Introduction
On 22 March 2024 at 2000 hours, the Cyberspace Administration of China (“CAC”) released the long-awaited Regulations for Promoting and Standardising Cross-Border Data Transfer (“CBDT Regs”), which took effect immediately. The CBDT Regs undo or further clarify some of the requirements under:
- Article 38 of the Personal Information Protection Law (“PIPL”);
- Measures for the Security Assessment of Outbound Data Transfers (“Security Assessment Measures”); and
- Measures for the Standard Contract for Outbound Cross-Border Transfer of Personal Information (“Standard Contract Measures”).
This article explores the CBDT Regs in detail and discusses their practical implications for organisations with cross-border data transfers (“CBDT”) to and from China.
Important Data
For a number of years, Important Data was a nebulous concept in Chinese law. In the context of CBDT, the primary definition was found within the Security Assessment Measures, which provide:
“For the purposes of these Measures, the term “Important Data” means any data, the tampering, damage, leakage, or illegal acquisition or use of which, if it happens, may endanger national security, the operation of the economy, social stability, public health and security, etc.”
The above definition of Important Data is risk-based. The consequences of this were:
- Data had to be considered on an element-by-element basis and collectively;
- Important Data could, in theory, lose its important status (for example, the value of market data typically decreases with time);
- Ordinary data could, in theory, become Important Data if, among other things, it was combined with other data or if the data became strategically important to China;
- Important Data could vary from entity to entity, which meant the source of data could be a significant indicator of Important Data; and
- Identifying Important Data required an understanding and analysis of all data held by an organisation.
Due to the factors listed above, Data Processors could not be sure that their views on what constituted Important Data would align with those of regulators. This, in turn, made data compliance activities challenging.
Article 2 of the CBDT Regs simplifies the identification of Important Data by stating:
“Data Processors shall identify and declare Important Data in accordance with relevant regulations. Where a Data Processor has not been notified or relevant departments or regions have not publicly announced that data is Important Data, the Data Processor need not declare such data as Important Data for a Security Assessment.”
Moreover, during a Q&A Session on 22 March 2024 (“CBDT Q&A”), the CAC stated:
“According to the Provisions, Data Processors shall identify and declare Important Data in accordance with relevant provisions. Where data has not been notified by the relevant departments or regions or publicly released as Important Data, Data Processors do not need to apply for a security assessment for data export as Important Data.”
Based on the CBDT Regs and the CBDT Q&A, unless a public authority tells a Data Processor or announces that data is Important Data, the data in question is not Important Data. Accordingly, Article 2 gives Data Processors much-needed clarification to help them understand how to identify Important Data.
Exemptions from 3 CBDT Paths
The CBDT Regs introduce several data export scenarios which are exempt from the Security Assessment, concluding the Standard Contract or obtaining Certification (the Security Assessment, Standard Contract and Certification are each a “CBDT Path” and collectively the “3 CBDT Paths”). These exemptions will presumably be welcomed by businesses and include:
Exemption 1: Exporting data other than Important Data and Personal Information
Article 3 of the CBDT Regs provides:
“Where a Data Processor exports data (which does not contain Personal Information or Important Data) collected and generated in international trade, international transportation, academic cooperation, transnational manufacturing, and marketing activities, it is exempt from the requirement to apply for a Security Assessment, conclude the Standard Contract or obtain Certification.”
This provision is not actually new. Data not classified as Important Data or Personal Information has never been required to follow the 3 CBDT Paths. We understand the CAC merely reiterates this point to clear up some misunderstandings held outside the regulator.
Exemption 2: Exporting imported overseas Personal Information
Article 4 of the CBDT Regs states:
“Where Personal Information collected and generated by a Data Processor overseas is transmitted to China for processing and then provided overseas, and no domestic Personal Information or Important Data is introduced in the processing, it is exempt from the requirement to apply for a Security Assessment, conclude the Standard Contract or obtain Certification.”
In other words, Personal Information not originating from China is exempt from the 3 CBDT Paths. A typical scenario that this exemption covers is when a foreign entity engages a Chinese entity to analyse the Personal Information of overseas individuals and then transfer the analysis results to the foreign entity. Other scenarios may also fall under this exemption but will need to be considered on a case-by-case basis.
