Bytes Without Borders: China Relaxes Cross-Border Data Transfer Rules

Kevin Duan and Yuting Wang of Han Kun Law Offices in Beijing discuss China’s recent regulatory changes to cross-border data transfers, highlighting exemptions and updated standards. Their analysis delves into the implications for multinational corporations, offering insights into compliance measures and advice on how to navigate the evolving regulatory landscape.

Published on 15 May 2024
Kevin Duan, Expert Focus Contributor, Han Kun
Kevin Duan

Ranked in Chambers Greater China Region Guide

View profile

The regulatory framework governing data export, established under the Personal Information Protection Law, has been implemented through rules such as Measures on Security Assessment for Data Cross-border Transfers and Measures on the Standard Contract for Cross-border Transfer of Personal Information. Despite these efforts, enterprises, especially multinational corporations (MNCs), continue to encounter various practical challenges during security assessment or standard contract record-filing procedures. These challenges include the lengthy security assessment application and rectification process, uncertain approval standards, and difficulties in obtaining separate consent due to the unique characteristics of certain industries.

In a clear demonstration of the Chinese government’s commitment to boosting economic globalisation and improving the foreign investment climate, the Cyberspace Administration of China (CAC) released the Provisions on Promoting and Regulating Cross-border Data Flows (the “CBDT Provisions”) on 22 March 2024. These regulations significantly ease the compliance burden on data handlers by eliminating procedural requirements in certain exempted scenarios, while maintaining oversight over important data and critical information infrastructure operators (CIIOs). Additionally, these provisions update numerical thresholds that trigger government approval for data exports and introduce preferential treatment for free trade zones (FTZ). These changes, compared to the previous rules, create a more favourable environment for data transfers, and reflect the Chinese regulator’s determination to facilitate global data flow and utilisation.

Exempted Scenarios

The CBDT Provisions introduced several significant changes to the existing regulatory framework for cross-border data transfers.

According to Articles 3-5 of the CBDT Provisions, the following scenarios are exempted from undergoing a data export security assessment, entering into and filing standard contracts for personal information (PI) cross-border transfers (“Standard Contract”), or undergoing a PI protection certification (collectively “CBDT Procedures”). The exempted scenarios include those data flow scenarios that are highly necessary and common for MNCs.

Cross-border transfer of non-regulated data

Data export not involving PI or important data would be exempted from the CBDT Procedures.

International transfers with stopovers in mainland China

The offshore provision of PI that is collected and generated overseas and then processed within mainland China would be exempted from the CBDT Procedures if the processing does not introduce domestic PI or important data.

Contract performance scenarios

The CBDT Provisions exclude scenarios in which PI must be exported for the purpose of entering into and performing a contract to which a PI subject is a party. Several examples are listed by the CBDT Provisions, such as cross-border shopping, cross-border mailing, cross-border remittance, cross-border payment, cross-border account opening, airline tickets and hotel reservations, visa processing, examination services, etc.

HR scenarios

PI of an employer’s employees may be exported without undergoing CBDT Procedures if the export is necessary for HR management and is implemented in accordance with the employer’s lawfully formulated rules and lawfully executed collective contracts. This would significantly ease the compliance burden on MNCs, given the near inevitability of exporting PI to overseas headquarters and affiliated companies for HR management purposes. However, this clause should be interpreted strictly. For example, the export of PI relating to job candidates who have not yet entered into labour contracts with employers might be excluded from this exemption.

Emergency scenarios

No CBDT Procedure would be required in emergencies where it is necessary to export PI to protect the life, health, and property security of natural persons.

Minimal amount of non-sensitive PI

Data handlers other than CIIOs would be exempted from the CBDT Procedures if they transfer non-sensitive PI of less than 100,000 individuals since 1 January of the current year.

Exceptions for FTZs

FTZs are established across China as testing grounds for special regulations where qualified companies can leverage these regulations to promote economic growth. Under the new CBDT regulations, each FTZ would be empowered to formulate special data export mechanisms that further relax the data export requirements. One such mechanism is a data export negative list, which would be a shortened list of data that is subject to data export security assessment, Standard Contract record filing, or PI protection certification compared to non-FTZs. Data export falling outside the negative list would be exempted from the CBDT Procedures.

