
China - Analysis of the Provisions on Promoting and Regulating Cross-border Data Flow

Published 5 April 2024 Sarah Xuan
On March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the Provisions on Promoting and Regulating Cross-border Flow of Data (“Provisions”). Previously, on September 28, 2023, the CAC had publicly solicited comments on the Draft of Provisions on Regulating and Promoting Cross-border Flow of Data (“Draft”). The Provisions moved the word “Promoting” ahead of “Regulating” in the name of the Draft, reflecting the purpose of the Provisions to facilitate cross-border data flow and open up to the outside world. Specifically, compared with the Draft, the Provisions mainly contain the following amendments:
1. Further clarification of data exit exemptions
Under China’s previous regulatory rules, declaring a data exit security assessment, obtaining personal information protection certification, and filing a standard contract for the exit of personal information are the leading measures for regulating cross-border data flow in China. Among them, the data exit security assessment and the filing of a standard contract for the exit of personal information have covered various cross-border data scenarios involving different data processors, data volumes, and data categories.
The Provisions specify cross-border data scenarios that do not require the declaration of a data exit security assessment, the filing of a standard contract for the exit of personal information, or the certification of the protection of personal information, i.e., data exit exemption scenarios, which include:
1) Providing outside of China data collected and generated in international trade, cross-border transportation, academic cooperation, multinational manufacturing, and marketing that do not contain personal information or important data. Concerning important data, the Provisions, taking practical feasibility into account, explicitly stipulate that “if it has not been notified or publicly released as important data by the relevant departments or regions, the data processor is not required to declare the data as important data for data exit security assessment.”
2) Where personal information collected and generated by a data processor outside of China is transferred to China for processing and then provided outside of China, and no personal information or important data related to China is introduced during the processing. The Provisions accommodate, to the greatest extent, the cross-border data needs of multinational enterprises and others that conduct data analysis without introducing personal information or important data from within the territory.
3) Where it is necessary to provide personal information outside of China to conclude and fulfill a contract to which an individual is a party, such as cross-border shopping, cross-border shipping, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel booking, visa application, and examination services. Previously, the Draft only mentioned four scenarios: “cross-border shopping, cross-border remittance, air ticket and hotel booking, and visa application”. The Provisions add four new scenarios of “cross-border shipping, cross-border payment, cross-border account opening and examination services,” further expanding the cross-border data exemption scenarios based on the Draft to facilitate economic activities under the relevant scenarios.
4) Where implementing cross-border human resources management in accordance with labor rules and regulations formulated in accordance with the law and collective contracts signed in accordance with the law requires the provision of employees’ personal information outside of China. (Consistent with the Draft)
5) In an emergency, where providing personal information outside of China is necessary to protect a natural person’s life, health, and property. (Consistent with the Draft)
6) Data processors other than operators of critical information infrastructures have cumulatively provided the personal information of fewer than 100,000 persons, excluding sensitive personal information, outside of China since January 1 of the current year. The Provisions add this exemption scenario based on the Draft, expanding the scope of the exemption for outbound data and facilitating cross-border data flow.
7) Under the framework of the national data classification and protection system, the Pilot Free Trade Zone (“FTZ”) can formulate its cross-border negative list of data within the zone. After the approval of the local cyberspace administration department and reporting to the national cyberspace administration department for the record, the data processors in the FTZ can provide the negative list of data outside the FTZ. Data outside the list are exempted. As cross-border data flow becomes increasingly important in international trade, exploring innovative new models of cross-border data flow through FTZs will help China realize double-cycle development and promote China’s accession to DEPA.
2. Further refinement of the scope of the data exit security assessment
For operators of critical information infrastructures, the Provisions require that when they provide personal information or important data abroad, they should declare the data exit security assessment to the national cyberspace administration department through the cyberspace administration department where they are located.
For data processors other than operators of critical information infrastructures, the Provisions refine the requirements according to the type of data and the number of people involved, with the fundamental principle that the higher the degree of information security and the greater the number of people involved, the more stringent the requirements for the exit of data are, as follows:
1) If important data is provided overseas, or if the personal information of more than 1 million persons (excluding sensitive personal information) or the sensitive personal information of more than 10,000 persons has been provided overseas cumulatively since January 1 of the current year, the data processor shall declare a data exit security assessment to the national cyberspace administration department through the local cyberspace administration department where it is located.
2) If the personal information of more than 100,000 but fewer than 1 million persons (excluding sensitive personal information), or the sensitive personal information of fewer than 10,000 persons, has been provided overseas cumulatively since January 1 of the current year, the data processor shall enter into a standard contract with the overseas recipient in accordance with the law for the export of personal information or pass the certification for the protection of personal information.
Compared to the Draft, the Provisions added a new scenario in which a data processor other than a critical information infrastructure operator transmits more than 10,000 people’s sensitive personal information overseas, which also requires a data security assessment.
3. Extension of the validity period of the data security assessment
The Draft does not mention the validity period of the data security assessment, while the Provisions state that the validity period can reach a maximum of six years (“3+3”). Based on the Draft, the Provisions add a new Article 9, which clearly states: “The validity period of the data exit security assessment results shall be three years from the date of issuance of the assessment results. Upon expiration of the validity period, if it is necessary to continue to carry out data exit activities and there is no need to re-declare the situation of data exit security assessment, the data processor can apply for an extension of the validity period of the assessment results through the local cyberspace administration department to the national cyberspace administration department within 60 working days before the expiration of the validity period. Upon approval by the national cyberspace administration department, the validity period of the assessment results may be extended for three years.”
Previously, on July 7, 2022, the CAC issued the Measures for Data Outbound Security Assessment (“Assessment Measures”). Article 14 of the Assessment Measures states, “The validity period of the results of passing the data outbound security assessment is two years, calculated from the date of the issuance of the assessment results.” Compared with the Assessment Measures issued in 2022, the Provisions have extended the validity period of the data security assessment from 2 years to 3 years and clarified the criteria under which it can be extended for another three years, effectively facilitating cross-border data flow.
[Summary]
In general, the publication and implementation of the Provisions reflect the guiding principle of optimizing the business environment and facilitating the business activities of data (personal information) processors, providing a convenient and quick path for the exit of non-important data and specific personal information, and providing more precise protection for important data and sensitive personal information. This is conducive to realizing a balance between development and security, better safeguarding data security, protecting the rights and interests of personal information, and promoting orderly and free data flow in accordance with the law.
