Cross-border data transfer from China: New simplifications


published on 27 March 2024 | reading time approx. 7 minutes


Regulations on promoting and regulating cross-border data flow released; guide to applications for security assessment of outbound data transfers and guide to the filing of the standard contract for outbound transfer of personal information updated.



On 22 March 2024, the Cyberspace Administration of China (“CAC”) officially published the long-awaited regulations on promoting and regulating cross-border data flow (“Regulations”). They took effect on the same day. Compared to the draft released on 28 September 2023 (read more in our article), the regulations further relax the regulatory requirements for cross-border data transfers. The law now generally exempts companies that transfer personal data of fewer than 100,000 individuals, counted from 1 January of the current year, from the obligations to enter into a standard contract or undergo a certification. In the previous draft regulation, the threshold for exemption from the same obligations was 10,000 individuals. To align with the regulations, the authorities also updated the guide for application for security assessment of outbound data transfer (“Security Assessment Guide”) and the guide for filing the standard contract for outbound transfer of personal information (“Standard Contract Guide”) on the same day.


Important definitions

Critical information infrastructure operator (“CIIO”) 

Critical information infrastructure operator (“CIIO”) refers to an operator of important network facilities and information systems in important industries and fields such as public telecommunications, information services, energy, transportation, water conservancy, finance, public services, e-government and national defense science, technology and industry, as well as other important network facilities and information systems which, in case of destruction, loss of function or leak of data, may result in serious damage to national security, the national economy and the people's livelihood and public interests. 

“Important data” 

“Important data” refers to data that, once tampered with, destroyed, leaked, illegally obtained, or illegally used, may endanger national security, economic operation, social stability, public health and security, etc.

“Sensitive personal information”

“Sensitive personal information” refers to personal information that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account and location and tracking, as well as the personal information of minors under the age of 14.

Personal information protection impact assessment report (“PIPIA”)

Personal information protection impact assessment report (“PIPIA”) refers to the process of verifying the legality and legitimacy of personal information processing activities, identifying the various risks of harm to the legal rights and interests of the personal information subjects, and evaluating whether the measures taken to protect those subjects are effective.

Exemption of filing or review procedure with CAC

The regulations provide for six cases where the law exempts a data processor from the obligation to conduct the security assessment for cross-border transfer of data, to conclude a standard contract for outbound transfer of personal information, or to perform a personal information protection certification:

  • Where data (excluding personal information or important data) is transferred abroad which is collected or generated during activities such as international trading, cross-border transportation, academic cooperation, cross-border production and manufacturing, marketing, and promotion, or
  • Where personal information collected or generated overseas, then transferred to and processed in China, is returned abroad without adding personal information or important data generated in China during the data processing, or
  • Where personal information must be provided abroad to conclude and perform a contract to which an individual is a party, such as cross-border shopping, mail, remittance, payment, account opening, as well as air ticket and hotel reservations, visa applications, exam services etc., or
  • Where it is necessary to transfer personal information of internal employees abroad to implement human resources management, and this happens in accordance with the labor rules and regulations formulated according to law and the collective contracts signed according to law, or
  • Where it is necessary to transfer personal information abroad to protect the life, health, or property of natural persons in case of an emergency, or
  • Where a data processor (except a CIIO) transfers personal information abroad (excluding sensitive personal information) of fewer than 100,000 individuals as from 1 January of the current year.

Even in these exempt cases, because a cross-border transfer of personal information is involved, preparing a PIPIA under the Personal Information Protection Law (“PIPL”) is still required.

Cross-border data flow subject to security assessment with CAC

In the following two cases, a data processor must undergo the security assessment by the CAC:

  • Where a CIIO transfers personal information or important data abroad, or
  • Where a data processor (except a CIIO) transfers important data abroad, or transfers abroad personal information (excluding sensitive information) of 1,000,000 individuals or more, or sensitive information of 10,000 individuals or more, as from 1 January of the current year.

The security assessment result is valid for three years. If the data processor does not need to conduct a new security assessment because the circumstances of the cross-border data transfer are unchanged, it can apply, within 60 working days before the previous security assessment expires, for an extension of the previous security assessment result for another three years.
 

