[co-author: Zhenye Wang*]

中国正式发布《促进和规范数据跨境流动规定》

On March 22, 2024, nearly six months after the release of the “draft Provisions on Regulating and Promoting Cross-border Data Transfer” (the “Draft Rules”), the Cybersecurity Administration of China (the “CAC”) formally released the “Regulations on Facilitating and Regulating Cross-border Data Flow” (the “New Regulations”), which came into effect on the date of release.

The New Regulations introduce exemptions to the existing filing obligations for outbound data transfer, including (1) absolute exemptions, which are exemptions applicable to all regulatory procedures for outbound data transfer (i.e., security assessment filing, personal information protection certification, and standard contracts filing), and (2) exemptions from the obligation to file a security assessment, i.e., the New Regulations have modified the thresholds mandating the filing of a security assessment and if such thresholds are not met, the data processor still needs to conduct standard contract filing or PI protection certification.

1. Absolute Exemptions

Data processors who are granted the following absolute exemptions will not be required to undertake any regulatory filing process.

1. Data collected and generated in activities such as international trade, cross-border transportation, academic cooperation, cross-border manufacturing, and marketing activities are provided aboard;
2. Personal information (the “PI”) not collected and generated within China is provided overseas;
3. For the purpose of concluding and fulfilling a contract, it is necessary to provide PI aboard, such as cross-border shopping, mailing, remittance, payment, account opening, air ticket and hotel booking, visa application, and examination services;
4. It is necessary to transfer PI of employees abroad for the purpose of cross-border human resources management;
5. It is necessary to transfer PI abroad in emergency situations, such as protection of the life, health and property safety of natural persons;
6. Transmission abroad of the data specified in the negative list formulated by the Free Trade Zone will be granted absolute exemptions;
7. Data processors (excluding critical information infrastructure operators, “CIIO”) that have provided less than 100,000 individual’s PI (excluding sensitive PI) abroad cumulatively since January 1 of the current year.

For items 1 to 7 above, the New Regulations do not include substantive amendments as compared to the Draft Rules, except item 7 adjusts the thresholds triggering the filing under different outbound scenarios. The threshold specified in the Draft Rules is 10,000 individual’s PI, not 100,000 as required by the New Regulations. In addition, it should be emphasized that none of PI/data referred to in the above 7 items should include critical data.

2. Adjustment of the Thresholds Triggering Different Filing Procedures

The New Regulations adjust the thresholds triggering the filing of a security assessment. If a data processing activity does not meet such thresholds and does not qualify for any other exemptions, then the relevant data processor should either conduct standard contract filing or PI protection certification. In addition, as mentioned above, the New Regulations emphasizes the importance of critical data as compared to the Draft Rules. Any data processor who transfers critical data aboard, regardless of the quantity of the critical data, is required to file a security assessment. Therefore, it is crucial for companies to determine whether it handles critical data.

In addition, with respect to the types of data processors, the New Regulations emphasize the regulation of CIIO as compared to the Draft Rules. The below table specifies the filing mechanism applicable to different types of data processors, based on the number of individuals whose PI has been transferred by such data processors in the current year:

3. Extension of the Security Assessment Validity Period

The New Regulations extends the validity period of the results of security assessment from 2 years to 3 years, and permits data processors to apply for an additional 3-year extension of the validity period upon the expiration of the original 3-year validity period, in the event that there have been no circumstances requiring reapplication.

The entry into force of the New Regulations means that data processors are relieved of some of their compliance burden. However, even in cases where the conditions for exemption apply, it is still necessary for the data processors to obtain the relevant individuals’ separate consent in order to stay compliant with applicable laws. Moreover, data processors should still conduct an impact assessment of the protection of PI, undertake technical and other necessary measures, and prepare emergency response in the event of a security incident, and establish data security/PI protection system, etc.

*Zhenye Wang is an associate in the Corporate Practice Group in the firm’s Shanghai office.