On 8 February 2024, Shanghai FTZ published trial regulations that classify the to-be-exported data into three levels – ie, core data, important data and general data. Each category entails varying compliance obligations. Tianjin FTZ published similar rules on 5 February 2024, providing additional guidance on data categorisation and identification of important data within Tianjin FTZ. MNCs may keep close contact with the FTZ administration committees to leverage this preferential treatment.

Updated Standards to Determine the Appropriate CBDT Procedures

The CBDT Provisions update the regulatory regime regarding cross-border transfers of non-sensitive PI, while upholding the numerical standards regarding sensitive PI.

A Security Assessment applies to cross-border transfers of:

  • PI or important data conducted by CIIOs;
  • important data conducted by data handlers other than CIIOs, or
  • non-sensitive PI conducted by data handlers other than CIIOs concerning more than one million individuals (excluding sensitive PI) or sensitive PI concerning more than 10,000 individuals.

A Standard Contract record filing or a PI protection certification applies to cross-border transfers by data handlers other than CIIOs concerning:

  • non-sensitive PI of more than 100,000 individuals but less than one million individuals; or
  • sensitive PI of less than 10,000 individuals.

When applying these standards and calculating the CBDT volume, it is to be noted that:

  • the exempted scenarios and FTZ rules under Articles 3-6 of the CBDT Provisions prevail over these numerical standards;
  • instead of considering the quantity of PI a PI handler currently possesses, the sole criterion for assessing the need for any CBDT Procedures is the accumulated PI export volume since 1 January of the current year; and
  • PI reaching a certain amount (eg, 100,000 or one million) would be deemed as important data under sector-specific or regional rules; in such cases, a security assessment would apply.

FAQ

We have summarised below some FAQ to better illustrate the impact of the CBDT Provisions on data handlers.

“Data handlers must continue to abide by the three fundamental principles of legality, legitimacy, and necessity”.

Which compliance measures should be taken regarding cross-border data transfers that fall under the exempted scenarios?

The CBDT Provisions aim to simplify the relevant administrative approval and certification procedures for data export, but this does not imply a reduction in compliance obligations. Thus, data handlers exporting PI must continue to abide by the three fundamental principles of “legality, legitimacy, and necessity” to mitigate interim and post-regulatory risks associated with data export activities. Such compliance measures include conducting PI protection assessments and implementing technical and organisational data protection measures.

Will any CBDT Procedures be triggered if the PI export volume under the exempted Contract Performance Scenarios or HR Scenarios exceeds the 100,000 or one million threshold?

Normally, CBDT Procedures would be exempted under the Contract Performance Scenarios or HR Scenarios, regardless of the PI export volume. In other words, no security assessment would be applicable even if the data handlers annually export PI of more than one million individuals, as long as the PI export qualifies as an exempted scenario.

Will any CBDT Procedures be triggered if the PI export under the exempted Contract Performance Scenarios or HR Scenarios involves any sensitive PI?

If the PI export under such exempted scenarios involves sensitive PI but no important data, then the CBDT Procedures would still be exempted, as according to Articles 7 and 8 of the CBDT Provisions, for situations stipulated in Articles 3, 4, 5, and 6, such provisions shall prevail.

How should data handlers proceed with the pending procedures of security assessments or Standard Contract record filings with respect to the exempted scenarios?

According to the press conference held by the CAC, if it is not necessary to carry out the CBDT Procedures in accordance with the CBDT Provisions, the data handler may proceed in accordance with the original procedures, or it may withdraw the declaration and file with the local provincial cyberspace department.

Han Kun Law Offices

Han Kun logo, Chambers Expert Focus contributor
16 ranked departments and 33 ranked lawyers

Learn more about the firm's ranking in Chambers Greater China Region

View firm profile

Chambers In Focus Newsletter

Sign up for our newsletter and never miss out on thought leadership content from legal experts and the key stories driving the legal profession forward.
Sign up here