China Lightens its Guidelines for Cross-Border Data Transfer
Published 10 October 2023
Xia Yu
On 28 September 2023, the Cyberspace Administration of China (“CAC”) published draft Guidelines to Regulate and Facilitate Cross-border Data Transfer (“Draft Guidelines”) to solicit public comments. Following the provisions of Outbound Data Transfer Security Assessment Measures and the Measures for the Standard Contract for the Outbound Transfer of Personal Information (“Two Measures”) issued by the CAC on 7 July 2022 and 22 February 2023 respectively, a cross-border data transfer shall bear obligations such as application for a security assessment (“security assessment”), conclusion of the standard contract for the outbound transfer of personal information (“standard contract”) and/or passing personal information protection certification (“certification”) (“Obligations”). The Draft Guidelines, with 11 articles in total, provide further explanations and exemptions regarding the Obligations for cross-border data transfer.
Articles 1 to 3 of the Draft Guidelines list exemptions for cross-border data transfer under the following three situations: 1. The export of data generated in activities such as international trade, academic cooperation, transnational manufacturing and marketing that does not contain personal information or important data;2. The exported data has not been notified by government authority or has been publicly released as important data; 3. The exported data is not the personal information collected or created within China.
Articles 4 and 5 of the Draft Guidelines stipulate that the four scenarios that most enterprises’ daily repetitive data/personal data exports are exempted from the Obligations. It helps many multinational companies reduce the pressure and cost of cross-border data transmission compliance and is better to balance their business development goals and data security management needs. The four scenarios are as follows: 1. It is necessary to provide personal information to enter into and perform a contract to which an individual is a party, such as cross-border shopping, cross-border remittances, air ticket and hotel reservations, visa processing, etc.2. It must provide personal information of internal employees overseas to implement human resources management according to labour regulations and signed collective contracts.3. In emergencies, personal information must be provided overseas to protect a natural person's life, health and property safety.4. the personal information of less than 10,000 people is expected to be provided overseas within one year.
According to Article 7 of the Draft Guidelines, the free trade pilot zone can independently formulate a list of the data which exporting shall bear the Obligations. After approval by the provincial network security and information technology committee, the lists shall be reported to the CAC. The export of the data not included in the list can be exempted from the Obligations. This is conducive to a facilitated security management mechanism for cross-border data circulation and will provide a more favourable environment for the internationalization of the digital economy and technological innovation.
In addition to the above exemptions, Articles 6, 8 and 9 of the Draft Guidelines also clarify and refine the cross-border data flow security management system stipulated in the Two Measures as follows: 1. It is necessary to enter into the standard contract and file it with the provincial cybersecurity and informatization department or pass the certification if it is expected that the personal information of more than 10,000 people and less than 1 million people will be provided overseas within one year. If the expected number is over 1 million, it shall apply for the security assessment. 2. State agencies and critical information infrastructure operators that export personal information and important data, including sensitive information or sensitive personal information involving the Communist Party, government, military and secret-related units, must apply for the security assessment.
To ensure national data security and protect personal information, the Draft Guidelines further regulate and promote the orderly and free flow of data per the law. It is helpful for enterprises to implement the Obligations. The deadline for feedback on the Draft Guidelines is 15 October 2023.
Articles 1 to 3 of the Draft Guidelines list exemptions for cross-border data transfer under the following three situations: 1. The export of data generated in activities such as international trade, academic cooperation, transnational manufacturing and marketing that does not contain personal information or important data;2. The exported data has not been notified by government authority or has been publicly released as important data; 3. The exported data is not the personal information collected or created within China.
Articles 4 and 5 of the Draft Guidelines stipulate that the four scenarios that most enterprises’ daily repetitive data/personal data exports are exempted from the Obligations. It helps many multinational companies reduce the pressure and cost of cross-border data transmission compliance and is better to balance their business development goals and data security management needs. The four scenarios are as follows: 1. It is necessary to provide personal information to enter into and perform a contract to which an individual is a party, such as cross-border shopping, cross-border remittances, air ticket and hotel reservations, visa processing, etc.2. It must provide personal information of internal employees overseas to implement human resources management according to labour regulations and signed collective contracts.3. In emergencies, personal information must be provided overseas to protect a natural person's life, health and property safety.4. the personal information of less than 10,000 people is expected to be provided overseas within one year.
According to Article 7 of the Draft Guidelines, the free trade pilot zone can independently formulate a list of the data which exporting shall bear the Obligations. After approval by the provincial network security and information technology committee, the lists shall be reported to the CAC. The export of the data not included in the list can be exempted from the Obligations. This is conducive to a facilitated security management mechanism for cross-border data circulation and will provide a more favourable environment for the internationalization of the digital economy and technological innovation.
In addition to the above exemptions, Articles 6, 8 and 9 of the Draft Guidelines also clarify and refine the cross-border data flow security management system stipulated in the Two Measures as follows: 1. It is necessary to enter into the standard contract and file it with the provincial cybersecurity and informatization department or pass the certification if it is expected that the personal information of more than 10,000 people and less than 1 million people will be provided overseas within one year. If the expected number is over 1 million, it shall apply for the security assessment. 2. State agencies and critical information infrastructure operators that export personal information and important data, including sensitive information or sensitive personal information involving the Communist Party, government, military and secret-related units, must apply for the security assessment.
To ensure national data security and protect personal information, the Draft Guidelines further regulate and promote the orderly and free flow of data per the law. It is helpful for enterprises to implement the Obligations. The deadline for feedback on the Draft Guidelines is 15 October 2023.