Exemption 3: Contract Exemption
Article 5, Paragraph 1, Item 1 of the CBDT Regs exempts Data Processors from having to follow a CBDT Path in relation to “necessary” exports of Personal Information for the following purposes:
“(1)… for the conclusion or performance of a contract to which an individual is a contracting party, such as cross-border shopping, cross-border delivery, international remittances, cross-border payment, cross-border account opening, flight and hotel reservations, visa processing, examination services, etc. (“Contract Exemption”)”
The wording of the Contract Exemption mirrors the first part of Article 13, Paragraph 1, Item 2 of the PIPL. However, it also provides illustrative examples that appear to be part of an open list. Based on the plain wording of the Contract Exemption, two key requirements must be met to rely on it: (1) there is a genuine necessity to export Personal Information to conclude or perform a contract, and (2) the concerned individual must be a party to such a contract.
Exemption 4: Employee Exemption
Article 5, Paragraph 1, Item 2 of the CBDT Regs exempts Data Processors from having to follow a CBDT Path in relation to “necessary” exports for the following purposes:
“(2)… the export of employees’ Personal Information… for carrying out cross-border human resources management under an employment policy legally established or a collective contract legally concluded. (“Employee Exemption”)”
The wording of the Employee Exemption matches the second part of Article 13, Paragraph 1, Item 2 of the PIPL. Two key requirements must be met to rely on the Employee Exemption: (1) there is a genuine necessity to export Personal Information for human resources management, and (2) an employment policy has been legally established or a collective contract has been legally concluded which specifies the Personal Information export.
Currently, no guidance exists on the meaning of necessity for human resources management. However, in our experience of the Security Assessment and Standard Contract, the CAC has generally accepted filings where the issue of necessity was addressed from the perspective of achieving centralised and unified personnel management within a global organisation.
As for the requirement of a legally established employment policy, a Data Processor will need to follow some specific provisions in relevant employment laws and regulations to meet this requirement. Such provisions relate to the specific content of relevant employment policies and the procedures for drafting and issuing them, including consultations with employees and work unions.
Exemption 5: Emergency Exemption
Article 5, Paragraph 1, Item 3 of the CBDT Regs exempts Data Processors from having to follow a CBDT Path in relation to “necessary” exports of Personal Information for the following purposes:
“(3)… to protect the life, health, and property safety of natural persons in the case of an emergency. (“Emergency Exemption”)”
The wording of the Emergency Exemption matches part of Article 13, Paragraph 1, Item 4 of the PIPL. This is not a situation that every company will come across every day. However, it would be impractical for any company to follow any of the 3 CBDT Paths if a real emergency arose. Two key requirements must be met to rely on the Emergency Exemption: (1) there is a genuine necessity to export Personal Information for saving life, health or property, and (2) an emergency threatening life, health or property has occurred or will likely occur.
Exemption 6: De Minimis Exemption
An exemption from the 3 CBDT Paths exists in Article 5, Paragraph 1, Item 4 of the CBDT Regs, which provides:
“(4) Where a Data Processor (which is not a critical information infrastructure operator) has exported the Personal Information of less than 100,000 individuals (excluding sensitive Personal Information) since 1 January of the current year. (“De Minimis Exemption”)”
The De Minimis Exemption can be understood by reference to volumes of ordinary Personal Information exported within a calendar year. The wording of the De Minimis Exemption also excludes exports containing sensitive Personal Information from its scope. In other words, a single item of sensitive Personal Information among 99,999 or fewer individuals’ Personal Information is enough to void the exemption.
Regarding Article 7 of the CBDT Regs, which also requires a consideration of data quantities, Question 11 of the CBDT Q&A states that if “it falls under the circumstances specified in Article 3, Article 4, Article 5, Paragraph 1, Items 1 to 3, or Article 6 of the Regulations, it shall not be included in the cumulative quantity.” This suggests that Data Processors may first deduct the scenarios covered by exemptions under other provisions of the CBDT Regs when calculating the quantity of individuals for the purpose of the De Minimis Exemption. In other words, it seems that exemptions may be stacked together. However, this point remains untested for the De Minimis Exemption.
Exemption 7: Data not on FTZ Negative Lists
Article 6 of the CBDT Regs provides:
“Within the national framework for the classified and graded data protection system, a Free Trade Zone (“FTZ”) may establish its own list of data (“Negative List”) that shall be managed through the Security Assessment, the Standard Contract or Certification mechanisms. A Negative List shall be approved by the [relevant] provincial-level cyberspace authority and filed with the national cyberspace and data management authorities.
Where a Data Processor within a Free Trade Zone exports data not on the [applicable] Negative List, it is exempt from the requirement to apply for a Security Assessment, conclude the Standard Contract, or obtain Certification.”
