The publication of the Provisions on Promoting and Regulating Cross Border Data Flow (the Data Export Relaxation Provisions) by the Cyberspace Administration of China (CAC) is a welcome development for international businesses operating in China. Prior to this development, businesses (especially those with strong demands for data export) struggled with the compliance burden created by the previous set of cross-border data transfer requirements that were published by the CAC in 2022 and 2023 (the Previous CBDT Requirements).
The clarification of 'important data', as well as changes to the requirements for security assessments, use of the PRC personal information export standard contract, as well as personal information protection certifications, will help lighten the compliance burden and, ideally (from a policy perspective), facilitate data flows for businesses.
That said, many international businesses have made significant investments in the past two years to restructure data governance and export processes to comply with the Previous CBDT Requirements. While some of these businesses are unlikely to be affected by this development, they may nevertheless benefit from these changes when considering new business processes or initiatives that may involve the export of personal data from China. However, businesses should note that these changes only impact outbound data transfers from China – the strict standards concerning security and use of personal data imposed by China Personal Information Protection Law remain unchanged.
Please refer to the update prepared by Shanghai Pacific Legal* for details about this recent development.
*Shanghai Pacific Legal is a domestic PRC firm with whom we have a "best friend" relationship with.
Despite the relaxed measures granted by the Data Export Relaxation Provisions, the other regulatory requirements prescribed in the Personal Information Protection Law still apply to data export activities in China. Specifically, personal information handlers must notify the personal data subject and obtain separate consent. In addition, a personal information protection impact assessment shall be undertaken accordingly.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.