China’s Data Regulator Significantly Relaxes CBDT Regime

28 Mar 2024
Client Alert

After months of uncertainty, China’s data regulator, the Cyberspace Administration of China (CAC), issued the Provisions on Facilitating and Regulating Cross-Border Data Flows (促进和规范数据跨境流动规定, the Provisions) addressing a range of issues concerning China’s cross-border data transfer (CBDT) regime. The Provisions relax and clarify key elements of that regime, raising the volume threshold that triggers the requirement to conduct a security assessment for the export of personal information (PI), introducing welcome carve-outs for certain low-volume exports and for exports in certain contexts (such as HR administration), and significantly clarifying the scope of important data intended to be subject to the CBDT regime. This will ease the compliance burden for many companies in the short term and help resolve the bottleneck at CAC in its review of the large volume of applications it has already received under the old regime. But this apparent good news may also give rise to challenges.

The Provisions came into force immediately and will prevail over earlier regulations concerning CBDT in the event of any conflict or inconsistency.

China’s Evolving CBDT Regime

With promulgation of the Personal Information Protection Law (PIPL), the Data Security Law (DSL), and a raft of ancillary regulations over the last few years, the Chinese government introduced what came to be viewed in the market as an extraordinarily burdensome CBDT regime.

Under the terms of the regime as it operated before the Provisions were issued, a PI handler (broadly akin to a “controller” under the General Data Protection Regulation) needing to transfer PI or important data out of China was required to satisfy one of the following conditions:

  • pass a security assessment undertaken by CAC, which is mandatory for the export of important data or if the export of PI meets certain criteria;
  • conclude a standard contract in the form prescribed by CAC (SCCs) with the overseas recipient and complete associated filing formalities with the provincial CAC; or
  • undergo a PI protection certification conducted by a specialized agency accredited by CAC.

Due to the dearth of guidance on how to comply with these formalities, and bottlenecks within CAC in its review of those regulatory filings that were made, many PI handlers held off on completing the formalities beyond the relevant official deadlines, waiting for additional guidance. CAC issued a draft of the Provisions on September 28, 2023, which many commentators expected to be issued in final form before the end of 2023. The Provisions, although issued much later than expected, adhere closely to the September draft. The principal difference between the two is that the Provisions set separate, lower thresholds for sensitive PI.

Comparison of New and Old CBDT Regimes

The Provisions feature a number of significant relaxations from the previous regime. Key highlights include:

  • eliminating volume of PI handled as a threshold for triggering the requirement to conduct a security assessment and increasing the volume of annual PI exports that triggers this requirement;
  • excluding the necessity to conduct a security assessment for the export of important data, if the data at issue has not yet clearly been identified as important data;
  • introducing new exemptions from the need to fulfill any of the mechanisms for certain low-volume data exports and for data exports made under certain legal bases; and
  • permitting regulators of pilot free trade zones (FTZs) to promulgate special rules that will apply to transfers from those FTZs.

The following table sets out a more detailed comparison of the old and new CBDT regimes:

Security Assessment

Old Regime:

  • Export of PI by a critical information infrastructure operator (CIIO)
  • Export of PI by a PI handler that handles PI of more than one million individuals
  • Export of PI by a PI handler that, since January 1 of the previous year, has already exported (i) PI of 100,000 or more individuals or (ii) sensitive PI of 10,000 or more individuals
  • Export of important data

New Regime pursuant to the Provisions:

  • Export of PI by a CIIO
  • Volume of PI handled no longer a threshold
  • Export of PI by a PI handler that, since January 1 of the current year, has already exported (i) PI of more than one million individuals or (ii) sensitive PI of more than 10,000 individuals
  • Export of important data that has clearly been identified as important data pursuant to published rules or notice of the relevant sectoral or regional regulator

SCCs Filing / Certification

Old Regime:

A PI handler may opt to comply with either the SCCs filing or the certification mechanism when a security assessment is not triggered.

New Regime pursuant to the Provisions:

Export of PI by a PI handler that, since January 1 of the current year, has already exported (i) PI of between 100,000 and one million individuals or (ii) sensitive PI of less than 10,000 individuals. A PI handler meeting this criterion may opt to comply with either the SCCs filing or the certification mechanism.

Exemptions

Old Regime:

None. Every PI handler contemplating the export of any amount of PI or important data is required to fulfill one of the prescribed mechanisms.

New Regime pursuant to the Provisions:

Volume Exemptions: No export mechanism required for a PI handler that, since January 1 of the current year, has exported PI of less than 100,000 individuals, provided that such data do not contain any sensitive PI.

