out of China. This new route (the Safe Harbor Rules) offers an exemption from the Three Mechanisms, thereby streamlining compliance and facilitating cross-border data transfers.
The Provisions make it clear that in the case of any conflicts between the Safe Harbor Rules and the existing regulations of the Three Mechanisms that were promulgated before the Safe Harbor Rules, the Safe Harbor Rules will prevail.
KEY UPDATES AND INSIGHTS INTO THE SAFE HARBOR RULES
The core concepts of the Safe Harbor Rules, as they were first proposed in the Draft Provisions, remain largely intact in the Provisions.[2] However, several critical modifications and clarifications have been made, as follows:
Further Relaxing the Necessary Data Export
Three types of necessary data export activities (the Necessary Data Export) are exempt from the Three Mechanisms regardless of whether (i) the volume of data to be exported meets the volume threshold of the Three Mechanisms, and (ii) the data exporter is a critical information infrastructure operator (CIIO).
While the three types of Necessary Data Export in the Provisions remain the same as under the Draft Provisions, the key changes are as follows:
- The nonexclusive examples of Necessary Data Export for the purpose of conclusion or performance of a contract to which an individual data subject is a party for cross-border businesses are expanded to include cross-border mailings, payments, account openings, and examination services for ease of understanding (Article 5-1).
- The scope of individual data subjects whose personal data can be exported for cross-border human resource management purpose is expanded from “internal employees” to “employees”, which can be broadly interpreted to include “external employees” such as temporary workers or dispatched employees (Article 5-2).
- The qualifier changes from “unavoidable/must” to “imperative/necessary” for personal data export in the situations of conclusion or performance of a contract to which an individual is a party, cross-border human resource management, and emergencies to give more flexibility to a data exporter’s discretion (Article 5).
Substantially Raising the Volume Threshold
A notable revision is the adjustment of the volume thresholds for personal data exports by a data controller who is not a CIIO. The table below sets out the key changes to these requirements. For example, the threshold for applying an exemption from the Three Mechanisms has increased, moving from fewer than 10,000 individuals’ general data to fewer than 100,000 individuals’ general data (excluding sensitive personal data), markedly lowering the barriers to applying the Safe Harbor Rules.
| Mechanisms | Draft Provisions | Provisions |
|---|---|---|
| Exempt from all Three Mechanisms | Exports of less than 10,000 individuals’ personal data anticipated per year (Article 5) | Exports of personal data of less than 100,000 individuals (excluding sensitive personal data) cumulative starting from 1 January that year (Article 5-4) |
| China SCC or Licensed Certification | Exports of 10,000 to 1 million individuals’ personal data anticipated per year (Article 6) | Exports of 100,000 to 1 million individuals’ personal data (excluding sensitive personal data) OR less than 10,000 individuals’ sensitive personal data cumulative starting from 1 January that year (Article 8) |
| CAC Assessment | Exports of more than 1 million individuals’ personal data anticipated per year (Article 6) | Exports of more than 1 million individuals’ personal data (excluding sensitive personal data) OR more than 10,000 individuals’ sensitive personal data cumulative starting from 1 January that year (Article 7-2) |
Besides the volume threshold, the criteria for determining the volume of personal data have been made more transparent and quantifiable, transitioning from a predictive model (i.e. anticipated per year) to one based on actual data accumulation (i.e. actual data transfer volume for a period of one year).
Further, the Provisions delineate a volume threshold specifically for the export of sensitive personal data,[3] imposing stricter limitations compared to those in the Draft Provisions. Previously, no clear distinction was made between the export of general personal data and that of sensitive personal data, allowing the possibility of exports involving sensitive personal data to bypass the Three Mechanisms. However, under the Provisions, an export involving even a single individual’s sensitive personal data, unless falling under the Necessary Data Export exemption, is now mandatorily subject to either Licensed Certification or China SCC. This reflects China’s efforts in striking a balance between protecting sensitive personal data and relaxing the burden of compliance for personal data export.[4]
Further Clarifying Relationship Between Necessary Data Export and Data Volumes Requirements
The Draft Provisions created some ambiguity regarding whether exporting certain amounts of personal data in Necessary Data Export scenarios needed to go through any of the Three Mechanisms. For example, if an overseas hotel-booking business involved more than 1 million individuals located in China per year, it was not clear whether it could be exempt from the Three Mechanisms per Article 4 of the Draft Provisions, since overseas hotel booking:
- is a Necessary Data Export activity;
- but also meets the volume threshold of the CAC Assessment per Article 6 of the Draft Provisions.
The Provisions have resolved any potential conflicts by specifying that Necessary Data Export is effectively exempt from any volume threshold calculations regarding either general personal data or sensitive personal data. The prevalence of Necessary Data Export over data volumes requirements has therefore been preserved (Article 7 and Article 8).
U-Turn Export Exemption
The Provisions specify that the export of personal data collected and generated outside of China and transferred to China for processing (the U-Turn Export) is exempt from the Three Mechanisms if it does not incorporate domestic personal data or important data during its processing in China. This U-Turn Export safe harbor allows MNCs to leverage China’s cost-effective resources by having data collected overseas processed in China and then transferred back abroad (Article 4).
Our Observations
- Compared to the Draft Provisions, the Provisions make the criteria for the Safe Harbor Rules more relaxed and transparent while remaining prudent about the export of important data and sensitive personal data. Interestingly, the Provisions reverse the order of “Regulating and Facilitating” in the name of the Draft Provisions by putting “Facilitating” before “Regulating”. This signals a shift in policy focus in this context.
- MNCs must still exercise specific caution when transferring sensitive personal data outside the scope of the three types of Necessary Data Export, as the volume threshold for such an exemption is more stringent than under the Draft Provisions.
We will discuss the relationship between the Safe Harbor Rules and the existing regulations of the Three Mechanisms in Part II of our alert.
Footnotes
[1] Our client alert on the licensed certification was drafted before the revised licensed certification guidance came out on 16 December 2022.
[2] Please refer to our alert on the Draft Provisions for details.
[3] Under the Personal Information Protection Law of the PRC, “sensitive personal data” refers to personal data that, if leaked or illegally used, can easily lead to harm to an individual’s dignity or endanger personal and property safety. This includes, without limitation, information on biometrics, religious beliefs, specific identities, medical and health, financial accounts, whereabouts, and the personal information of minors under the age of 14.
[4] Similarly, the Provisions also reflect China’s efforts in striking a balance between protecting important data and relaxing the compliance burden of data export.