Cross-border data flow subject to standard contract or certification

Where a data processor (except a CIIO) transfers abroad personal information (excluding sensitive information) of 100,000 or more but fewer than 1,000,000 individuals, or sensitive information of fewer than 10,000 individuals, as from 1 January of the current year, the transferor and transferee must either conclude a standard contract for outbound transfer of personal information or complete a personal information protection certification.

When concluding a standard contract, the personal information processor shall, within ten working days after the standard contract enters into effect, apply for filing with the CAC by submitting the signed standard contract, the PIPIA and the other required documents. If the circumstances of the cross-border transfer of personal information change, the processor must amend or re-sign the standard contract and conduct the PIPIA again.

When conducting a personal information protection certification, the data processor shall apply at the designated website and with the qualified certification institute. The certification is valid for three years. The data processor can renew it upon the fulfillment of the supervision requirements. 
 

“Negative lists” to be issued by pilot free trade zones

Pilot free trade zones may develop their own negative lists for data transfer, setting out the data which is subject to cross-border security assessment, conclusion of a standard contract for outbound transfer of personal information, or personal information protection certification. Data not mentioned in the respective negative list can be freely transferred abroad without any filing or application formality with the CAC.

Identification of important data

The regulations stipulate that a data processor shall identify and report “important data” according to the relevant regulations. If there are no regulations which define certain data as important data, a data processor need not conduct security assessment for cross-border data transfer. 

So far only a few regulations define “important data.” The Data Security Law (“DSL”) provides that all regions and departments shall determine the specific catalogue of important data for their respective regions, departments and relevant industries and fields. This is to happen under the data classification and hierarchical protection system, giving priority to the protection of data included in the catalogue. But until recently, only the several provisions on automotive data security management (for trial implementation) set forth a clear definition of important data. Similar provisions or regulations are still pending for other industries and regions.

The regulations will push the relevant departments or regions to accelerate the identification and definition of important data, either by approaching the respective enterprises individually or by publishing the corresponding catalogues that apply to the designated industries or regions.
 

Changes to the security assessment guide and standard contract guide

According to the updated security assessment guide and standard contract guide, the official website is provided as the official online channel not only for security assessment but also for standard contract filing. A CIIO, or another entity for which applying for security assessment via this online system is not appropriate, may also file directly with the CAC at provincial level by submitting hard and electronic copies of the required application documents.

Alert to overseas entities: The security assessment guide and standard contract guide also regard the processing of personal information of domestic natural persons by overseas entities as a cross-border transfer of personal information. This occurs when overseas entities collect personal information from China either for the purpose of providing products or services to domestic natural persons, or in order to analyze and evaluate the activities of domestic natural persons. In this case, overseas entities must establish a special agency or designate a representative in China according to Article 53 of the PIPL to fulfill the personal information protection compliance requirements under Chinese laws and regulations.

Implications and recommendations

With the implementation of the eased compliance requirements under the regulations, the law releases many foreign invested enterprises from filing and review formalities with the CAC. But data processors, including foreign invested enterprises, must continue to observe the other relevant obligations under laws and regulations when providing personal information abroad. These include the statutory obligations to inform the individuals concerned, to obtain their separate consent, to perform the PIPIA, etc.

To benefit from the eased requirements, foreign invested enterprises should, where practicable, avoid transferring sensitive personal data overseas. Otherwise, this type of data will still trigger the enhanced procedures outlined above.

Further, the CAC may strengthen its supervision before, during or after the cross-border transfer of data. The CAC may demand corrective or remedial measures in case of relatively large risks or security incidents involving cross-border data transfers. In case of refusal to correct, or in case of severe consequences, the authorities may pursue corresponding legal liabilities against the enterprise concerned or the responsible person(s) based on Chinese laws and regulations, in particular the Cybersecurity Law, the DSL and the PIPL.

Accordingly, companies operating in China should now commence a more detailed data protection “health check” to identify at an early stage whether, and if so which, actions are recommendable in their individual case.