28 October 2024

Data security in China: New cross-border data regulations.

Acclime

Contributor

Acclime is a premier provider of professional formation, accounting, tax, audit & finance, HR and advisory services in China. We focus on providing high-quality outsourcing and consulting services to our international clients in China and throughout the region.

The cross-border flow of data is critical in the global economy's digitalisation wave, carrying information and accelerating innovation; however, to ensure national security and social stability, protect the public interest, and promote economic development at home, many countries and regions are exploring appropriate legislation to restrict the cross-border flow of data.

In 2017, 35 countries and regions introduced data localisation and cross-border control requirements. By 2023, this number grew to 62, including the U.S., which traditionally promotes free data flow due to its long-arm jurisdiction. However, the U.S. recently issued Executive Order 14117, aimed at preventing countries of concern from accessing Americans' bulk sensitive personal data and U.S. government-related information, signalling a shift toward stricter data flow restrictions.

On March 22, 2024, the Cyberspace Administration of China (CAC) published the Provisions on Promoting and Regulating Cross-border Data Flows to support the implementation of the Cybersecurity Law, Digital Security Law and Personal Information Protection Law (PIPL).

Effective immediately, this new policy tackles key issues raised by multinational corporations regarding data transfer abroad during the public comment period. It outlines six scenarios where data processors can bypass strict assessment and certification requirements, such as data from international trade, academic cooperation, cross-border HR management or emergencies. This policy aims to lessen the compliance load on companies and reduce regulatory oversight on transferring non-sensitive and non-critical data and personal information across borders.

Highlights of the new data security regulations

Important data outbound that meets the prescribed circumstances needs to undergo a security assessment

Management of the cross-border flow of data is based on the distinction between important and non-important data. According to the Provisions, the cross-border flow of important data is subject to security assessment, and data processors shall identify and declare important data in accordance with the relevant provisions. However, data processors are not required to declare data as important data for outbound security assessment if it has not been notified or publicly released as important data by relevant departments or regions.

Outbound exemption for data that does not contain personal information or important data

According to the Regulation, data collected and generated during international trade, cross-border transportation, academic cooperation, transnational manufacturing and marketing activities and provided outside the country are exempt from security assessments, standard contracts for personal information transfer and personal information protection certification if they do not contain personal information or important data.

A data processor that transmits personal information collected and generated outside the country for processing within the country and then provides it outside the country is also exempt from security assessments, standard contracts for personal information transfer and personal information protection certification if no personal information or important data are introduced into the country during processing.

Outbound exemption for partial personal information

Under the new Regulation, the following four scenarios are exempt from the requirement to declare a data outbound security assessment, enter into a standard contract for personal information transfer, or obtain personal information protection certification (as long as important data is not involved):

  • Personal information is required to fulfil contracts involving individuals, such as for cross-border shopping, mailing, remittance, payments, account opening, flight and hotel bookings, visa applications or examination services.
  • Cross-border human resources management is necessary, following labour laws and collective contracts, where employee information needs to be provided outside the country.
  • In emergencies, when it is necessary to send personal information abroad to protect a person's life, health or property.
  • Data processors who have provided non-sensitive personal information for fewer than 100,000 individuals overseas since January 1 of the current year.

Special Legislative Power and Negative List System in Pilot Free-Trade Zones (FTZs)

The Regulations state that, under the framework of the national data classification and hierarchical protection system, Pilot Free Trade Zones may, on their own, formulate a list of data (the Negative List) within the zone that need to be included in the scope of management of data outbound security assessment, personal information outbound standard contract, and personal information protection certification. This list must be reported to the national network information and the national data management departments after approval by the Provincial Committee of Cybersecurity and Informatisation.

Data processors in the FTZ that provide data outside the Negative List to foreign countries may be exempt from outbound data security assessments, standard contracts for personal information transfers and personal information protection certification.

Refinement of data outbound security assessment and personal information outbound standard contract and certification system

The Regulations make clear provisions on the circumstances in which an outbound data security assessment is required:

  • A critical information infrastructure operator provides personal information or important data outside the country.
  • A data processor other than a critical information infrastructure operator provides important data outside the country, or has cumulatively provided outside the country the non-sensitive personal information of more than 1 million individuals or the sensitive personal information of more than 10,000 individuals since 1 January 2024.

The result of a passed data outbound security assessment is valid for three years, and an extension can be applied for after the period expires.

Conclusion

On September 28, 2023, the Cyberspace Administration of China (CAC) issued a Draft for Comments for the Provisions on Promoting and Regulating Cross-border Data Flows. After six months, it formally restructured the existing data cross-border mechanism. The New Cross-border Regulation continues the tone and regulatory framework of orderly management and appropriate relaxation of the Draft for Comments. It appropriately adjusts the Draft for Comments considering the actual data outbound security management work. Key changes in the new regulations include identifying specific scenarios for exemptions from filing, raising the threshold for personal information situation assessment and filing, requiring publicly available catalogues or notifications and allowing Pilot Free Trade Zones to issue negative lists for data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
