China finalizes its Provisions to Promote and Regulate Cross-Border Data Transfers

Hogan Lovells (co-author: Tang Ying)

On 22 March 2024, the Cyberspace Administration of China (“CAC”) finalized its Provisions to Promote and Regulate Cross-Border Data Transfers (“Final Provisions”). The Final Provisions were long anticipated following a public consultation on draft provisions in the autumn of 2023.


By introducing a number of exemptions to China’s restrictions on cross-border personal data flows, the Final Provisions will be welcomed by international organizations whose data flows fall within the scope of the exemptions.

At the same time, the CAC also released the Guidelines to the Application for Security Assessment of Data Exportation (Second Edition) and the Guidelines to the Filing of Standard Contracts for Exportation of Personal Information (Second Edition) (collectively, “Second Edition Guidelines”), which provide additional detailed guidance on procedural matters associated with China’s data export controls.


Amended Data Volume Thresholds for Data Transfer Review

PRC law requires organizations to obtain data subjects’ “separate consent” to transfers of personal data from mainland China and do one of the following:

(i) complete a security assessment conducted by the CAC (“Security Assessment”);

(ii) obtain certification for the transfer by a third party professional institution (“Third Party Certification”); or

(iii) enter into standard contractual clauses (“SCCs”) with the offshore data recipient and file these terms with a personal information protection impact assessment (“PIPIA”) report

((i) to (iii) referred to as “Data Transfer Review” in this briefing).

The Final Provisions do not change the basic requirements of Data Transfer Review, but do introduce some important exemptions that will benefit some organizations transferring personal data from the PRC. With the Final Provisions taking effect, Security Assessments (the most rigorous form of Data Transfer Review) will only apply to data transfers undertaken:

(i) by operators of critical information infrastructure (“CIIO”) transferring any personal information or “important data”; and

(ii) by other organizations that, from 1 January of the current year have cumulatively made international transfers of personal information (excluding sensitive personal information) of more than one million individuals or sensitive personal information of more than 10,000 individuals.

The Final Provisions have introduced a 10,000 data subject threshold for Security Assessment in respect of transfers of sensitive personal information and adjusted the reference period for assessing whether or not these thresholds have been met. Previously, organizations would look back to 1 January of the preceding year to assess data transfer volumes, meaning that the assessment period ultimately ranged between 12 and 24 months. The thresholds have now been adjusted so that the assessment is made within the then current year.

Organizations that have cumulatively transferred non-sensitive personal information of more than 100,000 but less than 1 million individuals or transferred sensitive personal information of less than 10,000 individuals are required to complete one of the other two forms of Data Transfer Review: i.e., either obtaining a Third Party Certification or entering into and filing SCCs.

Organizations that have cumulatively transferred non-sensitive personal information of less than 100,000 individuals are exempt from Data Transfer Review altogether. The Final Provisions therefore demonstrate the Chinese government’s strict approach to the regulation and protection of sensitive personal information, placing more pressure on China’s broad and potentially open-ended definition for that term. Businesses transferring sensitive personal information of less than 10,000 individuals must either obtain the Third Party Certification or make an SCC filing.

The Final Provisions also extend the validity period for a completed Security Assessment from two years to three years, with the ability to extend for another three years with the CAC’s approval.

At a Glance – Current Thresholds Triggering Data Transfer Review

| Data exporter | Data type | Security Assessment | Third Party Certification / SCCs |
| --- | --- | --- | --- |
| CIIOs | Important data | Y | N |
| CIIOs | Personal data | Y | N |
| Non-CIIOs | Important data | Y | N |
| Non-CIIOs | Personal data | 1. Non-sensitive personal data of more than one million individuals; or 2. Sensitive personal data of more than 10,000 individuals. | 1. Non-sensitive personal data of more than 100,000 but less than 1 million individuals; or 2. Sensitive personal data of less than 10,000 individuals. |

Exemptions to Data Transfer Review Introduced for Personal Data

In addition to making adjustments to the thresholds for Data Transfer Review, the Final Provisions also update exemptions to Data Transfer Review first proposed in the draft published last autumn:

