On 22 March 2024, the Cyberspace Administration of China (CAC) officially enacted the long-awaited Provisions on Facilitating and Regulating Cross-border Data Flows (Provisions), which became effective on the same date. The Provisions relax the data export requirements by introducing modifications and exemptions to the three mechanisms for cross-border data transfer, namely (i) CAC security assessment; (ii) China’s standard contract for outbound cross-border transfer of personal information (Standard Contract); and (iii) personal information protection certification (Certification) (collectively Cross-border Data Transfer Mechanisms). A draft of the Provisions was released on 28 September 2023 for public consultation. Please refer to our previous article, "China relaxes measures on cross-border data transfers from China" (Data notes, hsfnotes.com).
1. Exemptions from cross-border data transfer mechanisms
A data transferor in mainland China is no longer required to adopt any of the Cross-border Data Transfer Mechanisms in the following scenarios:
- Data generated in activities such as international trade, cross-border transportation, academic cooperation, cross-border manufacturing and marketing where the data does not contain personal information or important data.
- Personal information which is not collected within mainland China and remains separate from personal information or important data originated from mainland China. This refers to export of personal information which has been imported into mainland China for processing.
- Personal information (including sensitive personal information) which is required to be provided outside of mainland China in any of the following circumstances (Exempted Circumstances):
  - for the purpose of entering into and performing a contract to which the individual is a party, such as for cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel reservation, visa processing, examination services, etc.;
  - to implement cross-border human resources management in accordance with labour rules and regulations and any collective contract signed in accordance with the law; or
  - to protect the life, health and property safety of natural persons in emergency situations.
- Personal information (excluding sensitive personal information) of fewer than 100,000 individuals which has cumulatively been transferred outside of mainland China since 1st January of that year by a data transferor which is not a critical information infrastructure operator (CIIO).
2. Changes to the thresholds for cross-border data transfer mechanisms
Compared with the existing thresholds for the three Cross-border Data Transfer Mechanisms, the main changes are in:
- the amount thresholds of personal information for non-CIIO data transferors; and
- the Exempted Circumstances applicable to personal information and to all types of data transferors including CIIOs.
A CAC security assessment is still required for export of important data, and unless any of the Exempted Circumstances is applicable, a CAC security assessment is still required for cross-border transfers of personal information by CIIOs.
The Exempted Circumstances are not applicable to important data but only personal information (including sensitive personal information). The personal information and sensitive personal information transferred under the Exempted Circumstances could be excluded from the calculation of the amount thresholds of personal information for non-CIIO data transferors.
The Provisions further clarify that:
- where a non-CIIO data transferor cumulatively provides outside of mainland China the personal information (excluding sensitive personal information) of 100,000 or more individuals but fewer than 1,000,000 individuals since 1st January of that year, either the Standard Contract or the Certification can be adopted; and
- where a non-CIIO data transferor cumulatively provides outside of mainland China the personal information (excluding sensitive personal information) of 1,000,000 or more individuals since 1st January of that year, the CAC security assessment must be adopted.
The Provisions emphasise the protection of sensitive personal information:
- where a non-CIIO data transferor cumulatively provides outside of mainland China the sensitive personal information of fewer than 10,000 individuals since 1st January of that year, either the Standard Contract or the Certification can be adopted; and
- where a non-CIIO data transferor cumulatively provides outside of mainland China the sensitive personal information of 10,000 or more individuals since 1st January of that year, the CAC security assessment must be adopted.
3. Applicable cross-border data transfer mechanisms
We have summarised the applicable Cross-border Data Transfer Mechanism(s) and the relevant circumstances in the table below.
Applicable Cross-border Data Transfer Mechanism(s) | Circumstances |
CAC security assessment |
|
Standard Contract or Certification |
|
None of the Cross-border Data Transfer Mechanisms is required |
|
4. Extension of validity period of CAC security assessment
Under the Provisions, the validity period of the results of a CAC security assessment has been extended to three years (originally two years provided for under the Measures for the Security Assessment of Outbound Data Transfers), calculated from the date of issuance of the assessment results.
If the validity period expires and there is no change in any of the circumstances requiring a new application to the CAC for a new assessment, the data transferor can submit an application to extend the validity period of the assessment results for 3 years within 60 working days before the expiry of the validity period.
5. Other data protection requirements
Data transferors that export personal information outside of mainland China must still fulfil other data protection obligations including obtaining separate consent from the data subjects and conducting the personal information protection impact assessment.
As a general requirement, data processors are required to implement technical and other measures to ensure data security. In the event of a data security incident, data processors are required to take measures to mitigate the consequences and notify competent authorities of the incident.
6. Updated guidelines for cross-border data transfer mechanisms
The CAC has also issued the updated Guide to Applications for Security Assessment of Outbound Data Transfers (Second Edition) and Guidelines for Filing the Standard Contract for Outbound Cross-Border Transfer of Personal Information (Second Edition). Among other things, the template of the personal information protection impact assessment report has been substantially simplified.
An online data export declaration portal has been created for online submission of applications for the CAC security assessment and Standard Contract filing. The website is at https://sjcj.cac.gov.cn. A data transferor which has already submitted an application to the CAC in paper form is not required to resubmit its application through the online portal. The offline paper form channel will continue to be available to CIIOs or in other scenarios where the online portal is not applicable.
7. Determination of important data and CIIOs
The Q&A session of the Provisions has further clarified how to identify important data and CIIOs. Such clarification has substantial impact on compliance.
Data which has not been identified or publicly released as important data by the relevant regulator within a sector or region is not important data and is thus not subject to the CAC security assessment.
The relevant regulators of important sectors and fields are responsible for formulating guidelines on how to identify critical information infrastructure in their respective sectors and fields and notifying the CIIOs of the same.
8. Treatment of pending applications
For data transfers which have not passed or have partially passed the CAC security assessment before the implementation of the Provisions and which are now exempted from the CAC security assessment according to new rules, the data transferor can legally transfer personal information outside of mainland China by adopting other Cross-border Data Transfer Mechanisms, ie the Standard Contract or Certification.
As for applications to the CAC for security assessment or Standard Contract filing which have been submitted before the implementation of the Provisions and which are now exempted from adopting any of the Cross-border Data Transfer Mechanisms pursuant to the new rules, the data transferor has the option of either proceeding with or withdrawing its application.