On 28 September 2023, the Cyberspace Administration of China (“CAC“) issued the Regulations for Standardising and Promoting Cross-Border Data Flows (Draft for Comments) (“Draft Regulations”) to solicit public comments. The Draft Regulations appear to overturn some of the CAC’s previous requirements in relation to cross-border data transfers.
Legal mechanisms under the PIPL
Under Article 38 of the Personal Information Protection Law (“PIPL“) issued in 2021, companies intending to export personal information to overseas recipients are required to go through one of the following legal mechanisms (“Legal Mechanisms“):
1. going through the security assessment organised by the CAC (“Security Assessment“);
2. signing the Standard Contract issued by the CAC with the overseas recipient (“Standard Contract”);
3. seeking personal information protection certification from a professional institute recognised by the CAC (“Certification“); or
4. meeting other conditions prescribed by law, administrative regulations, or the national cyberspace authority.
The CAC has issued several regulations detailing the requirements for implementing the Legal Mechanisms, including:
|Legal Mechanism||CAC Regulations|
|Security Assessment||Measures for the Security Assessment of Outbound Data Transfers|
|Standard Contract||Measures for the Standard Contract for Outbound Cross-Border Transfer of Personal Information|
|Certification||Announcement on the Implementation of Personal Information Protection Certification|
It is also worth noting that Item 4 of Article 38 of the PIPL grants the CAC the power to create new or supplemental rules for cross-border transfers of personal information. However, before the Draft Regulations, the CAC had never issued any rules that deviated from the three Legal Mechanisms.
Implementation of the Legal Mechanisms
Onerous compliance obligations under the Legal Mechanisms
The CAC has gradually promulgated regulations to implement the Legal Mechanisms for the Security Assessment, Standard Contract and Certification since late 2022. Companies that fall within the scope of the Legal Mechanisms have been trying to comply with them ever since. However, the compliance obligations under the Legal Mechanisms are onerous and require a significant amount of time and effort to complete tasks such as:
- data mapping;
- improvements to data protection and information security policies;
- conducting assessments based on complicated parameters prescribed by the CAC and drafting long assessment reports;
- seeking separate consent from individuals whose information is transferred out of China; and
- assessing the local laws and policies of the countries to which the data will be exported.
It is also worth noting that the Security Assessment and Standard Contract both involve making filings with the CAC, and some companies’ data export practices have been challenged by the CAC during the filing process.
Concerns of companies and the CAC’s response
In light of the onerous compliance obligations associated with implementing the Legal Mechanisms, some multinational companies expressed their concerns to the CAC, and the CAC appears to be responsive to these concerns. For example:
- In July 2023, the State Council issued the Opinions on Further Optimising the Environment for Foreign Investment and Increasing Efforts to Attract Foreign Investment (“Opinions“), which calls for the government to “explore a streamlined security management mechanism for cross-border data flows”, “establish green channels for qualified foreign-invested enterprises, efficiently conduct security assessments for the outbound transfer of important data and personal information”, and “promote safe and orderly flows of data”. The Opinions also encourage regions such as Beijing, Tianjin, Shanghai, and the Guangdong-Hong Kong-Macau Greater Bay Area to create, on a pilot basis, “lists of some ordinary data that is allowed to flow freely”.
- In August 2023, the CAC is reported to have contacted and met with representatives from dozens of multinational companies to ease their concerns about the cross-border data transfer regime. For more information, see https://techmonitor.ai/technology/china-on-charm-offensive-with-western-businesses-over-new-data-laws.
The Draft Regulations
As a follow-up action to the government’s initiative to relax the requirements for cross-border data transfers, the CAC appears to be considering exercising its power under Article 38 of the PIPL to create some exceptions to the existing Legal Mechanisms to facilitate cross-border data transfers.
