With China's relaxation of cross-border data transfer requirements still in draft form – how should MNCs in China approach their data exports?
China recently released a set of draft rules which purport to relax some of the burdensome requirements on data exports. Amidst a yearslong tightening of data security laws and an anti-espionage campaign over the summer, the move was widely welcomed by foreign businesses as a signal that regulators were willing to temper national security objectives with the need to support economic growth. With the rules still in draft form, we explain their significance and how companies should respond until they are finalised and effective.
What are the key changes proposed in the draft rules?
On 28th September 2023, the Cyberspace Administration of China released the draft version of the Provisions on Regulating and Promoting Cross-Border Data Flows for public comment. The draft rules establish exemptions for a number of key data export activities and adjust the thresholds at which the three main mechanisms for cross-border data transfer (government assessment, standard contract and certification) become mandatory.
Among other proposals, the following data export activities are exempted from the cross-border data transfer mechanisms:
- HR management – Where it is necessary to transfer the personal information of internal employees overseas.
- Fewer than 10,000 individuals – Where a company expects to transfer the personal information of fewer than 10,000 individuals overseas in one year.
- Contractual necessity – Where personal information is transferred overseas in order to perform a contract to which the individual is a party, including for cross-border shopping, cross-border remittances, air ticket and hotel reservations or visa processing.
What does this mean for data exports from China?
A significant number of foreign companies will benefit from reduced compliance burdens, particularly those operating in B2B industries with smaller amounts of personal information. The exemptions covering employee data and contract performance reflect a recognition that certain cross-border business activities present a relatively low risk to national security. Notably, the draft rules maintain that "important data" must undergo a security assessment before being provided abroad, but only where it has been expressly identified by the relevant authorities as such.
Furthermore, whereas previous rules mandated regulators to determine whether data exports were truly "necessary", the draft rules suggest that companies are to make this determination for themselves. This important change in wording reflects a regulatory shift from ex ante supervision (i.e. mandatory government approval before data export) towards ex post scrutiny (i.e. permitting some data flows subject to continued scrutiny). This should help to relieve administrative burdens on both the regulators and the wider business community.
How should MNCs respond in the interim?
Though it was anticipated that the draft rules would become effective before 30 November 2023 (the deadline of the grace period for data exporters to file their standard contract with the authorities where the original thresholds have been triggered), they have yet to be finalised at the time of writing. Nonetheless, we expect a final version that retains many of the draft's key features to be released in the coming months.
In the meantime, companies should closely assess their position under the draft rules' proposed thresholds and exemptions. This includes estimating the volume of data likely to be transferred overseas within the one-year timeframe. Furthermore, implications may vary based on the current progress of a company's existing government assessments or standard contract filings, for example:
- for operators in a sensitive industry (such as healthcare, financial services), proceed with the government security assessment or the standard contract filing;
- for operators in a less sensitive B2B industry not meeting the new thresholds within the draft rules, adopt a "wait and see" approach to developing legislation;
- for less sensitive B2B operators which exceed the new thresholds (for example, transferring more than 10,000 individuals' personal information overseas in one year), proceed with standard contract preparation, but hold off on the filing.
Lastly, it is worth underlining the remaining requirements for cross-border data transfer that companies will still need to adhere to after the draft rules come into force, including:
- Legal basis for processing – Data processors are required to have a lawful basis for processing personal information, such as individual consent, and to obtain "separate consent" for cross-border data transfer.
- Contractual arrangements – A transfer of data overseas to a third party needs to be governed by a detailed contractual agreement which is compliant with the relevant PRC regulations.
- PIA – China's Personal Information Protection Law requires an impact assessment to be conducted when providing personal information abroad.
- Internal Data Security and Privacy Protection Measures – MNCs shall implement proper data security management and technical systems, establish regular internal data protection audit procedures, and prepare for government supervision under certain circumstances.
Forward Look
Overall, the draft rules represent a positive development in China's data governance regime. Restrictions on cross-border data transfer have long been a cause for concern for MNCs operating in China. By reducing the compliance burden and permitting a wider range of cross-border data flows, they will provide a significant boost to foreign investment in China.
Looking forward, the draft rules also authorise China's free trade zones to develop their own "white lists" for data exports that are exempt from the cross-border data transfer mechanisms. This could see the incremental growth of permitted categories of data to be exported with ease from China's free trade zones, which may eventually be adopted on a regional or national level.
As ever, it remains important to keep abreast of regulatory and policy developments in this fast-moving space, as well as to ensure that existing data compliance protocols are fit for purpose.
Please feel free to reach out to us if you would like to discuss the impact of China's data compliance requirements on your company.
This article is a joint publication by Lusheng Law Firm and Lusheng's strategic partner Rouse.