KEY TAKEAWAYS
China's data provisions ("the CDPs") were drafted at a time when numerous significant foreign businesses were leaving China, amid concerns about the gloomy economic climate and tightened regulatory environment. That trend appears to be continuing.
The standout difference between China's and Australia's frameworks is that the latter relies on individual choice and corporate compliance, with an emphasis on individual privacy. For China, it is about State supervision of information as a national asset.
The core issue may not be the rules themselves, but rather the level of control that Chinese officials consider to be both normal and required, and the discretions that these officials are empowered to exercise at the administrative level.
China's Provisions on Regulating and Promoting Cross-border Data Flow ("CDPs") came into effect on 22 March this year. Four months later it is opportune to assess how these important new rules have been received by the foreign investor community engaged in China business. Has China's Cyberspace Administration helped business flow? In this article, Moulis Legal partner Charles Zhan and lawyer Susie Li provide a breakdown of China's data export rules and compare them with Australia's, in substance and philosophy.
Early academic optimism not shared by business
When first issued as a draft regulation, China's proposed data provisions ("the CDPs") were touted as being a significant change to China's existing data-export regulatory framework, potentially offering businesses and organisations a more navigable route for information transfer. They were seen by some as an attempt to quell concerns of multinationals about China's stringent data-related security norms and compliance requirements. Bloomberg was optimistic, saying that "the more permissive data regime may aid local companies".[1] A China expert at the Centre for International Security and Cooperation at Stanford University considered that "these changes [will] create a more clear path for most data to be sent abroad".[2] Experts at the Peterson Institute for International Economics noted that the draft rules "could signal a shift away from security toward growth".[3]
The regulation was drafted at a time when numerous significant foreign businesses were leaving China, amid concerns about the gloomy economic climate and tightened regulatory environment. That trend appears to be continuing. In August 2023, global law firm Dentons announced a split with its China branch, Dacheng. The firm said in a memo to clients that the split was "in response to an evolving regulatory environment for Chinese law firms in China — including new mandates and requirements relating to data privacy, cybersecurity, capital control and governance".[4] In 2024, major law firms including Orrick, Akin, Latham & Watkins, Perkins Coie, and Proskauer Rose also announced reduced locational engagement by closing at least one of their China offices.
The Deputy Director-General of the influential NGO group BusinessEurope was reported as saying in Beijing in November 2023 that "[i]f people are afraid you could be going to jail in China... you have to make some very difficult choices and this could effectively lead to the decoupling we all want to avoid".[5]
Active investigations by China's Cyberspace Administration into the collection and transmission of information by due diligence companies, and by marketing and opinion experts servicing foreign business investment in China, have not helped matters. Major disruption was caused to US consultancy firm Gallup, which withdrew from China at the end of last year. Staff members of another US consultancy, Mintz, have reportedly been detained and the company double-fined for failing to have statistical work it was undertaking in China properly approved.
Existing PIPL, and the new CDP overlay
Given that the CDPs were intended to relax and clarify the existing regulatory framework for data export, consisting of the Personal Information Protection Law ("PIPL") and various implementing regulations, how have these controversies erupted? Let's consider what the CDPs achieve in a legal sense.
First, what is the nature of the data regulatory environment into which the CDPs have been introduced? Under PIPL, there are three primary data transfer mechanisms for compliance purposes. Each comes with its own set of challenges, complexities and costs.
The first of these is the requirement for security assessment. This is applicable to organisations in China that are designated as "critical information infrastructure operators", or are involved in exporting very large amounts of personal information or in exporting data classified as "important data" by the relevant department. Such entities must allow a government-approved security assessment to take place before transferring data abroad. Inevitably, these assessments are intrusive, and there are additional specific approval requirements based on the volume of data being transferred. Undertaking this assessment can incur significant compliance costs.
The second is the ability for data exporters to require privacy compliance by overseas parties by means of a standard contract. Companies involved in the exportation of personal information that do not reach the security assessment threshold may choose to utilise a standard template contract for cross-border data transfers. These contracts must be filed with the Cyberspace Administration. Requirements that must be met under the standard contracts share features of the more prohibitive security assessment, posing significant challenges and regulatory costs for smaller businesses.
The third option, and the least intrusive, is the option of certification. Qualifying businesses may obtain a personal information security certification from agencies that are approved by the Cyberspace Administration, as an alternative to filing standard contracts, thereby allowing their data flows to take place without strong oversight. Businesses that do not meet the threshold for a security assessment can apply for certification.
Certification in this way is considered a more efficient and convenient approach for multinational companies that have to manage frequent and daily operations and transactions. Currently, the China Cybersecurity Review, Certification and Market Regulation Big Data Centre (CCRC) is the only approved agency. CCRC charges application and assessment fees, with the total cost of obtaining certification estimated to exceed CNY150k, which is currently about USD21k. Further, the accreditation process typically takes up to 110 working days from the receipt of an application. On 15 December 2023, the CCRC issued its first personal information protection certificates to five entities, including e-commerce giants such as Alipay and JD.Com.
China's CDPs - new pathways with less oversight?
The CDPs are suggestive of an "easing" of the regulatory approach towards data export. They offer exemptions for companies that are neither critical information infrastructure operators nor public entities for some specific data transfers. The kinds of information that the CDPs exempt include:
- general data related to international trade, academic cooperation, multinational production, manufacturing, and marketing that does not involve 'important data' or personal information;
- personal information necessary for cross-border HR management, such as transferring employee personal information overseas;
- personal information for contractual necessities like cross-border shopping, postal services, remittances, payments, account openings, travel bookings (flights and hotels), visa applications and test services; and
- personal information for emergencies, to protect life, health and property.