Essentially, the Draft Regulations propose exempting companies from complying with ALL three Legal Mechanisms under Article 38 of the PIPL if their data export scenarios fall under any of the following conditions:
- the personal information to be exported is not collected or generated within China;
- the export of personal information is necessary for the conclusion or performance of a contract to which the individual is a contracting party, such as personal information exports required for cross-border shopping, international remittances, flight and hotel reservations, visa processing, etc.;
- the export of employees’ personal information is necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded;
- the export of personal information is necessary to protect the life, health, and property safety of natural persons in the case of an emergency;
- a company intends to export the personal information of less than 10,000 individuals within a year.
The Draft Regulations also propose raising the data transfer volume thresholds for triggering a Security Assessment (a more onerous Legal Mechanism) and allowing data exporters making lower volume transfers of data to rely on the Standard Contract or Certification (two relatively less onerous Legal Mechanisms):
|Data transfer volume thresholds||Security Assessment required?||Is a Standard Contract or Certification required?|
|Exporting the personal information of over 10,000 but less than 1,000,000 individuals within a year.||No||Yes|
|Exporting the personal information of over 1,000,000 individuals||Yes||No|
The Draft Regulations appear more friendly to multinational companies than previous regulations. They would, once formalised, significantly reduce their compliance obligations. However, the sudden release of the Draft Regulations has raised a number of questions, which we attempt to answer below.
When will the Draft Regulations take effect?
It is unclear when the Draft Regulations will take effect. However, the CAC may want to formalise them soon because:
- The CAC only provided 18 days (28 September – 15 October, most of which was a national public holiday) to solicit public comment, indicating its determination to formalise the Draft Regulations promptly.
- The statutory deadline for filing the Standard Contract will end on 30 November 2023. If the Draft Regulations are not formalised soon, companies may devote time and resources towards meeting this deadline to file signed Standard Contracts with the CAC, and the CAC would then face the burden of processing these filings. Therefore, the CAC may want to formalise the Draft Regulations sooner rather than later and, in any event, before 30 November 2023.
Can companies rely on the Draft Regulations to stop work in relation to the Legal Mechanisms now?
- Until a formal version of the Draft Regulations is released, they should not be treated as an effective regulation to be relied on.
- There is a possibility that the Draft Regulations may not be formalised by 30 November 2023. In that case, companies that need to adopt the Standard Contract would still be bound by the CAC’s existing regulations, which require them to file the signed Standard Contract with their local CAC by 30 November 2023.
- The exemptions under the Draft Regulations are broad, and how they would interact with conflicting triggers under the CAC’s previous regulations is unclear. We expect more clarification in the final version of the Draft Regulations.
- The radical changes proposed by the Draft Regulations are unusual. It is possible the CAC may want to take a step back in the formal version. For example, instead of exempting qualified companies from all Legal Mechanisms, the CAC may still want these companies to take some less onerous compliance measures (e.g., signing the Standard Contract but not filing with the CAC) to ensure data security.
- The Draft Regulations do not propose changing the fundamental data compliance requirements of the PIPL. Therefore, even if companies may not need to go through any of the Legal Mechanisms, they would still be obliged to take actions to comply with the PIPL, including:
- Setting up a data protection compliance framework (Article 51 of the PIPL);
- developing an internal management system and operating procedures;
- managing personal information based on classification;
- taking appropriate technical security measures such as encryption and de-identification;
- reasonably determining authorisations to operate the processing of personal information and conducting security education and training for employees regularly;
- developing and organising the implementation of emergency plans for personal information security incidents; and
- taking any other measure required by law or administrative regulations.
- Notifying the data subjects of the details of the transfers and obtaining their separate consent where required (Article 39 of the PIPL);
- Conducting Personal Information Protection Assessments (PIPIA) for cross-border data transfers (Article 55 of the PIPL);
- Signing data processing agreements with entrusted processors (Article 21 of the PIPL).
- Setting up a data protection compliance framework (Article 51 of the PIPL);
The compliance work needed for these Legal Mechanisms significantly overlaps with the above PIPL requirements. As such, the compliance work that companies have started with a view to implementing the Legal Mechanisms will not be wasted.