Exempted Categories of PI Export: No export mechanism required for a PI export that is undertaken on one of the following legal bases:

  • Export of employee PI that is necessary for the implementation of cross-border HR administration in accordance with lawfully formulated employment policies and rules
  • Export of PI that is necessary for the performance of a contract to which the data subject is a party, involving a service that is offered on a cross-border basis (e.g., cross-border shopping, postal or delivery service, fund remittance, overseas account opening, flight ticket and hotel booking, visa processing, and exam service)
  • Export of PI that is necessary for protecting the life, health, or safety of property of an individual in an emergency

PI that is exported under any of these three legal bases will not be taken into account in the calculation of PI export volume for the purposes of measuring against the relevant PI volume thresholds.

Special Treatment

Old Regime:

None

New Regime pursuant to the Provisions:

An FTZ may formulate its own negative list of data that is subject to data export mechanisms upon completing certain approval and filing procedures.

With its issuance of the Provisions, CAC has eased the procedural burden for companies by extending the validity period of a security assessment approval from two years to three. CAC has also streamlined filing processes by launching a web portal for the online submission of security assessment and SCCs filing applications. It remains to be seen whether (and, if so, how) CAC will also standardize and streamline its regulatory review process.

To align with the Provisions, CAC has also updated guides for security assessments and SCCs filings that set out the application process and documentary requirements for those two mechanisms. Among other updates, CAC has revised the template assessment reports under both mechanisms to clarify the scope of information required to be included. Another notable update is the addition of language that makes clear that CAC considers there to be an export of data when a foreign PI handler that is subject to the PIPL’s extraterritorial scope directly collects and processes PI from Chinese residents and requires that any such export be undertaken in reliance on one of the data export mechanisms when relevant criteria are met. However, CAC has not yet clarified how this would work in practice, for example, who the foreign PI handler should conclude the SCCs with and how it should complete the assessment report, which is designed for domestic PI handlers. We expect further guidance from CAC on this issue.

CBDT Restrictions on Important Data

Reportedly, CAC’s slowness in issuing the Provisions was due in part to competing views among regulators on how to balance the conflicting goals of boosting economic growth and strengthening national security.[1]

The requirement under the CBDT regime that a security assessment be undertaken for the export of “important data” is of particular national security importance. Yet compliance with this requirement has been virtually impossible due to the lack of clarity as to what counts as important data. The DSL calls for central government departments and local governments to issue catalogues identifying important data within their respective scopes of authority, but they have been slow to do so over the almost three years since the DSL was promulgated.

The last few months have seen a faster pace of efforts by governmental authorities to publish such catalogues. In February, authorities in both Tianjin FTZ and Lin-gang Special Area of Shanghai FTZ issued regional guidance on the identification of important data. Also, regulators in the automotive, financial, telecommunications, aviation, and certain other sectors have published rules that at least provide guidance on the criteria to be used in identifying important data. However, the process will be gradual and uncertainty as to the scope of important data will endure.

In this context, the Provisions provide meaningful comfort by expressly clarifying that data (other than PI) that has not yet clearly been identified as important data may be exported without complying with the CBDT regime. Meanwhile, data exporters ought to keep track of the fast-evolving landscape relevant to important data.

Implications of the Provisions and Remaining Challenges

The Provisions go a long way to addressing criticisms of China’s old CBDT regime. The exemption from compliance with the various regulatory filing and related requirements of the CBDT regime for companies that export only small volumes of PI is particularly welcome, as is the change in approach concerning important data. The Provisions will also help clear the bottleneck that the old CBDT regime created within CAC in its review of the large volume of applications the old regime required.

Nonetheless, data exporters should bear in mind that, by reducing its ex-ante review of data exports, CAC is not in any way exempting data exporters from other requirements of China’s CBDT regime or relinquishing its authority to scrutinize data export practices. These other requirements include:

  • providing individuals with a sufficient privacy notice that sets out the name and contact information of the overseas recipient, among other information;
  • when the initial basis for collecting relevant PI is consent, obtaining separate consent from the individual specifically relating to the PI export; and
  • conducting a PI protection impact assessment.

Through CAC’s ex-post inspections of their data handling practices, or indeed because of enforcement actions by data subjects, individual companies can be called to account for any non-compliance with these requirements. To some extent, with its issuance of the Provisions, CAC has shifted the burden to individual companies to make judgment calls as to what practices are compliant with these and other PIPL requirements. Notably, the Provisions urge local CAC branches to strengthen the supervision of data export activities of local companies. We expect that various remaining uncertainties concerning PIPL’s data export and other rules will be clarified gradually through CAC’s enforcement activity and claims pursued by individual data subjects.

As further explained in the Terms / Notices linked below, the information provided herein is not legal advice. Any information concerning the People’s Republic of China (PRC) is not an opinion on, determination on, or certification of the application of PRC law. We are not licensed to practice PRC law.


[1] See the Financial Times: China’s sluggish approval of data exports leaves companies struggling, January 3, 2024.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.
