China: Facilitated procedures for the outbound transfer of personal data


published on 25 October 2023 | approx. reading time 3 minutes


On 28 September 2023, the Cyberspace Administration of China (hereinafter referred to as the “CAC”) published the Regulation on Standardizing and Promoting Cross-Border Data (Draft for Comment) (hereinafter referred to as the “Draft Regulation”). The purpose of the Draft Regulation is to relax the currently applicable data compliance requirements set forth in the Measures for the Standard Contract for Outbound Transfer of Personal Information (hereinafter referred to as the “Standard Contract Measures”), which took effect on 1 June 2023, and the Security Assessment Measures for Data Provision Abroad (hereinafter referred to as the “Security Assessment Measures”), which took effect on 1 September 2022.



Current rules under the security assessment measures and standard contract measures

The security assessment by the CAC and the required administrative filing apply to the following circumstances:
  • where a data handler provides critical data overseas;
  • where a key information infrastructure operator or a data handler processing the personal information of more than one million individuals provides personal information overseas; 
  • where a data handler has provided personal information of 100,000 individuals or sensitive personal information of 10,000 individuals in total overseas since 1 January of the previous year; and 
  • other circumstances prescribed by the CAC for which a security assessment notification for overseas data provision is required.
  
If the above thresholds are not met and a security assessment is not required, a standard contract may be used only if all of the following conditions are met: 
  • the personal information processor is not a critical information infrastructure operator; 
  • it processes the personal information of fewer than 1 million individuals; 
  • it has cumulatively transferred abroad the personal information of fewer than 100,000 individuals since 1 January of the previous year; and 
  • it has cumulatively transferred abroad the sensitive personal information of fewer than 10,000 individuals since 1 January of the previous year.
  
Even if the circumstances for security assessment do not apply to most foreign invested enterprises, the above-mentioned current rules provide a general mandatory obligation for every data processor to enter into a standard contract and comply with the filing procedure even if it has transferred or intends to transfer very limited personal information abroad.
  

New rules under the draft regulation

The highlights of the new rules to be implemented under the Draft Regulation are as follows:
 

Cross-border data transmission without notification and verification procedure

For the first time, the legislator provides a legal breakthrough for three personal information processing scenarios that will no longer be subject to filing or review procedures with the CAC prior to their cross-border transfer:
  • where the personal information must be provided abroad in order to enter into and perform a contract with an individual as a party, such as cross-border shopping, cross-border money transfers, air ticket and hotel reservations, visa processing, etc.;
  • when it is necessary to provide personal information of internal employees abroad in order to carry out human resources management in accordance with the labour rules and regulations formulated in accordance with the law and the collective contracts signed in accordance with the law; and 
  • when it is necessary to provide personal information abroad in order to protect the life, health and property of natural persons in case of emergency.
  

Regulations in the case of low data volume

For the first time, in addition to the above-mentioned exceptional cases, the legislator also provides another legal breakthrough for transfers of small volumes of data:
  • Those who are expected to transfer the personal data of fewer than 10,000 persons abroad within one year do not need to declare a security assessment, conclude a standard contract for personal data transfer or pass personal data protection certification (the three approaches provided for in items 1, 2 and 3 of Article 38 PIPL).
  • Those who are expected to provide the personal information of more than 10,000 persons but fewer than 1 million persons abroad within one year do not need to declare a security assessment, provided that they have chosen one of the two approaches of concluding a standard contract for filing with the CAC or passing personal information protection certification; if the personal information of more than 1 million persons is expected to be provided abroad, the security assessment shall be declared as before.
  

Negative lists in free trade areas

For the first time, in addition to the above exceptional cases, the legislator also encourages the governor of each free trade zone to develop its own negative list for data transfer; it is expected that “free” data transfer abroad without any filing formality with the CAC will be possible if the data concerned do not fall within such a negative list.
  

Conclusion and recommendations

If the Draft Regulation is enacted, it will affect most foreign invested enterprises in China in the following ways:
  • It is very likely that the company will be exempted from filing the standard contract if the data processed in one year concerns fewer than 10,000 individuals. We recommend that you keep a close eye on this legislation and temporarily suspend the signing of the standard contract.
  • It is noteworthy that, even though the filing obligation could be exempted, the Personal Information Protection Impact Assessment (“self-assessment”) is still required according to Article 55 PIPL; this work should be done continuously prior to the transfer.
  
In summary, the new rules in the Draft Regulation may facilitate the preparation and filing of documents for companies that are not key information infrastructure operators or that do not transfer critical data abroad or that intend to transfer personal data of more than 10,000 individuals. However, the new draft regulation will not substantially change the general data protection compliance requirements under the Cybersecurity Law, the Data Security Law and the PIPL. 
  
The CAC will strengthen supervision before, during and after cross-border data transfers, and require correction or suspension of cross-border data transfers in case of relatively large risks or security incidents in cross-border data transfers.