Data Processors in an FTZ who provide data not included on a Negative List are exempt from the 3 CBDT Paths.
Please note that according to the CBDT Q&A, until an FTZ issues a Negative List, data export activities in an FTZ should be carried out in accordance with national laws and regulations, including the CBDT Regs.
CBDT Path Quantity Thresholds
Articles 7 and 8 of the CBDT Regs, as well as Article 5, Paragraph 1, Item 4 that we introduced above, have changed the previous Personal Information quantity thresholds for the 3 CBDT Paths. We summarise these new thresholds below:
Articles 7 and 8 provide that where a conflict exists with Articles 3, 4, 5 and 6, Articles 3, 4, 5 and 6 prevail. Furthermore, as discussed, the CAC has stated for Article 7 that if “it falls under the circumstances specified in Article 3, Article 4, Article 5, Paragraph 1, Items 1 to 3, or Article 6 of the Regulations, it shall not be included in the cumulative quantity.” We understand that this means exemptions and export scenarios should be considered when calculating export quantities for the purpose of Article 7. Moreover, and for internal consistency, it seems that this approach should also apply elsewhere in the CBDT Regs, though this view is presently untested.
Security Assessment Results Extension
Article 9 of the CBDT Regs states that the results of a Security Assessment are valid for 3 years from the date they were issued. It then states that if a Data Processor needs to continue making exports and has not triggered a reassessment, it may seek an extension of the validity period via its local provincial-level CAC “within 60 working days before the expiration of the validity period.”
Compliance Obligations
Article 10 of the CBDT Regs contains generic compliance requirements for Data Processors conducting data export activities, regardless of whether any of the 3 CBDT Paths applies. However, it explicitly provides the following illustrative examples:
“… giving notifications, obtaining separate consent and conducting Personal Information protection impact assessments.”
Based on our experience, the above examples tend to be focal points of CAC review during Security Assessment and Standard Contract filings, as well as other types of examination. Therefore, we suggest that Data Processors conducting data export activities should pay close attention to such matters and improve their compliance work in these areas in particular.
Investigations and Penalties
Article 12 of the CBDT Regs provides:
“Local cyberspace authorities shall strengthen their guidance and regulation of data exports by Data Processors, improve the Security Assessment mechanism, optimise the assessment process, and enhance their supervision in all aspects before, during and after the data exports. If a cyberspace authority discovers significant risks in a data export or a data security incident occurs, it shall require the Data Processor to rectify and eliminate any risks. If the Data Processor refuses to rectify matters or serious consequences are caused, it shall be held liable in accordance with the law.”
Based on our experience, the CAC may become aware of risks to exported data through a number of channels. If the CAC discovers a significant risk in a data export or a data security incident occurs, it may require a Data Processor to take remediation measures to rectify and eliminate any risks. If the Data Processor refuses to take remediation measures or serious consequences are caused, further action may be taken against the Data Processor.
Based on our experience assisting clients with CAC inspections, the CAC is willing to discuss reasonable remediation measures with Data Processors. However, Data Processors need to maintain open communication channels with the CAC and demonstrate a willingness to cooperate with enquiries if they hope to enter meaningful discussions.
Conflicts with CAC’s Previous Regulations
Where any other regulations of the CAC conflict with the CBDT Regs, the CBDT Regs prevail.
Ongoing and Completed CAC Filings
Completed Security Assessments
The CBDT Q&A explicitly states that “Data Processors may continue to carry out data export activities” if they passed the Security Assessment before the CBDT Regs took effect.
Where a Data Processor failed or partially passed the Security Assessment before the CBDT Regs took effect, it may rely on any applicable reporting exemptions under the CBDT Regs or, if applicable under the CBDT Regs, the Standard Contract or Certification.
Ongoing filings
Where a Security Assessment or Standard Contract filing was initiated before the CBDT Regs were issued, and any alternative CBDT Path or exemptions are now available under the CBDT Regs, a Data Processor may:
- choose to continue its ongoing filing procedure;
- withdraw its filing and make use of any applicable alternative CBDT Path; or
- withdraw its filing if the Data Processor is exempt from the 3 CBDT Paths.
Conclusions
The CBDT Regs fine-tune and, to some extent, relax some restrictions on data exports from China. Based on the CBDT Regs, Data Processors in China may be able to mitigate their overall CBDT compliance obligations if they can adjust their processing activities to take full advantage of the exemptions offered by the CAC. This may involve revisiting legal bases, restructuring commercial arrangements, updating their internal policies, and optimising their overall data compliance framework.