On March 22, 2024, following nearly six months after the publication of the Provisions on Promoting and Regulating Cross-border Data Flows (Draft for Solicitation of Comments), the Cyberspace Administration of China (“CAC”) officially released the Provisions on Promoting and Regulating Cross-border Data Flows (“the Provisions”), which came into immediate effect. In accordance with the Provisions, CAC has also issued the "Guidelines for Data Export Security Assessment Declaration (Second Edition)" and the "Guidelines for Filing Standard Contracts for Personal Information Export (Second Edition)."

In looking to establish more clarity and certainty, the Provisions substantially alleviate the compliance obligations for enterprises regarding cross-border data transfers. This is done by introducing exemptions for cross-border compliance obligations and refining the conditions triggering the more onerous obligations of security assessments, standard contracts, and certifications which would be required absent the exemptions. This creates a more favorable business environment for enterprise development and a more relaxed regulatory environment for cross-border data flows.

The Exemptions for HR Data Transfer Scenarios

One of the exemptions in (Article 5(2)) can now be particularly applied to Chinese companies who export employees’ information to parent companies overseas or a third-party platform for human resource management purposes. Note that the exemption only applies when it is genuinely necessary to transmit employees’ personal information abroad for a cross-border human resources management purpose. The exemption will be operative when such transfers align with legally established employment regulations and collective contracts, noting that “personal information provided abroad” in this context excludes data categorized as “important data” (e.g., genetic health data, etc.).

How to Qualify for the HR Scenarios Exemption?

While this exemption relieves the data handler from certain compliance measures, such as formal security assessments, standard contracts for personal information export, or passing authentication for the protection of personal information, they do not release the company from all corporate liability in data transfer activities. To be successfully qualified for these exemptions under these newly released provisions, the company still needs to complete compliance measures before data exportation in order to demonstrate the legality, reasonableness, and necessity of outbound transfer of employees' personal information. For example, businesses should have their counsel undertake the following:

1. Comprehensive Analysis of Outbound Scenarios: Assisting companies in conducting a thorough examination on various scenarios involving the processing, fields, and purposes of employees' personal information outbound activities. This comprehensive analysis ensures a thorough understanding of outbound activities related to employees' personal information, which can be subsequently reflected in the assessment report (as mentioned in point 5 below).
2. Review of Existing Employment Contracts, Regulations, or Collective Agreements: Assessing the legality and effectiveness of existing labor contracts, regulations, or collective agreements to ensure these documents comply with legal requirements and support the legitimacy of outbound activities related to employees' personal information.
3. Verification of Outbound Scenarios: Verifying whether all outbound scenarios and fields identified in the first phase can be fully covered by existing labor contracts, regulations, or collective agreements as the legal basis for processing. In case of any non-compliance, it is necessary to supplement/revise the corresponding documents (which we have indicated under point 4 below).
4. Drafting/Revising "Employee Personal Information Handling Rules": Drafting or revising internal rules governing the handling of employee personal information, including all aspects related to personal information outbound activities. Ensuring that these rules fulfill the obligation to inform employees comprehensively.
5. Personal Information Protection Impact Assessments: Conducting a “Personal Information Protection Impact Assessment” before initiating outbound activities involving employees' personal information and eventually forming a report summarizing the assessment findings (including those as set out in points 1, 2, 3 and 4 above) and relevant rectification proposals to respective findings.