In this Essential Guide, part of Orrick’s Cybersecurity & Privacy Compass Series, we offer insights into the Cyberspace Administration of China's (CAC) new rules and requirements for cross-border data transfers.

The Cyberspace Administration of China (CAC), the country’s data protection regulator and authority, has published long-awaited final rules to regulate and promote cross-border data flows. The rules relax requirements for data transfers for many international companies. The rules were published in March and take effect immediately.

What’s new in the rules?

The rules significantly reduce some international companies’ obligations when it comes to exporting data.

Before the change, most data processors could export data containing personal information (PI) from China in recent years through:

• A security assessment conducted by the CAC (the “CAC Security Assessment”),
• A Personal Information Protection Certification, or
• Chinese Standard Contractual Clauses (SCCs).

Given that the export of PI is common for centralized human resource management among international companies with operations in China, such companies were essentially required to at least file signed data export contracts with SCCs with local CAC authorities before the deadline of 30 November, 2023, which caused considerable anxiety among them.

The new CAC rules provide exceptions to that process. The change will allow companies to export PI, excluding important data, without using one of the three mechanisms in the following cases:

• Contractual necessity: Necessary export of PI to conclude or fulfill a contract to which the data subject is a party. Examples include cross-border shopping, mailing, payment, cross-border account creation, airline and hotel bookings, processing of visa applications, or testing services.
• International HR management: Necessary export of employees’ PI for implementing cross-border human resources management in accordance with lawfully developed internal labor rules and lawfully signed collective agreements.
• PI of less than 100,000 individuals: Export of PI (excluding sensitive personal information) of less than 100,000 individuals since 1 January of the respective year. However, this exception does not apply to PI exported by critical information infrastructure (CII) operators.

Additional exceptions include:

• Necessary export of PI in cases of an emergency to protect the life and health of natural persons and property safety (excluding important data).
• Export of data collected and generated in international trade, cross-border transportation, academic cooperation, transnational manufacturing and marketing activities (excluding PI and important data).
• (Re-)export of PI that is cumulatively collected and generated outside of China, transferred to China for processing and not combined with any PI or important data in China during processing.

What about other data transfers?

For data transfers not covered by the exceptions above, the obligation remains to use one of the three transfer mechanisms.

The rules include a consolidated and slightly updated set of provisions on the applicability of the three transfer mechanisms previously (partially) set out in the Measures for Security Assessment of Outbound Data Transfers (the “Security Assessment Measures”) and the Measures for the Standard Contract for the Export of Personal Information (the “SCC Measures”) (over both of which the Rules expressly take precedence):

• Obligation to enter into SCCs and filing signed SCCs to local CAC authorities or obtain PI protection certification – data processors (other than CII operators) exporting:
  • PI (excluding sensitive PI) of more than 100,000 but less than 1 million individuals or
  • Sensitive PI of less than 10,000 people, in each case from 1 January of the respective year.
• Obligation to undergo the CAC Security Assessment:
  • CII operators exporting PI or important data, other data processors exporting important data or other data processors exporting, from 1 January of the respective year:
    • PI (excluding sensitive PI) of more than 1 million individuals or
    • Sensitive PI of more than 10,000 individuals.

The CAC Security Assessment is valid for three years from the date of the result’s issuance. The validity can be extended by three years if the data export remains necessary and there is no need to re-file the CAC Security Assessment.

Any other requirements to be aware of?

While the major obstacles to data transfers from China are outlined above, the rules refer to further requirements which data exporters must comply with and which reflect more general compliance obligations, including:

• Compliance with statutory obligations of notification, obtaining consent and conducting PI protection impact assessments.
• Compliance with data security obligations by implementing technical and other necessary measures to ensure the security of data abroad.
• When a data security incident occurs or is likely to occur: Obligation to take remedial measures and to promptly notify the competent authorities.

Background: History of three mechanisms for exporting data from China

China’s Cybersecurity Law (CSL), effective from 1 June 2017, was the first legislation to require the CAC to conduct a security assessment of CII operators for exporting personal information or so-called important data from China. Prior to this, data export restrictions had only been sporadically provided in regulations related to certain sectors, such as finance and healthcare.

China’s Data Security Law, which took effect in 2021, reiterated the CAC Security Assessment requirement for CII operators to export important data. It also directed the CAC and other departments to develop regulations on the cross-border transfer of important data by data processors (i.e., in GDPR terms, data controllers) other than CII operators.

Around the same time, China’s Personal Information Protection Law provided the three alternative mechanisms for exporting PI from China (the CAC Security Assessment, a Personal Information Protection Certification or the Chinese SCCs).

Rules to implement these mechanisms were set out in 2022:

• CAC Security Assessment
  • On 7 July 2022, the CAC published the final version of the Security Assessment Measures. It provided that the CAC Security Assessment requirement only applies to the export of important data, the export of PI by CII operators or for other data processors, if quantitative thresholds of affected individuals are met.
• Personal Information Protection Certification
  • On 24 June 2022, China’s National Information Security Standardization Technical Committee released the final version of the “Cybersecurity Standards Practice Guide – Technical Specifications for the Security Certification of Personal Information Cross-Border Processing.”
  • On 18 November 2022, China’s State Administration for Market Regulation and the CAC released the “Implementation Rules of Personal Information Protection Certification.”

• Standard Contractual Clauses
  • On 22 February 2023, the CAC released the SCC Measures and the SCCs, effective from 1 June 2023.
    • Data processors other than CII operators may use SCCs to export PI if none of the quantitative thresholds of affected individuals – they are the same as those set forth in the Security Assessment Measures – is met.
    • Essentially, the use of SCCs (and Personal Information Protection Certification) is only allowed if the CAC Security Assessment requirement does not apply.
    • The SCC measures provide for a six-month grace period (ending on 30 November 2023) for PI exports commenced prior to 1 June 2023. Also, signed data export contracts with the SCCs need to be filed with the local province-level CACs.