Safe Harbors Part II - China's Safe Harbor Rules Lower the Barrier for Cross-Border Data Transfer

K&L Gates LLP

In Part I of our alert about China’s new safe harbor rules, we discussed key developments between the draft Provisions on Regulating and Facilitating Cross-Border Data Flow (Chinese version only) and the Provisions on Facilitating and Regulating Cross-border Data Flow (the Provisions, Chinese version only). In this alert, we will compare the Provisions and China’s three existing routes for a cross-border data transfer.

The key existing regulations are the Measures for the Security Assessment of Outbound Data Transfer (CAC Assessment Rules), the Specifications on Security Certification for Cross-border Personal Information Processing Activities (Licensed Certification Guidance), and the Measures for the Standard Contract for the Outbound Transfer of Personal Information (China SCC Measures).

Prior to the release of the Provisions, multinational corporations (MNCs) with the need to transfer data, especially personal data, out of China were required to go through one of the three data export mechanisms: (i) the security assessment conducted by the CAC (the CAC Assessment) (please refer to our comprehensive CAC Assessment series: Part 1, Part 2, and Part 3 for in-depth insights); (ii) the protection certification by a licensed organization (the Licensed Certification) (detailed in our client alert on the licensed certification);1 and (iii) the China standard contract (the China SCC) (see our client alert on the China SCC) (collectively known as the Three Mechanisms).

The introduction of the Provisions (the Safe Harbor Rules) offers exemptions from the cumbersome Three Mechanisms and clarifies the relationship between Safe Harbor Rules and existing regulations of the Three Mechanisms.

The Provisions make it clear that in the case of any conflicts between the Safe Harbor Rules and the existing regulations of the Three Mechanisms that were promulgated before the Safe Harbor Rules, the Safe Harbor Rules will prevail.

The Three Mechanisms do not introduce the concept of the three types of necessary data export as an exemption from the Three Mechanisms. As such, where the data exporter is not a critical information infrastructure operator (CIIO)2 or where the data to be exported does not comprise important data, the mechanism a data exporter must use among the Three Mechanisms depends exclusively on the volume of personal data involved in the contemplated transfer.

The table below sets out the major changes to the volume thresholds of the Three Mechanisms for personal data exporters who are not CIIOs, comparing the key existing regulations with the Provisions.

Routes / Three Mechanisms / Safe Harbors

China SCC or Licensed Certification

Under the Three Mechanisms, exports of:

  • Less than 100,000 individuals’ general personal data, OR
  • Less than 10,000 individuals’ sensitive personal data,

in each case within two years since 1 January of the previous year by personal data controllers who process less than 1 million individuals’ personal data in China (Article 4 of China SCC Measures).

Under the Safe Harbors, exports of:

  • 100,000 to 1 million individuals’ personal data (excluding sensitive personal data), OR
  • Less than 10,000 individuals’ sensitive personal data,

in each case within one year cumulated starting from 1 January that year by personal data controllers who are not CIIOs (Article 8 of the Provisions).

CAC Assessment

Under the Three Mechanisms, exports of:

  • More than 100,000 individuals’ general personal data, OR
  • More than 10,000 individuals’ sensitive personal data,

in each case within two years since 1 January of the previous year by personal data controllers who process less than 1 million individuals’ personal data in China (Article 4-3 of CAC Assessment Rules); and

  • Any personal data by personal data controllers who process more than 1 million individuals’ personal data in China (Article 4-2 of CAC Assessment Rules).

Under the Safe Harbors, exports of:

  • More than 1 million individuals’ personal data (excluding sensitive personal data), OR
  • More than 10,000 individuals’ sensitive personal data,

in each case within one year cumulated starting from 1 January that year by personal data controllers who are not CIIOs (Article 7-2 of the Provisions).

After the introduction of the Provisions, the criteria for mandatory mechanism of China SCC, Licensed Certification, and CAC Assessment have been substantially limited in that:

  • Certain volume thresholds that trigger the Three Mechanisms have been raised. As a result, more export scenarios that fall outside the three types of necessary data export activities are no longer subject to the CAC Assessment under the Provisions;
  • The period for calculating the volume of personal data exports has been shortened from two years to one year, lifting the threshold for data exporters to trigger the Three Mechanisms; and
  • The Provisions also eliminate the obligation for data controllers processing the personal data of more than 1 million individuals in China (the Mass Data Controllers) to undergo a CAC Assessment if they only export personal data of a small amount of people, such as one individual. Previously, Mass Data Controllers were compelled to undertake CAC Assessments even if they exported personal data of one individual.

Our Observations

  1. The Provisions have substantially lowered the compliance burdens for most MNCs in exporting data from China, especially in the scenario of cross-border human resource management and for the business-to-business relationships in which only a limited amount of personal data (employee or nonemployee) is exported from China, and generally for business purposes.
  2. MNCs need to have a proper China employee privacy notice that is compliant with both the data privacy protection laws and the labor laws in place.
  3. Regardless of the Provisions’ stipulations stating that MNCs would be exempt from the Three Mechanisms when requirements are met, MNCs are still required to adhere to in-house compliance obligations for data export and general data processing under the Personal Information Protection Law. This includes, notably:
       • Proper notification to individual data subjects;
       • Obtaining individual consent (where necessary);
       • Conducting personal data protection impact assessments required in any of seven scenarios;
       • Fulfilling data security obligations;
       • Implementing technical and other necessary safeguards;
       • Managing security incidents; and
       • Establishing data security and personal data protection systems.

1 Our client alert on the licensed certification was drafted before the revised licensed certification guidance came out on 16 December 2022.

2 Under the Provisions, a CIIO’s data export is not entitled to the volume threshold exemption. Regarding the three types of necessary data export, please refer to Part I of our alert for details.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© K&L Gates LLP | Attorney Advertising
