China Issues New Regulation Easing Cross-Border Data Transfers

On 22 March 2024, the Cyberspace Administration of China (“CAC”) issued the long-awaited Provisions on Facilitating and Regulating Cross-Border Data Transfer (“Regulation”), effective as of the same date. The CAC simultaneously updated the Guidelines to Applications for Security Assessment of Outbound Data Transfers and the Guidelines for Filing the Standard Contract for Outbound Cross-Border Transfer of Personal Information to harmonize the current rules for cross-border data transfers. The Regulation benefits many multinational companies as they transfer personal information (“PI”) and other data out of China. The substance of the Regulation consists in exceptions to the requirements, such as “security assessments” and “standard contracts”, set out by pre-existing laws and regulations for outbound cross-border data transfers (“Data Export”).

Pre-Existing Requirements for Data Export

Starting in 2022, Data Export has been subject to several relatively onerous requirements (collectively, “Data Export Requirements”), including carrying out a “security assessment” if certain thresholds are met or, in other circumstances, executing and filing a “standard contract” with the relevant overseas recipient of the PI or passing “PI protection certification” from a specialized institution.[1]

New Exceptions to Data Export Requirements

By virtue of the Regulation, now, Data Export in the following circumstances are exempt from the Data Export Requirements (“Exceptions”):

• PI exporting that is necessary for the conclusion or performance of a contract to which the PI subject is a party, such as cross-border shopping, delivery, payments, bank account opening, ticket and hotel bookings, visa applications, examination services, etc.;
• Exporting PI of employees for purposes of implementing HR management according to employment policies and collective labor contracts;
• Exporting PI for purposes of protecting individuals’ life, health, or property security in emergency situations;
• Exporting non-sensitive-PI of no more than 100,000 individuals (on a cumulative basis) by a data handler who is not a critical information infrastructure operator (“CIIO”) since January 1 of the current year;
• Exporting PI that is collected or generated outside mainland China (provided no “important data” or PI collected/generated in mainland China is included in the Data Export); and
• Exporting non-PI data that is collected or generated during international trade, cross-border shipping, academic cooperation, cross-border manufacturing and marketing, and certain other as-yet unspecified activities, unless such data is recognized as “important data” (or as some other, more specialized, kinds of data, e.g., state secrets).

Other Relaxing of Data Export Requirements

In addition to the Exceptions (listed above), the Regulation relaxes some other requirements for Data Export. Most notably, it eases some of the thresholds that trigger the requirement for security assessments or for either standard contracts or PI protection certification.

Security Assessment: The Regulation eliminated one of the triggers for the security assessment requirement (“data handlers who process the PI of more than one million individuals and seek to transfer any PI offshore”), increased and thus relaxed the threshold amount of non-sensitive-PI that can be transferred abroad without triggering the requirement (from 100,000 to 1 million individuals’ PI), and shortened the time period for the cumulative threshold amounts of PI and sensitive PI (counting only the current year, rather than also the preceding year). In short, the thresholds triggering the security assessment requirement are now as follows:

• CIIOs seeking to transfer any PI or “important data” offshore;
• Data handlers who are not CIIOs seeking to transfer “important data” offshore;
• Data handlers who are not CIIOs seeking to transfer offshore, on a cumulative basis, the PI (excluding sensitive PI) of more than 1 million individuals in the period since January 1 of the current year;
• Data handlers who are not CIIOs seeking to transfer offshore, on a cumulative basis, the sensitive PI of more than 10,000 individuals in the period since January 1 of the current year.

To be clear, however, if an instance of intended cross-border data transfer exceeds any one of the above thresholds but the circumstances are among one of the Exceptions, it is still not subject to the security assessment requirement. Moreover, in a press release about the Regulation, the CAC clarified that when it calculates the amount of PI (including sensitive PI) processing to determine if a threshold is exceeded, the CAC will not count PI that is transferred under any of the Exceptions.

Standard Contract or PI Protection Certification: The Regulation also shortens the time period for calculating cumulative PI and sensitive PI to determine whether a threshold is reached – a change which significantly relaxes the triggers for the requirement. Now, the relevant triggers are as follows:

• Data handlers who are not CIIOs seeking to transfer offshore, on a cumulative basis, the PI (excluding sensitive PI) of more than 100,000 individuals but less than 1 million individuals in the period since January 1 of the current year;
• Data handlers who are not CIIOs seeking to transfer offshore, on a cumulative basis, the sensitive PI of no more than 10,000 individuals in the period since January 1 of the current year.

If either of the above thresholds are exceeded while none of the security assessment thresholds are met and the circumstances are not among the Exceptions, data handlers will have to satisfy either the standard contract requirement (including not only executing the contract but also filing it with the CAC) or the PI protection certification requirement.

Requirements Related to Other Data

The Regulation also provides that unless the data to be transferred offshore has been designated “important data” by relevant PRC regulators, PI handlers are not required to go through the security assessment procedures related to offshore transfers of “important data”.

At the same time, the Regulation provides that Free Trade Zones (“FTZs”) are allowed to formulate negative lists to specify data types subject to the relevant Data Export Requirements (“Negative List”). For a data handler domiciled in an FTZ, the Data Export Requirements will only apply to export of data types included in the FTZ’s Negative List.

Our Observations

The Regulation’s exceptions and other easing of existing Data Export Requirements will significantly reduce compliance burdens for many multinational companies.

With this Regulation, many cross-border data transfers involved in various daily operations of multinational companies, including transferring PI of China employees or of customers, vendors, and other business associates, will not be subject to any security assessment, standard contract, or PI protection certification requirements. Furthermore, the threshold amount of data subjects whose PI can be exported before triggering the requirement to go through the security assessment procedure has been raised, from 100,000 to one million, and the period for counting the amount has been shortened, i.e., data handlers can now transfer PI of up to (but not including) one million data subjects within the period starting from January 1 of the current year (rather than starting from the preceding year) before being required to undertake a security assessment (but through a standard contract or PI protection certification if the threshold reaches 100,000).

Data handlers in FTZs benefit from even fewer requirements: if the data type to be transferred would not be included in a Negative List of the kind proposed by the Regulation, such data handlers could transfer the data without being subject to any of the Data Export Requirements.

Given the Exceptions and relaxed requirements, for a data handler who has already filed an application for security assessment or filed a standard contract, if the CAC has not completed its review but the circumstances of the data handler and its cross-border data transfer(s) are no longer subject to the Data Export Requirements, the data handler can withdraw its filing.

[1] For overviews of the pre-existing Data Export Requirements, please see our newsletters China Releases Finalized Rules on Security Assessments for Cross-Border Data Transfers | DaHui Lawyers, CAC Releases Finalized Measures on Standard Contracts for the Outbound Cross-Border Transfer of PI | DaHui Lawyers, and CAC Issues Guidelines on Standard Contract Filing for Outbound Cross-Border Transfer of PI| DaHui Lawyers.