On September 28, 2023, the Cybersecurity Administration of China (the “CAC”) published a set of draft Provisions on Regulating and Promoting Cross-border Data Transfer (the “Draft Rules”) to solicit public comments. It has not been publicly announced when the Draft Rules will come into effect. Some legal practitioners speculate that they would take effect before the expiration of the grace period for filing the standard contracts as stipulated in Measures on the Standard Contract for Cross-Border Transfer of Personal Information[i]. However, these remain speculations and are not confirmed by the authorities in any official announcement.

The Draft Rules intend to implement, if adopted, certain rules relating to cross-border data transfer. Specifically, the Draft Rules have outlined certain circumstances under which a company’s cross-border data transfer will not require security assessment, the execution of a standard contract or obtaining of the certification for personal information protection. In general, the Draft Rules, if adopted, would likely reduce the compliance burden for some companies in connection with cross-border data transfer. 

We list below some provisions of the Draft Rules that will most likely reduce the compliance burden faced by companies with respect to cross-border data transfer:

1. If a company needs to transfer data abroad, and any of the following circumstances exists, then such company is not required to apply for security assessment for the data, to execute a standard contract, or to pass the certification for personal information protection:
   • The data to be transferred is generated in international trade, academic cooperation, transnational manufacturing and marketing, and does not contain personal information or important data.
   • The data to be transferred is personal information that is not collected or generated in China. 
   • The data to be transferred is personal information of an individual that must be transferred abroad for the execution and performance of a contract to which such individual is a party, such as in the case of cross-border shopping, cross-border remittance, air tickets and hotel booking, and visa processing, etc.
   • The data to be transferred is personal information of the company’s employees that is necessary to be transferred abroad for the human resources management in accordance with the labor regulations and rules formulated in accordance with the law and collective contracts executed in accordance with the law.
   • The data is personal information that must be transferred abroad to protect the life, health and property safety of natural persons in an emergency.
2. As long as the data has not been designated by competent authorities or publicly announced as “important data”, the relevant data handler is not required to apply for security assessment for such data.
3. If a company estimates that the personal information to be provided abroad within one year is of less than 10,000 individuals, then such company is not required to apply for security assessment for the data to be provided abroad, to conclude a standard contract for outbound provision of personal information or to pass the certification for personal information protection. However, if such information is to be provided abroad based on the consent of such individuals, the consent from the personal information subjects shall be obtained.
4. If a company estimates that the personal information to be provided abroad within one year is of more than 10,000 but less than one million individuals, and the company has concluded with the overseas recipient of the information a standard contract for the provision of personal information abroad and has filed such contract for the record with the cyberspace administration at the provincial level, or has passed the certification for personal information protection, then the company is not required to apply for security assessment for the data to be provided abroad. However, if such information is to be provided to overseas parties based on the consent of such individuals, the consent from the personal information subjects shall be obtained.
5. If a company estimates that the personal information to be provided abroad within one year is of more than one million individuals, then the company shall apply for security assessment for the data to be provided abroad. If such information is to be provided to overseas parties based on the consent of such individuals, the consent from the personal information subjects shall also be obtained.
6. The Free Trade Zones (the “FTZs”) can formulate a list of data, the cross-border transfer of requires the relevant data handler to apply for security assessment for the data to be provided abroad, to conclude a standard contract for personal information to be provided abroad or to pass the certification for personal information protection. Data that is not in the aforesaid list can be transferred abroad without such pre-requisites.

FOOTNOTES

[i] For the cross-border transfer of personal information that has already occurred before June 1, 2023, rectification should be completed within 6 months after June 1, 2023.

[View source.]