The CDPs also exempt companies that have exported personal information of fewer than 100,000 individuals (excluding sensitive information) since 1 January 2024, where:
- "personal information" is defined as any data related to natural persons in China, including names, birth dates, ID numbers, addresses, telephone numbers, email addresses, and health and location data, excluding anonymised data; and
- "sensitive information" is defined as data that, if disclosed or misused, could harm an individual's dignity or endanger their personal or property safety, including biometrics, religious beliefs, health, financial accounts, movements, and personal information of minors.
The CDPs also allow free trade zones to establish their own "negative lists" (specifically exempted categories) for data exports.
For companies exporting personal information of more than 100,000 but less than 1 million individuals, a standard contract filing or certification may be required but will be exempt from a security assessment. However, if a company has exported sensitive information of more than 10,000 individuals since 1 January 2024, a mandatory security assessment is required.
The following flowchart quite usefully shows the overall picture of types of information, organisations involved, and compliance mechanisms applicable.
How Australia's data movement laws compare
Australia's data transfer rules are primarily found in the Australian Privacy Principles (APPs). The different objectives of data protection as between China and Australia are evident. Compared to China's focus on specific regulatory mechanisms, retention of aggregated information, and compulsory assessment prior to data transfer, Australia's framework relies on individual choice and corporate compliance. For Western countries the emphasis is on individual privacy. For China, it is about State supervision of information as a national asset.
Australia does not classify data into "important data" or "sensitive data" as is the case in China. Instead, the focus is on accountability. APPs require commercial and public organisations to take reasonable steps to ensure compliance, often through contracts that bind information providers and overseas recipients, requiring them to comply with privacy standards. Australian entities remain legally accountable for any mishandling of the information by overseas recipients, unless they can prove that they have taken all reasonable measures to prevent the breach. Some of the more severe consequences of data breaches in Australia are discussed in this recent article.
Importantly, organisations carrying on business in Australia must have a privacy policy detailing likely overseas disclosures. When Australian entities transfer personal data internationally, they must take reasonable steps to make sure that the overseas recipient does not break the APPs regarding personal information. Reasonable steps mainly involve enforceable contracts. However, if that mechanism is not available, other steps are acceptable, such as verifying safeguards the recipient has in place and reviewing the recipient's internal policies. Also, individuals must be notified or made aware of overseas disclosures when their personal information is collected.
Exemptions are available, most notably when the recipient is subject to a regulatory scheme similar to Australia's. That said, there is currently no jurisdiction that has qualified for the exemption. Other exemptions apply under specific circumstances, such as in emergency situations; when disclosure is required by law or a court order; and when individuals "currently and specifically" give "informed consent" to the transfer at the time it takes place.
The Office of the Australian Information Commissioner (OAIC) can investigate and take enforcement action where infringements are detected. Under the Privacy Act, the maximum penalty for serious or repeated breaches of privacy can reach up to AUD2.5m for individuals. For corporations, the maximum penalty is the greatest of these three amounts: AUD50m; three times the value of the benefit obtained; and 30% of adjusted turnover.[6]
Different bed, different dreams
The introduction of the CDPs was interpreted as signaling a slight policy easing towards data export by the Chinese regulator, and an acknowledgment of the complexity and impact of the current rules on trade and business operations. This was seen as being in line with the 14th opinion of the State Council's 24 Opinions on Attracting Foreign Investment issued in August 2023, which supports the development of a simplified security management procedure for cross-border data flow.
However, the policy easing communicated by the 14th opinion and by the CDPs themselves has not been replicated in the practical implementation of the approval procedures, which Western business sees as being intrusive and expensive. This is of course not helped by the national interests that the US, Chinese and other world governments pursue through both protection of data (anti-hacking) and access to data (hacking). As with many of the differences of opinion between East and West, it is the Sino-American power play, and the role of government and cultural habits formed over many centuries of social development, that have created these modern-day data tensions.
The data protection regulations in China, issued by multiple authorities in the past few years, are complex and intricate. However, the core issue is not the rules themselves, but rather the level of control that Chinese officials consider to be both normal and required, and the discretions that these officials are empowered to exercise at the administrative level. Additionally, the delay in implementation of China's data rules generally has communicated a lack of commitment and of urgency to Chinese officials and Western businesses alike. For instance, while the PIPL established the security certification system in 2021, the first certificate was not issued until December 2023. A lack of detailed guidance on how to apply for certification and the absence of a designated agent to manage the applications made for a poor start. Further, only one FTZ negative list has been approved, for the Tianjin FTZ, in May this year. All of this has led to complicated interactions with authorities and high compliance costs.
The message communicated to foreign business by the fines for unlawfully collecting excessive data, as were levied against Chinese companies Didi in July 2022 and China National Knowledge Infrastructure in September 2023 – USD165m and USD7m respectively – has been heard loud and clear. And these are local Chinese companies! Uncertainty and risk are not the friends of the foreign investment community.
Footnotes
1. https://www.bloomberg.com/news/articles/2023-09-29/china-looks-to-relax-data-export-rules-to-allay-business-fears?embedded-checkout=true
2. https://www.ft.com/content/b1f9a792-1abe-4ca1-9818-b2b8ad266029
3. https://www.piie.com/blogs/realtime-economics/chinas-new-rules-data-flows-could-signal-shift-away-security-toward-growth
4. https://www.afr.com/companies/professional-services/global-law-firm-retreats-from-china-ahead-of-data-crackdown-20230809-p5dv84
5. https://www.ft.com/content/93bbc4ee-41ee-4552-9da0-d2cffaae0528
6. https://www.oaic.gov.au/about-the-OAIC/our-regulatory-approach/guide-to-privacy-regulatory-action/chapter-7-privacy-assessments