The Cybersecurity Administration of China Issues Relaxed Rules for Cross-Border Data Transfers

Katten Muchin Rosenman LLP

On March 22, 2024, the Cybersecurity Administration of China (CAC) issued the long-awaited new Regulations on Promoting and Regulating Cross-Border Data Flows (the New Regulations) for compliance with China's Personal Information Protection Law (PIPL), the Data Security Law (DSL), and their implementing regulations. The New Regulations take effect immediately and are modeled on the draft Regulations issued by CAC on September 28, 2023 (the Draft Regulations).

In addition, the CAC issued the Guide to the Application for Security Assessment of Outbound Data Transfers (Second Edition) and the Guide to the Filing of Standard Contract for Outbound Transfer of Personal Information (Second Edition) (collectively, the Guidelines). The Guidelines provide detailed procedures for data handlers, who can also now use the Outbound Data Transfers Application System for outbound personal information transfers. However, the Regulations take precedence over any provisions that may conflict with PIPL and the Guidelines.

The New Regulations and Guidelines ease numerous compliance requirements and promote cross-border data transfers for data handlers. Notably, there are generally no provisions easing the transfer of sensitive personal information under the New Regulations. In addition, data handlers should be mindful that, given the lack of clarity around the definition of “important data,” the New Regulations permit data handlers to consider their data as nonimportant unless it has been expressly identified or notified as important by regulators, or is determined to be important data publicly announced by authorities. We expect sectoral and local regulators to provide additional guidance regarding the classification of important data. Furthermore, the New Regulations still require that cross-border transfers of personal information outside of China comply with the PIPL requirements related to notice, separate consent, and personal information protection impact assessment.

Some of the key changes provided by the New Regulations are outlined below.

Exemptions 

The New Regulations now exempt data handlers from filing a Standard Contract/personal information protection certification (a Standard Contract Filing) or an application for a security assessment (a Security Assessment) if the data processing activities below apply.

  1. New Threshold. A cross-border transfer of personal information (excluding sensitive personal information) of fewer than 100,000 individuals since January 1 of the current year; the Draft Regulations triggered a Standard Contract Filing for fewer than 10,000 individuals. However, this does not apply to the cross-border transfer of sensitive personal information or to critical information infrastructure operators (CIIOs).
  2. Human Resource Activities. Where it is necessary to transfer personal information overseas for the purpose of carrying out human resources management in accordance with labor rules and regulations and lawfully executed collective contracts (the Human Resource Information). However, the Human Resource Information must comply with the PIPL principle of "minimum and necessary."
  3. Contractual Necessity. The New Regulations exempt the cross-border transfer of personal information that is necessary for the performance of a contract to which the individual is a party. This includes contracts for cross-border shopping, cross-border mailing and delivery, cross-border remittance, cross-border payment, cross-border account opening, flight and hotel reservations, visa processing, and examination services.
  4. Emergencies. The cross-border transfer of personal information necessary to protect the life, health, and property of a natural person in an emergency.
  5. Personal Information Outside of China. If overseas personal information is transferred to China for processing before being transferred overseas and it does not involve the introduction of domestic personal information or important data during the processing.
  6. Other Data. Any cross-border transfer of personal information from international trade, cross-border transportation, academic cooperation, transnational manufacturing, marketing, and other activities that do not involve personal information or important data.

A Standard Contract Filing

The New Regulations mandate that where a data handler (excluding a CIIO) transfers personal information of between 100,000 and 1,000,000 individuals, it will need to complete a Standard Contract Filing.

Security Assessment

The New Regulations provide that if a data handler is processing personal information outside of China, a Security Assessment is required when:

  • a CIIO transfers any personal information or important data outside of China; or
  • a data handler (excluding a CIIO) transfers important data or personal information of over 1,000,000 individuals, or sensitive personal information of over 10,000 individuals.

Furthermore, the New Regulations increase the period of validity of an approved Security Assessment from two years to three years. 

Free-Trade Zones

The New Regulations provide that free-trade zones have the authority to pilot policies that list data requiring a Security Assessment or a Standard Contract Filing (the Negative List). The Negative List can be exported subject to approval by the provincial CACs and must be filed with the central CAC and the National Data Administration (NDA) (which is a newly created regulator under the New Regulations). Data that falls outside of the Negative List is exempted from these requirements.

Companies will need to carefully assess all their data processing activities on a case-by-case basis. In addition, companies will need to update their policies, procedures, and processes to comply with the New Regulations, the Guidelines, PIPL and DSL.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Katten Muchin Rosenman LLP | Attorney Advertising