  • In addition to exempting data generated during activities such as international trade, academic cooperation, cross-border manufacturing and marketing which do not contain personal data or important data, the Final Provisions exempt transfers of data related to cross-border transportation.
  • The Final Provisions specify that personal data collected and generated overseas and subsequently transferred to China for processing would be exempted, provided that no domestic personal information or important data is introduced during the processing (an exemption that is most likely meant to address situations in which China-based shared services operations and outsourcing arrangements process data originating from outside mainland China).
  • The Final Provisions supplement the proposed exemption for “contractual necessity” where it is necessary to provide personal data overseas for the conclusion or performance of a contract to which the data subject is an interested party, including cross-border shopping, cross-border payment, cross-border account opening, and examination services.

Clarification in Relation to Important Data

The Final Provisions follow the draft measures in requiring organizations to identify and report their processing of important data in accordance with applicable rules and regulations. However, in a relaxation that may prove to be significant, unless industry regulators or other officials have published or notified industry participants of a particular type of data as being important data, the Security Assessment procedure will not apply.

The topic of “important data” continues to cloud China’s data regulation landscape, with concerns that the broadly defined concept may stifle cross-border business operations across a wide range of activity. There has been some movement to define “important data”, with a number of industry regulators consulting on data catalogues and classification rules. The recently published national standard, GB/T 43697-2024 Data security technology — Rules for data classification and grading, also provides identification guidelines for important data. For the time being, at least, organizations in non-sensitive industries are not required to make their own assessment of what important data might be in the context of cross-border transfer regulations.


Free Trade Zones’ Negative Data List

The Final Provisions enable Free Trade Zones (“FTZs”) to formulate their own “negative data lists” stipulating the types of data which are subject to Data Transfer Review. These lists must be prepared in accordance with the national data classification protection framework and may only be implemented with the approval of the provincial CAC. Data exporters based in FTZs would be exempt from performing Data Transfer Review provided that the data does not appear on the negative list.

The Tianjin and Shanghai FTZs have taken the lead in exploring measures to promote cross-border data transfer. In February, these FTZs issued measures for data classification and grading. Organizations based in FTZs are advised to closely monitor developments with a view to taking advantage of FTZ policies where they are beneficial.


Key Takeaways from the Second Edition Guidelines

The Second Edition Guidelines raise a number of important practical points for data exporters:

  • New online filing system: To facilitate applications for Security Assessment and the filing of SCCs, an online filing system is now available for non-CIIOs [1] (CIIOs are still required to make physical, onsite submissions for their Security Assessment applications).
  • Direct offshore collection: It is now explicit that direct collection of personal data by an offshore entity subject to the PIPL’s extra-territorial effect is deemed to be data exportation, and so subject to Data Transfer Review as applicable.
  • Calculation of the exported data volumes: When preparing the PIPIA report accompanying an SCC filing, data exporters should estimate the volume to be transferred overseas for the coming three years (as opposed to the two-year period under previous measures). The Final Provisions also clarify that the amount of data that falls under the exemption scenarios can be excluded from accumulated data volumes when evaluating the threshold.
  • Simplified application documents: The Second Edition Guidelines reduce the detail required in application documents. For example, the updated PIPIA report template for SCCs filing consolidates and reduces the original four major sections and eight subsections into two major sections and four subsections.

Implications for China Compliance Programs

The Final Provisions formalize some long-anticipated exemptions to Data Transfer Review that will no doubt be welcomed by organizations in a position to benefit. However, it is important to understand that even where exemptions to Data Transfer Review apply, organizations are still required to comply with their obligations under the PIPL. For example, an organization exempt from the requirement to file their SCCs with a PIPIA report is still required to complete and execute the contract and work through the report. More broadly, the Final Provisions do not create general exemptions to PIPL requirements. Organizations are still obliged to perform the broad range of statutory compliance obligations under PIPL, including notifying data subjects and obtaining their separate consent to the international transfer, leaving much work still to be done.

References

[1] https://sjcj.cac.gov.cn


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
