At a Glance

• On September 28, 2023, China’s data protection and cybersecurity regulator — the Cyberspace Administration of China — released the draft provisions on Regulating and Facilitating Cross-Border Data Flow for public consultation.

On September 28, 2023, China’s data protection and cybersecurity regulator — the Cyberspace Administration of China (CAC) — released the draft provisions on Regulating and Facilitating Cross-Border Data Flow (Draft Provisions) for public consultation. The consultation period is open until October 15, 2023. No date has been specified for implementation of the Draft Provisions, but with the grace period for filing of standard contracts expiring November 30, it can be logically anticipated that new rules would be finalized by then. This article offers the key highlights and our observations of the new Draft Provisions.

The data export from China is currently subject to fulfilling any of the three conditions: completing a security assessment, entering into and filing standard contract or obtaining a personal information protection certification (Data Export Requirements).

Proposed Exemptions to Current Data Export Requirements

Under the Draft Provisions, transfers of the following data would be exempt from the Data Export Requirements:

• Data that is collected or generated during international trade, academic cooperation, cross-border manufacturing and marketing which does not contain personal information or important data.
• Personal information exporting that is necessary for the conclusion or performance of a contract to which the personal information subject is a party, such as cross-border shopping, payments, ticket and hotel bookings, visa applications, etc.
• Employee data transfers necessary to implement HR management according to employment policies legally implemented and collective labor contracts.
• Exporting personal information for purposes of protecting individuals’ life, health, or property security in emergency situations.
• Personal information not collected within mainland China subsequently transferred offshore.
• Organizations estimating to export the personal information of less than 10,000 individuals within a one-year period.

The Draft Provisions also provide a partial exemption for organizations that, within a one-year period, estimate to export personal information of more than 10,000 individuals but less than one million, which would be subject to filing of executed standard contracts with the provincial level CAC or passing the personal information protection certification, instead of currently as required to complete a security assessment.

Important Data Clarification

Currently, organizations seeking to transfer important data abroad are required to complete a security assessment. The practical challenge remains that important data is not sufficiently defined to enable businesses to understand what types of data trigger the security assessment requirement. The Draft Provisions now provide that unless the data to be transferred out of China has been designated as “important data” by relevant PRC regulators, businesses would not be required to go through the security assessment procedures related to outbound export of that data.

Free Trade Zone’s Negative Data List

The Draft Provisions propose that Free Trade Zones (FTZs) can, with the approval of the provincial CAC, formulate their own “negative data lists” stipulating the types of data subject to the Data Export Requirements. Data that is not on the negative list would be exempt from the Data Export Requirements, indicating that data processors in FTZs might benefit from even relaxed requirements.

Our Observations

The Draft Provisions propose a number of exemptions for businesses which would otherwise be subject to the existing data export mechanisms, and will likely have a substantial impact, if adopted and implemented substantially in its current form, on many international organizations’ ongoing Data Export Requirements projects. It seems likely that the Draft Provisions are a reaction to the difficulties reported by many organizations struggling to comply with the Data Export Requirements in practice and also an echo to the recent Greater Bay Area’s data flow initiative and the State Council’s Opinions on Boosting Foreign Investment.

However, certain aspects of the Draft Provisions would still need to be further clarified or interpreted by the CAC, such as how to decide the starting point of one-year period for counting the numbers of individuals’ personal information to be transferred and clarifying whether the numbers of employees’ personal information exempted in the Draft Provisions should be included into the calculation of data to be transferred out of China in the preceding year. Also, in the absence of an express test as to what amounts to “necessity,” a question remains as to what HR management activities can be justified in the practice of exporting personal information offshore.

It is essential to understand that the exemptions under the Draft Provisions only apply to the data export mechanisms under the Personal Information Protection Law (PIPL) and outbound data transfers from China will still be subject to complying with the requirements under the PRC data privacy laws. In essence, organizations still need to follow the compliance requirements pursuant to the PIPL as the Draft Provisions emphasize the regulators’ attention on supervising data compliance activities in China:

• Having a legal collecting and processing basis such as obtaining consent from data subjects, and separate consent to cross-border data export activities if the data is collected based on consent.
• Justifying the HR management activities which need to collect and process personal information in the employee handbook or other labor/employment policies.
• Providing necessary information notices and policies specific to the cross-border personal information export activities.
• Notably, conducting the PIA on the personal information or other regulated data export activities and documenting the relevant data processing activities.