On 22 March 2024, the Cyberspace Administration of China (“CAC”) implemented the Provisions on the Promotion and Regulation of Cross-border Data Transfer (“Provisions”) and updated the guidelines for security assessment and standard contracts (together the “Updated Guidelines”) with immediate effect. The Provisions aim to promote foreign investments into China and lessen the compliance burden of multinational companies on cross-border data transfer.
Prior to the Provisions, data may be transferred abroad after meeting one of the following procedures :-
1. passing the security assessment led by the CAC (“Security Assessment”);
2. obtaining personal information protection certification from the relevant professional institutions (“Protection Certification”); or
3. entering into a standard contract with the overseas recipient and filing it with the CAC (“Standard Contract”).
Highlights of the Provisions
The Provisions relaxed the cross-border data transfer requirements by revising the threshold for triggering the Security Assessment and provided a number of exemptions to the three transfer procedures, which is a step greatly welcomed by the international business community in China.
Revised Thresholds for Triggering the Security Assessment
For operators of critical information infrastructure (i.e. important network facilities and information systems in important industries and fields as determined by regulators) (“CII Operators”), the original restrictions still apply for the transfer of important data and personal information. Additionally, CII Operators must pass the Security Assessment and cannot opt to fulfill the procedures via Protection Certification nor Standard Contract.
For non-CII Operators, the Security Assessment is relaxed and no longer required for processing the personal information (not sensitive data) of more than 100,000 but less than 1 million individuals or sensitive personal information of less than 10,000 individuals. In such cases, it can choose to obtain the Protection Certification or enter into Standard Contract and file it with the CAC instead. If non-CII Operators transfer important data or personal information of more than 1 million individuals cumulatively or when they transfer sensitive personal information of more than 10,000 individuals cumulatively, the Security Assessment is still required.
The Provisions also modified the calculation of cumulative number of individuals by counting from 1 January of the current year instead of the preceding year, reducing the chance of hitting the threshold for Security Assessment.
Under the Provisions, Security Assessment is not required if the important data that the data processor is transferring does not fall under the ones classified as such by official notices or published announcements made by the relevant regulatory authorities.
Exemptions under the Provisions
Non-CII data processors are completely exempted from the above three procedures if they fall under one of the following exempted circumstances :-
1. Where personal information is collected and originated by a data processor overseas and transferred into China for domestic processing before being provided abroad and no personal information or important data is introduced within the domestic processing.
2. Where personal information, not containing any important data, is transferred due to necessity for the execution and performance of a contract to which the data subject is a party, such as for cross-border purchases, deliveries, remittances, payments, account opening, hotel and air ticket reservations, visa applications, examination services, etc.
3. Where outbound transfer of employees’ personal information (not including important data) is necessary for cross-border human resource management in accordance with the applicable labour regulations and legally executed collective contracts.
4. Where outbound transfer of personal information (not including important data) is necessary for emergency situations in order to protect an individual’s life, health and safety of an individual’s property.
5. When transfer personal information (non-sensitive personal information) of less than 100,000 individuals in the current year.
6. If the data processor is within a free trade zone and the data transfer falls outside the scope of the negative list established by the free trade zone.
Otherwise, compliance with any one of the three procedures, as the case may be, should be required. Therefore, it is important to review the data to be transferred and take note of any sensitive personal or important data information within that which may fall outside any of the above exemptions.
On another note, it is now clarified in the Updated Guidelines that overseas data processing activities under Article 3(2) of the Personal Information Protection Law will be considered as cross-border data transfer.
Despite the Provisions, data processors are still required to comply with other cross-border data transfer obligations when dealing with personal information such as notifying the affected individuals, obtaining separate consent from them (where applicable) and conducting personal information impact assessments. Nevertheless, the relaxation of the cross-border data transfer rules provides a great opportunity for businesses to review, evaluate and update their data protection policies to take advantage of the more flexible rules.
If you have any questions on the above China Update or China business matters, experienced lawyers in our firm would be happy to assist you.