China’s Most Recent Efforts to Rebalance Security and Economic Development Through Data
Raymond Wang and Yihan Zang of Shihui Partners discuss the latest cross-border data transfer rules of China, in light of the country’s policy goals and hybrid challenges.
As China steps into 2024, it faces a world vastly different from that of 2021, when it introduced its initial cross-border data transfer (CBDT) framework. On the west coast of the Pacific Ocean, China is still struggling to realise its post-COVID-19 economic recovery goals. On the east coast, generative AI has heralded a potential new wave of industrial revolution, while China grapples with imposed restrictions on accessing advanced computing power. Similar restrictions are being extended to data, the “ingredients” of AI products and high-tech competition, as more countries abandon the concept of free flow and embrace protectionism.
In the past three years, more geopolitical bridges were demolished and more walls erected, and China now encounters escalating pressure in both security and economic development. It is compelled to strike a new, more intricate balance when reassessing its CBDT benchmarks, which were previously deemed overly security-focused and burdensome to multinationals. That explains why the Cyberspace Administration of China (CAC) attracted so much attention when releasing its long-awaited Rules on Facilitating and Regulating the Cross-Border Flow of Data (the “Rules”) on 22 March 2024.
What do the Rules bring?
The Rules have responded to the pleas from multinationals and industry associations with a moderate relaxation of the lengthy government review processes for CBDT, namely the more complex data export security assessment process and the slightly more accommodating SCC filing process (the third option, personal information protection certification, is not yet a mature option in practice). The relaxation comes primarily in the following ways:
Firstly, the Rules stipulate that data controllers can bypass the government review process if one of the following exemptions applies to their CBDT of personal data:
- Scenario-based exemptions – no government review is required, if:
  - the data subject to CBDT is purely in-transit from other countries;
  - CBDT is necessary for the conclusion or performance of a cross-border contract to which the data subject is a party;
  - CBDT is necessary for cross-border human resources management in accordance with lawful labour policies or collective contracts; or
  - CBDT is necessary for protecting an individual’s life, health, or property safety in an emergency.
- Volume-based exemptions – in the absence of applicable scenario-based exemptions, government review is required only where a controller’s annual volume of personal data subject to CBDT hits one of the thresholds summarised below:
No of Data Subjects Whose Sensitive Personal Data are Exported (rows) / No of Data Subjects Whose Non-sensitive Personal Data are Exported (columns) | 1–99,999 | 100,000–999,999 | 1,000,000+ |
---|---|---|---|
0 | N/A | SCC Filing/Certification | Security Assessment |
1–9,999 | SCC Filing/Certification | SCC Filing/Certification | Security Assessment |
10,000+ | Security Assessment | Security Assessment | Security Assessment |
Secondly, the Rules enable free trade zones (FTZs) in China to formulate their respective negative lists within the national framework of data classification and grading. Controllers located in the FTZs can skip the government review process, as long as the data subject to CBDT are not on the negative lists.
Thirdly, the Rules alleviate some of the burden on the controllers by streamlining the requirements on the application materials (eg, the application forms and the self-assessment reports).
What remains unchanged?
Perhaps the intricacy of the Rules is best illustrated not by what has been relaxed, but by what remains unchanged.
The enumerated scenario-based exemptions suggest that China is less likely to introduce in the near future a more holistic exemption to satisfy multinationals’ broader intra-group management needs. This presumably reflects China’s concern over the potential circumvention of the general rules by abusing the broader exemption. Some of the listed exemptions can apply quite narrowly. For instance, the legal community generally agrees that the cross-border contract exemption would not apply to a China subsidiary’s transfer to its foreign headquarters of the personal data generated from its transactions contracted and performed in China, because such transfer is not considered “necessary”.
The Rules can be described as China’s efforts to ease restrictions on CBDT of non-sensitive data by non-sensitive controllers. Therefore, if the controllers are themselves sensitive, eg, if they are designated as “critical information infrastructure operators” (CIIOs), or if the exported data are either “important data” or “sensitive personal data”, the prior government formalities largely remain intact. In particular, in terms of the volume-based exemptions, it is noteworthy that even under the new framework, export of “sensitive personal data” of a single individual is enough to trigger the government review process, which requires, among other things, the foreign recipient’s full commitment to the data security and data privacy obligations stipulated in a government-issued template agreement, and an assessment of the recipient’s data security capabilities. Because the definition of “sensitive personal data” explicitly includes an individual’s biometrics, medical health, financial accounts, and personal whereabouts, many industries, such as financial services, life sciences, e-commerce, and automated driving, are less likely to benefit from the volume-based exemptions.
What to expect next?
While the Rules are released by the CAC, they are the products of close inter-agency consultation and deliberation, and reflect the best pragmatic compromise among the official stakeholders. The Rules show that China’s CBDT framework is moving from a security-centric approach towards a more balanced, risk-based approach, but it is not difficult to perceive that they still hold the line by retaining almost all major security controls.
It remains to be observed how the Rules will be implemented in practice, as there is still ample room for interpretation and discretion. For instance, while one may be interested in learning the breadth of the future negative lists, it is equally important to observe their coverage – the extent to which companies registered outside of FTZs can take advantage of the preferential treatment given to their affiliates registered therein.
As the Rules have just been rolled out, it may take some time for the implementation benchmarks to stabilise, at least for a certain period, until they are further affected by international economic and geopolitical developments. The rebalance is most likely to be a dynamic calibration process.