Sep 28, 2023

CAC Issues Draft Regulation for Easing Cross-Border Data Transfers

On 28 September 2023, the Cyberspace Administration of China (“CAC”) released the Draft Provisions on Regulating and Facilitating Cross-Border Data Transfer (“Draft Regulation”), open for public comments until 15 October 2023. The Draft Regulation, if ultimately issued substantially in its present form, would benefit many multinational companies as they transfer various kinds of data out of China. The substance of the Draft Regulation consists in exceptions to the requirements, such as security assessments and standard contracts, set out by existing laws and regulations for outbound cross-border data transfers (“Data Export”).

Existing Requirements for Data Export

Under the existing data protection regime, Data Export is subject to the following requirements (collectively, “Data Export Requirements”):

Security Assessment. The following parties must carry out so-called “security assessments”[1] before transferring data offshore:

  • Critical information infrastructure operators seeking to transfer personal information (“PI”) offshore;
  • Data handlers seeking to transfer so-called “important data”[2] offshore;
  • Data handlers who process the PI of more than one million individuals and seek to transfer any PI offshore;
  • Data handlers who transfer offshore, on a cumulative basis, the PI of more than 100,000 individuals in the period since January 1 of the preceding year; and
  • Data handlers who transfer offshore, on a cumulative basis, the “sensitive personal information” of more than 10,000 individuals in the period since January 1 of the preceding year.

Standard Contract or PI Protection Certification. If none of the thresholds for the security assessment listed above is triggered, a party wishing to transfer any PI out of China must nevertheless carry out one of the following procedures:[3]

  • executing a standard contract issued by the CAC with the relevant overseas recipient of the PI; or
  • passing “PI protection certification” from a specialized institution designated by the CAC.

Proposed Exceptions to Data Export Requirements

Under the Draft Regulation, none of the Data Export Requirements would apply in the following circumstances:

  • PI exporting that is necessary for the conclusion or performance of a contract to which the PI subject is a party, such as cross-border shopping, payments, ticket and hotel bookings, visa applications, etc.;
  • Exporting PI of employees for purposes of implementing HR management according to employment policies and collective labor contracts;
  • Exporting PI of no more than 10,000 individuals within one year;
  • Exporting PI for purposes of protecting individuals’ life, health, or property security in emergency situations;
  • Exporting of PI that is not collected or generated within mainland China; and
  • Exporting non-PI data that is collected or generated during international trade, academic cooperation, cross-border manufacturing and marketing, and certain other as-yet unspecified activities, unless such data is recognized as “important data”.

Eased Data Export Requirements

The Draft Regulation contains additional provisions that may ease Data Export.

Under the current framework,[4] data handlers who transfer offshore, on a cumulative basis, the PI of more than 100,000 individuals, or the sensitive PI of more than 10,000, in the period since January 1 of the preceding year are required to perform the security assessment obligations.

Under the Draft Regulation, in the case of exporting PI of 10,000 individuals or more, but fewer than one million individuals, within a one-year period, the PI handler would not be required to go through the security assessment procedure. Instead, such PI handlers can opt to follow either the standard contract process (i.e., signing a standard contract and filing it with the CAC) or the PI protection certification process. As stated above, for PI of 10,000 or fewer individuals, none of the Data Export Requirements would apply under the Draft Regulation: data handlers could export PI of up to 10,000 individuals, within a one-year period, without going through any of the security assessment, standard contract, or PI protection certification procedures.

However, even under the Draft Regulation, the security assessment procedure would need to be followed by any data handler that transfers PI of one million or more individuals offshore.

Requirements Related to Other Data

The Draft Regulation also provides that unless the data to be transferred offshore has been designated “important data” by relevant PRC regulators, PI handlers would not be required to go through the security assessment procedures related to offshore transfers of “important data”.

At the same time, the Draft Regulation provides that Free Trade Zones (“FTZs”) are allowed to formulate negative lists to specify data types subject to the relevant Data Export Requirements (“Negative List”). For a data handler domiciled in an FTZ, the Data Export Requirements would only apply to export of data types included in the FTZ’s Negative List.

Our Observations

The exceptions and other easing of existing Data Export Requirements proposed under the Draft Regulation would significantly reduce compliance burdens for many multinational companies.

If the Draft Regulation is ultimately issued substantially in its current form, upon its implementation, many cross-border data transfers involved in various daily operations of multinational companies, including transferring PI of China employees or of customers, vendors, and other business associates, will not be subject to security assessments, standard contracts, or PI protection certification. Furthermore, the threshold number of data subjects whose PI can be exported before triggering the requirement to go through the security assessment procedure would be raised from 100,000 to one million, i.e., data handlers could transfer PI of up to (but not including) one million data subjects within a one-year period without being required to undertake a security assessment.

Data handlers in FTZs might benefit from even fewer requirements: if the data type to be transferred would not be included in a Negative List of the kind proposed by the Draft Regulation, such data handlers could transfer the data without being subject to any of the Data Export Requirements.

However, certain provisions or aspects of the Draft Regulation would still need to be clarified or interpreted by the CAC, such as the manner of calculating the one-year period for counting the number of subjects whose PI will be transferred, and whether a standard contract would be sufficient for transferring sensitive PI of more than 10,000 individuals (but fewer than one million) within a one-year period.

In light of the above potential ramifications and uncertainties, any public comments on the Draft Regulation, the eventual issuance or next draft of the Draft Regulation, and any authoritative statements about the meaning and implication of certain provisions of the Draft Regulation all merit close attention.


[1] See the Measures Concerning the Security Assessment for Cross-Border Data Transfer (“SA Measures”), issued by the CAC on, and effective as of, 1 September 2022.

[2] Under the SA Measures, “important data” is defined as any data that, once tampered with, damaged, leaked, illegally accessed or used, etc., may endanger national security, economic operation, social stability, or public health and safety.

[3] See Article 38 of the Personal Information Protection Law of the People’s Republic of China, promulgated by the Standing Committee of the National People’s Congress and effective as of 1 November 2021.

[4] See Article 4 of the SA Measures.


© DaHui Lawyers