How companies should react to the Draft Regulations
At this stage, companies are advised to:
- carry on their compliance work for the Legal Mechanisms as planned;
- analyse whether certain data export scenarios may fall under the proposed exemptions in the Draft Regulations;
- monitor the development of the Draft Regulations closely; and
- seek guidance from their local CAC or wait until the Draft Regulations are formalised to identify whether any further actions are required for filings that have already been submitted.
Regulations for Standardising and Promoting Cross-Border Data Flow (Draft for Comments)
In order to safeguard national data security, protect the rights and interests of personal information, and further regulate and promote the lawful and orderly free flow of data, the following provisions are made in accordance with relevant laws regarding the implementation of data export regulations such as the Measures for the Security Assessment of Outbound Data Transfers and the Measures for the Standard Contract for Outbound Transfer of Personal Information:
Where a Data Processor exports data (which does not contain personal information or important data) in international trade, academic cooperation, transnational manufacturing, and marketing activities, it is not required to apply for a Security Assessment of Outbound Data Transfers (“Security Assessment“), conclude the Standard Contract for Outbound Transfer of Personal Information (“Standard Contract“), or obtain a personal information protection certification (“Certification“).
For data that is not notified to the Data Processor or publicly released by relevant departments or regions as important data, the Data Processor does not need to declare such data as important data for a Security Assessment.
Where the outbound personal information is not collected or generated within China, there is no need to apply for a Security Assessment, conclude the Standard Contract, or obtain a Certification.
In the following cases, there is no need to apply for a Security Assessment, conclude the Standard Contract, or obtain a Certification:
Where the export of personal information is necessary for the conclusion or performance of a contract to which the individual is a contracting party, such as cross-border shopping, international remittances, flight and hotel reservations, visa processing, etc.
Where the export of internal employees’ personal information is necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded.
Where the export of personal information is necessary to protect the life, health, and property safety of natural persons in the case of an emergency.
Where a Data Processor intends to export the personal information of less than 10,000 individuals within a year, it is not required to apply for a Security Assessment, conclude the Standard Contract, or obtain a Certification. However, where a Data Processor exports personal information based on the consent of individuals, it is required to obtain the personal information subjects’ consent.
For a Data Processor intending to export the personal information of over 10,000 but less than 1,000,000 individuals within a year, if it has concluded the Standard Contract and filed with the provincial-level cyberspace authority, or has obtained a Certification, it is not required to apply for a Security Assessment; For a Data Processor intending to export the personal information of over 1,000,000 individuals, it is required to apply for a Security Assessment. However, where a Data Processor exports personal information based on the consent of individuals, it is required to obtain the personal information subjects’ consent.
Free Trade Zones may establish their own lists of data (“Negative Lists“) that shall be managed through the mechanisms of the Security Assessment, the Standard Contract, or the Certification. The Negative Lists shall be approved by the provincial-level cyberspace authority and filed with the national cyberspace authority.
It is not required to apply for the Security Assessment, conclude the Standard Contract, or obtain the Certification to export data that is not on the Negative Lists.
The export of personal information and important data by government agencies and critical information infrastructure operators shall be subject to relevant laws, administrative regulations, and departmental rules.
The export of sensitive data and sensitive personal information that involves the Party, the government, the army, and confidential units shall be subject to relevant laws, administrative regulations, and departmental rules.
Data Processors who export important data and personal information shall comply with the laws and administrative regulations, fulfil data security protection obligations, and ensure the security of data exports. In the event of a data export security incident or an increased risk in data exports, they shall take remedial measures and promptly report to the cyberspace authority.
Local cyberspace authorities shall strengthen their guidance and regulation of data exports by Data Processors, and enhance their supervision before, during and after the data exports. If they discover significant risks in the data export or if a security incident occurs, they shall require the Data Processor to rectify and eliminate the risks. If the Data Processor refuses to rectify or if serious consequences are caused, the Data Processor shall be ordered to stop data exports in accordance with laws in order to ensure data security.
Where the Measures for the Security Assessment of Outbound Data Transfers, Measures for the Standard Contract for Outbound Transfer of Personal Information, or other relevant provisions are inconsistent with these regulations, these regulations shall prevail.