On September 28, 2023, the Cyberspace Administration of China (CAC) released draft Provisions on Regulating and Promoting Cross-Border Data Flows (see the Chinese version and the unofficial English translation) for public comments. The commenting period ends on October 15, 2023. While this draft is subject to change after the commenting period, it is worth taking a look to see where the CAC is aiming. Overall, the good news is that the CAC appears to be loosening its cross-border data transfer requirements. In particular, as identified in more detail below, transfers of employees’ personal information for necessary human resources (HR) management purposes will be exempted from adopting a transfer mechanism. Further, the threshold triggering a CAC security assessment is significantly raised, which means that a number of transfers that would be subject to CAC’s prior approval under the current regulatory framework could be exempted from such a requirement in the future.

As discussed in our previous posts (see this October 2022 post and this March 2023 post), under China’s current cross-border data transfer regulatory framework, organizations processing personal information or “important data” must comply with one of the three available lawful transfer mechanisms:

• A security assessment conducted by the CAC: applicable to organizations (i) transferring “important data” outside of China; or (ii) meeting certain thresholds for the personal information processing and transferring activities; or
• A standard contract released by the CAC (SCC) or a certification issued by a qualified certification agency: applicable to organizations that are not mandated to undergo a security assessment.

These draft provisions clarify a few issues that are currently in a “gray area” (e.g., how to determine if “important data” is transferred) and also provide a number of important exemptions to the adoption of a transfer mechanism. 

Key takeaways

The following processing and transferring activities are exempted from adopting a transfer mechanism:

• No personal information or “important data” is transferred overseas. The draft provisions clarify that if no personal information or “important data” is included in the data set that will be transferred overseas, no transfer mechanism is required.
• Transfer of “important data.” A security assessment for the transfer of “important data” should only be triggered if the data transferred falls into the scope of “important data” that has been publicly announced (e.g., the Several Provisions on the Management of Automobile Data Security, at a high level, set out certain types of “important data” in the automobile sector) or specifically notified to the exporter by the government authority.
• Personal information collected or generated outside of China. If an organization stores personal information not originating in/from China on servers in China, it does not need to adopt any transfer mechanism when transferring such personal information outside of China.
• Transfer of less than 10,000 individuals’ personal information within one year. If an organization anticipates that it will transfer personal information of less than 10,000 individuals within one year, it does not need to adopt any transfer mechanism. To the extent that the organization relies on consent as its legal basis under Article 13 of China’s Personal Information Protection Law, it must still obtain a separate consent from individuals for the transfer.
• Transfer of more than 10,000 but less than 1,000,000 individuals’ personal information within one year. If an organization anticipates that it will transfer personal information of more than 10,000 individuals but less than 1,000,000 within one year, it is not mandated to undergo a CAC security assessment and can choose to adopt either the SCC or certification as its transfer mechanism.
• Exempted transfers. An organization does not need to adopt any transfer mechanism for the following transfers:
  • Transfers necessary for the conclusion or performance of contracts with data subjects. A transfer mechanism is not needed for a transfer if it is necessary for the conclusion or performance of a contract to which the data subject is a party. Examples of this exemption include necessary transfers for cross-border e-commerce, cross-border wire transfers, booking flight tickets and hotels, and visa applications.
  • Transfers necessary for HR management purposes. A transfer mechanism is not needed for transfers of employees’ personal information that are “necessary” for HR management purposes in accordance with the employer’s internal labor policies or collective contracts lawfully formulated or concluded under Chinese labor laws.  However, it is currently unclear if personal information of nonemployee contractors also will be exempted.
  • Vital interest in emergencies. No transfer mechanism is needed when the transfer is necessary for the protection of life, health and property safety of natural persons in emergencies.
• Free Trade Zone “negative lists.” In addition to the exemptions and clarifications discussed above, the draft provisions also grant China’s Free Trade Zones (FTZs) the power to publish their own “negative lists” within respective FTZs. For data that falls beyond the scope of such a negative list, its transfer will not be subject to the requirement for adopting a transfer mechanism. China currently has more than 20 FTZs located in multiple provinces, which could potentially result in “competitions” among FTZs to attract businesses to be incorporated within their zones.

What’s next?

It is currently unclear when the CAC may issue the final version of these provisions, but it is possible that they could be finalized before November 30, 2023, which is the deadline for the grace period of the SCC filing requirements. Companies conducting cross-border data transfer activities should evaluate whether any of the exemptions may be applicable and closely monitor the development of the draft provisions.

[View source.]