Recent Positive Initiatives in Cross-Border Data Flow - China
Published 20 February 2024
Sarah Xuan
In recent years, with the rapid development of global digital trade and the data economy, cross-border data flow and international data cooperation have become issues of great concern to all parties. In the past few years, China has continuously explored modes of regulating cross-border data flow and strengthened that regulation. On the basis of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, it has successively issued the Measures for the Security Assessment of Outbound Data Transfer, the Standard Contract for the Cross-border Transfer of Personal Information, and the Implementation Rules on Personal Information Protection Certification, establishing a regulatory mechanism for cross-border data flow in the form of security assessment, standard contract for personal information exit, and personal information protection certification.
However, the introduction of the regulatory mechanism also raises issues of inefficiency and higher compliance costs for corporate outbound data transfers. To balance regulation and flexibility in cross-border data flow, the Opinions of the State Council on Further Optimizing the Foreign Investment Environment and Increasing Efforts to Attract Foreign Investment, issued by the State Council on 13 August 2023, explicitly support Beijing, Tianjin, Shanghai, and Guangdong, Hong Kong and Macao Bay Area in exploring the formation of a general list of data that can flow freely, building service platforms, and providing compliance services for cross-border data flow in the process of implementing systems such as data exit security assessment, personal information protection certification, and filing of standard contracts for the exit of personal information. In addition, the Provisions to Regulate and Promote Cross-Border Data Flow (Draft for Public Comments), issued by the State Internet Information Office on 28 September 2023, also propose that the Pilot Free Trade Zones may formulate on their own the list of data that need to be included in the scope of management of data exit security assessment, personal information exit standard contract, and personal information protection certification in the Pilot Free Trade Zone (the Negative List), and that, for data outside the Negative List, there is no need to declare a data exit security assessment, conclude a personal information exit standard contract, or pass personal information protection certification.
In addition, on 7 December 2023, the State Council issued the Overall Program for Comprehensively Docking to International High-Standard Economic and Trade Rules and Promoting High-Level System-Based Openness in the China (Shanghai) Pilot Free Trade Zone (“Overall Program”), and the Overall Program further clarifies that, in accordance with the system of data categorization and grading and protection, it will support the Shanghai Pilot Free Trade Zone to take the lead in formulating an important data catalog. Then the Pilot Zone guides data processors to carry out self-assessment of data exit risks, explore the establishment of a lawful, safe and convenient mechanism for cross-border data flow, and enhance the convenience of cross-border data flow.
Based on the above regulations and the advantages of the International Data Port, Shanghai Lingang New Area issued the Measures for Classification and Grading Management of Cross-border data flow in Lingang New Area (for Trial Implementation) (“Management Measures”) on 19 January 2024. The main contents of the Management Measures include:
1) Data classification and grading management
In terms of classification management, cross-border data are classified and managed by combining the standard specifications for data classification in various industries with the development requirements of the relevant industries in Lingang New Area, taking the segments with the most urgent everyday needs as an entry point. In terms of grading management, in accordance with the requirements of the Data Security Law, cross-border data are classified into three levels, from highest to lowest: core data, important data, and general data. Among them, core data are prohibited from crossing borders, important data form an important data catalog, and general data form a general data list.
2) Data cross-border flow process
a. If an enterprise needs to transmit general data out of China, it needs to apply for filing through the Public Service Management Platform for Convenient Circulation of Data in Lingang New Area in accordance with the management requirements of the Management Committee of Lingang New Area, and after the filing is completed, the enterprise can transmit the data out of China.
b. If an enterprise intends to transmit the important data listed in the Important Data Catalog outside of China, the enterprise needs to follow the requirements of the Measures for Security Assessment of Data Exit, and then declare the security assessment of data exit to the Shanghai Internet Information Office through the Data Cross-border Service Center of Lingang New Area after the initial inspection of the declaration materials.
In addition, Lingang New Area will first organize leading enterprises and experts to form a working group, starting from specific scenarios in key areas such as intelligent networked cars, financial management, high-end shipping, international trade, biomedicine, and culture to the sea, to prepare and successively release a batch of general data lists and important data catalogs, and will release the first batch of lists in March 2024.
At present, Lingang New Area has initially built the National (Shanghai) New Internet Exchange Center, International Data Port Core Data Center, Innovative Pilot Dedicated Data Room, and International Data Transmission Dedicated Channel. It is also exploring the creation of functional data facilities for international data cooperation in line with new international digital trade rules such as DEPA and international data hub cities such as Singapore and Hong Kong. At the same time, Lingang New Area has basically built five functional platforms, whose functions cover data transmission, backup, registration, certification, security self-assessment, security compliance governance, data security prevention, data element circulation and configuration, data authenticity verification, scientific and technological innovation services, data standardization, international mutual recognition cooperation, and other aspects. The hardware and software facilities in Lingang New Area will improve the efficiency of cross-border data flow and provide a reference for the practice of cross-border data flow nationwide.